Hmmmm.... So the privately owned/leased iPhones that employees wanted to have access to company resources through, at my previous job, were required to load some MDM software that partitioned off some of the memory and the employees could only use the company apps from within that partition. You were not allowed to access resources otherwise. That partition was remotely accessible by the company, or at least they could remotely wipe that partition clean.

I would argue that this is a good thing, as your personal phone contents might otherwise be legally discoverable by parties in a lawsuit.

JAMF (IIRC) is used where I currently work and IT seems quite pleased with it for company owned devices. As far as I know, they are not placing any MDM software on privately owned devices.
 
I feel like the only Jamf admin who is not a huge fan of the product. It’s basically just a platform that lets you host and deploy scripts. Almost nothing can be done natively— everything worth doing requires a third party script or a custom .plist. Obviously, this has a lot of benefits in that it’s super flexible, but other MDMs offer similar flexibility, while also offering built-in options to manage common settings. While I struggle to think of another Mac MDM I’d consider fully baked, I would argue other MDMs have a better roadmap ahead of them than Jamf does. Jamf is a legacy product that’s only so popular due to a) being around since forever and b) their close working relationship with Apple.

It’s also missing two basic things offered by every other MDM I’ve tried: a) screen sharing (that doesn’t require you to be on the same network), and b) remote command execution, again that doesn’t require you to be on the same network. These two missing things, as well as a host of other things (lack of certain types of logging, lack of restore functions, lack of ability to change system settings, etc) shows me their cloud offering is basically a lift-and-shift of their on-prem offering. There’s also no location-determining abilities, which is a bummer, though I realize it’s just an IP-based guess.

Really the only thing it does better than other MDMs is it doesn’t require an agent to be installed on the device to function. But that’s honestly a non-factor for me when making an MDM purchasing decision.

Also, the interface is crap.
 
Most of the shortcomings of Jamf or any other software like it are mostly due to Apple rules and limitations. I only manage iOS devices on it. Being able to push apps out to certain devices or locking the device down to a single app is very handy for my needs as the devices I manage are all out in the medical field. To those that think this is spyware, you just are clueless as to what the software can and can not do.
 
Yeah micromanagement without relying on a middle manager! If you can't replace the worker with a bot then replace the boss.
 
I’m an IT guy in a public K-12 setting, so I love Jamf — while knowing it’s full of flaws :). We provide all teachers and administrators with MacBooks.

I completely understand why employees don’t love it, but Jamf saves their asses more than they realize, mostly due to the security we’re able to provide.

Our users are not admins, but we definitely work with them to get apps and tools they use, like Spotify, into the Self Service app so the machines don’t feel completely locked down. (Self Service is like a custom app store for your organization.)

Our remote support software notifies the users that we’re remoted in. We don’t use it for monitoring, but legit to support people remotely.

Jamf also allows partial enrollment for personal devices, so a company can say... enforce a device passcode in order to give you your apps, but not be able to see any personal device data.

If there was a huge patch we had to push out, it was legit done via installing via USB drive on 500+ machines. Jamf, usually after much trial and error 😂, allows for a one click upgrade. It’s magic.
 
End users always hate management tools until it saves their behind. Then they complain that they would have done it anyway except for the d*** management tool.

The fact is, you can't trust end users. Sorry end users, we know one (some) of you is (are) going to try to view inappropriate content during work hours. Nope. And you can't see that website when you're at home either - use your own equipment for that.
 
Jamf is pretty good, even Apple uses it internally. Basically like most MDMs you can mail say an iPad or MacBook to an employee and they can get everything corporate configured right away. From a basic level you can lock down say a user from upgrading to a macOS beta, or have only a segment like devs allowed to use betas.

The haters generally don't know how it works, or only become thankful when it saves them when they lose their MacBook.
 
My company would switch to Jamf in a heartbeat if they would support location tracking on deployed devices. We have roughly 1500 devices across the country.
Jamf (and all basic MDMs I am familiar with) include location tracking in several formats: heartbeat ( last location ), request location ( ping device ), lost mode ( actively lock device for tracking / recover ).
 
At what point does Apple decide that JAMF has become too powerful, and therefore must be cut out of the equation?
Apple has never wanted to control the MDM*. They built a fantastic API early on that any developer could tinker with. Currently Apple requires an Enterprise Developer account to access white papers.

