macOS Corporate Owned
- Updated on 06 Oct 2023
Corporate-owned macOS devices are the workhorses of most organizations. These are devices purchased by the organization and issued to users as their primary device to get work done.
Fortunately, Apple and Jamf have made onboarding new macOS devices into management – and thereby making them sanctioned devices – very easy.
The overall process is:
- An organization purchases new devices via their authorized Apple reseller
- The device is drop-shipped to the end user
- The user unboxes and powers on their device
- The device is automatically enrolled into the organization's Jamf Pro instance
- A local user account is created on the device using the employee's IdP credentials.
Configuring Zero-Touch Device Deployment
We strongly recommend using Apple's Automated Device Enrollment (formerly the "Device Enrollment Program") to automatically onboard devices into device management without IT having to pre-configure them by hand. Devices acquired via authorized suppliers – Apple, carriers, or other resellers – then automatically become "sanctioned" by enrolling in MDM on first boot.
To adopt this deployment method, follow the below steps:
- If you don't already have an Apple Business Manager or Apple School Manager account, create one per these Apple Sign Up Instructions.
- Set up Automated Device Enrollment in Apple Business/School Manager.
- If this is your first use of Jamf Pro, follow the Jamf Pro Getting Started Guide.
- Complete the steps to Integrate Jamf Pro with Automated Device Enrollment (video).
- Configure Computer PreStage Enrollments to define how new devices should behave once enrolled via Automated Device Enrollment (for example, which Setup Assistant panes are skipped and whether the MDM profile is mandatory, so that users cannot remove it after enrollment).
At this point, all new devices purchased from the indicated authorized suppliers will automatically enroll into Jamf Pro out-of-the-box!
Deploying Jamf Connect
Jamf Connect complements automated device enrollment into Jamf Pro by providing IT administrators with additional capabilities:
- Creating a local standard or administrator macOS account based upon the user's IdP credentials and group memberships.
- Providing an enhanced and customized zero-touch onboarding experience.
We recommend configuring Jamf Connect to bind your end users' corporate-managed macOS devices to their cloud identity:
- Configure Jamf Connect to integrate with your organization's identity provider.
- Create a Jamf Connect Configuration via Jamf Pro.
- Configure multi-factor authentication to enhance endpoint activation security.
- Deploy Jamf Connect via Jamf Pro.
Now when users onboard their new macOS device, the device will not only be enrolled into Jamf Pro, but their local user account will be created according to their identity provider identity and entitlements. Cool!
Customizing Zero-Touch Enrollment
You can further customize the onboarding process in an advanced, script-oriented manner. This allows you to present text, images, and even videos during the initial macOS provisioning process to help onboard your user into your organization.
See Customizing the Zero-touch macOS Onboarding Experience blog article for details.
Deploying Jamf Protect
Jamf Protect provides comprehensive on-device and in-network threat protection for macOS devices and can be deployed zero-touch.
The Jamf Trusted Access solution requires Jamf Protect: it actively guards devices against threats while assessing each device's risk level, and that risk level drives risk-based access to organization data.
- Get started by setting up your Jamf Protect environment. For a more guided set up, see the Jamf Protect Evaluation Guide.
- Deploy Jamf Protect via Jamf Pro to guard against on-device threats and help maintain device compliance.
- Configure and deploy Network Threat Prevention to actively block malicious network traffic from impacting the endpoint.
Deploying Jamf Trust
The Jamf Trust app is required to enable various security services on macOS devices, including Jamf Private Access.
Private Access is used in the Jamf Trusted Access solution to give trusted devices access to company resources. The following outlines the high-level steps required to streamline deployment of the Jamf Trust app via Jamf Pro:
- Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
- Configure and deploy these additional profiles to streamline the Jamf Trust activation process:
- Bootstrapping the Jamf Trust App Activation: Be sure to define Jamf Protect as a required security app as advised to reduce threat exposure.
- Pre-Authorizing VPN Installation: Removes the need for the user to authenticate to their device in order to install the VPN configuration for Private Access.
- In Jamf Pro, configure the "Jamf Trust" app to be automatically deployed to target devices via Volume Purchasing:
- Configure Volume Purchasing Integration.
- "Purchase" a large number of licenses of the "Jamf Trust" app in Apple Business/School Manager.
- Deploy the Jamf Trust app via the Volume Purchased App Deployment process.
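As an added verification example (not part of this article and not Jamf's own tooling), the following shell script checks a deployed Mac against the outcomes the zero-touch enrollment steps and the Jamf Connect, Jamf Protect and Jamf Trust deployments above are meant to produce: that the device enrolled through Automated Device Enrollment with a user-approved MDM enrollment, that the jamf binary can reach Jamf Pro, and that the three apps are installed. The application bundle names and the `/usr/local/bin/jamf` path are assumptions based on default installs, and the enrollment status text embedded in the script is a constructed sample so the parsing logic can be exercised off-device.

```bash
#!/bin/bash
# Post-deployment verification for a zero-touch enrolled Mac.
# Added example; not from the article or from Jamf. Assumed paths are marked.

# Constructed sample of what `profiles status -type enrollment` prints on a
# Mac that enrolled through Automated Device Enrollment (macOS 10.13.4+).
SAMPLE_STATUS='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# check_enrollment_output <text>
# Returns 0 when the device enrolled via Automated Device Enrollment and the
# MDM enrollment is user approved; 1 if not enrolled via DEP, 2 if MDM is
# enrolled but not user approved, 3 if there is no usable MDM enrollment line.
check_enrollment_output() {
  local output="$1"
  local dep mdm
  dep=$(printf '%s\n' "$output" | sed -n 's/^Enrolled via DEP: *//p')
  mdm=$(printf '%s\n' "$output" | sed -n 's/^MDM enrollment: *//p')
  if [ "$dep" != "Yes" ]; then
    echo "FAIL: not enrolled via Automated Device Enrollment (DEP: ${dep:-unknown})"
    return 1
  fi
  case "$mdm" in
    "Yes (User Approved)") echo "OK: MDM enrollment is user approved"; return 0 ;;
    Yes*)                  echo "FAIL: MDM enrolled but not user approved"; return 2 ;;
    *)                     echo "FAIL: MDM enrollment status: ${mdm:-unknown}"; return 3 ;;
  esac
}

# check_apps [root]
# Verifies the three Jamf apps exist under <root>/Applications. The bundle
# names are assumptions based on default installs. Returns the number missing.
check_apps() {
  local root="${1:-}"
  local missing=0 app
  for app in "Jamf Connect.app" "JamfProtect.app" "Jamf Trust.app"; do
    if [ -d "$root/Applications/$app" ]; then
      echo "OK: $app present"
    else
      echo "MISSING: $app"
      missing=$((missing + 1))
    fi
  done
  return "$missing"
}

# run_live
# Runs the checks against the real system; `profiles` and `jamf` need root.
run_live() {
  local status rc=0
  status=$(profiles status -type enrollment 2>&1) || true
  check_enrollment_output "$status" || rc=1
  # Assumed default location of the Jamf management binary.
  if [ -x /usr/local/bin/jamf ]; then
    if /usr/local/bin/jamf checkJSSConnection >/dev/null 2>&1; then
      echo "OK: Jamf Pro is reachable"
    else
      echo "FAIL: Jamf Pro is not reachable"; rc=1
    fi
  else
    echo "FAIL: /usr/local/bin/jamf not found"; rc=1
  fi
  check_apps "" || rc=1
  return "$rc"
}

if [ "${1:-}" = "--live" ]; then
  run_live
else
  # Off-device demonstration against the constructed sample.
  check_enrollment_output "$SAMPLE_STATUS"
fi
```

Run it with `sudo ./verify-enrollment.sh --live` on a freshly onboarded Mac; without `--live` it only exercises the parser against the embedded sample. A device that shows `Enrolled via DEP: No` was enrolled some other way (for example by hand via a user-initiated enrollment) and should be treated as unsanctioned until re-provisioned through Automated Device Enrollment.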