*Apple built a 'mock-up' MDM back in the early days (>10years ago) that had the explicit use case of "No more than 500 devices." It crashed quite often.
 
I’m an IT guy in a public K-12 setting, so I love Jamf — while knowing it’s full of flaws :). We provide all teachers and administrators with MacBooks.

I completely understand why employees don’t love it, but Jamf saves their asses more than they realize, mostly due to the security we’re able to provide.

Our users are not admins, but we definitely work with them to get apps and tools they use, like Spotify, into the Self Service app so the machines don’t feel completely locked down. (Self Service is like a custom app store for your organization.)

Our remote support software notifies the users that we’re remoted in. We don’t use it for monitoring, but legit to support people remotely.

Jamf also allows partial enrollment for personal devices, so a company can say... enforce a device passcode in order to give you your apps, but not be able to see any personal device data.

If there was a huge patch we had to push out, it was legit done via installing via USB drive on 500+ machines. Jamf, usually after much trial and error 😂, allows for a one click upgrade. It’s magic.
So that's what self service was for. I volunteer at a local school and was confused by the self service stuff on the computers.
 
These types of tools are spyware and a privacy nightmare. As folks move to single BYOD for personal and work, enterprise endpoint protections should come in standalone apps for enterprise applications, not through complete OS-wide surveillance. The above comment about wanting location tracking is worrisome, and that mindset just normalizes workplace surveillance.
Jamf and most other MDMs are not spyware.
Apple devices notify the end user when the device is being 'watched'. We are too busy to care what/where you are up to with the company car / computer / cell phone / tablet. The only time I would look for your device is if you lost it or it was reported stolen by you.
It is in your office. You are welcome.
 
There will be a decline in corporate customers in the next 5 years due to Apple silicon, without good VM solutions for Windows applications. Everyone knows that in the corporate world we have programs that only work on Windows. And all of us "corporate customers demanding Macs" will have no choice but to go to a Windows machine when upgrading in order to effectively do our jobs when there is no Intel alternative.

I'm dreading it.... at least I got a new top of the line 16" MacBook Pro in 2020 that should last me a good 4-5 years.
 
I don't allow it on any of my personal devices. My employer has to supply me with the equipment (and cell plan) if they want to get access to it.
I get that. I have company managed computers and non managed iPhone/iPad. We only require management of your device if you want access to our 'secret sauce' while using your device ( the few hundred that fall into this category get the least restrictive profiles I can create ). You may BYOD all you want ( saves me a support call! ).
 
...there are a few missing features that would make the solution "complete" for a lot of people but would also lead to questions about privacy (this is my personal wishlist, others may have different ideas):

  • remote desktop
  • true no-touch software update
  • all system settings exposed via plist or other means

I can't say much about Mac or Apple TV management, though might bring our Apple TVs if we need to deploy a dedicated conference room app to them.
Remote Desktop:
We deploy SplashTop to remotely manage devices ( works on iPads & iPhones, well just about everything ). For iPhones & iPads we can only view the screen and walk the user through the 'fix', we do not have remote control of the device, but it works 60% of the time, every time.

No Touch software update
Just a button click for 10k+ devices. What part is causing you to touch the device?

All system settings exposed via plist or other means
Accessed through the console, but is limited by Apple.
 
lol, thankfully my employer doesn't manage my published MBP in JAMF tools; instead they entrusted a brand new 15" MBP 2018 to me back then. All they did was the device activation the first time; the rest I configured myself, including a clean install.

Previously I was given a 13" 2017 one, but somehow they contacted me to swap it for a newer, larger model.
 
So that's what self service was for. I volunteer at a local school and was confused by the self service stuff on the computers.

Yep! It's pretty cool. For instance, the latest Zoom update (either the app or the mechanism) broke Zoom audio for a lot of our teachers today, and it was asking them all for admin credentials, which they don't have. We got probably 10 tickets in an hour or so about it.

I was able to find a script on a Jamf forum that someone else had used a year ago to fix the same problem, test it on a machine or two in my office, then put it in Self Service with a forced restart, a pretty icon and called it Zoom Audio Fix. We directed them all to Self Service, and voilà! Problem fixed on ten machines remotely in under an hour.
 