My thoughts on JAMF

Turns out managing macs is quite fun!

Posted by Nekunekus on 2021-10-16 01:15

My job as a Sysadmin includes a lot of AD and Windows in general. I'm not super fond of that since I prefer Linux and macOS... But wait, we're gonna roll out a new system to manage the Macs?? And I'm leading the project??? How fun!

Turns out Macs don't like to be managed, not that easily at least, but once you've gotten the hang of the interface and of policies/profiles combined with a lot of scripts, it becomes a breeze compared to AD and GPOs. However, you cannot control some permissions in macOS, like screen recording, which for example TeamViewer needs in order to function. It's just one click for the user to grant it, so it's not that big of a deal, but it still bothers me. I guess it provides some level of protection against malware... But still.

Connecting JAMF to Okta (or any other IdP) instead of AD makes for a very smooth enrollment of new users or Macs: they just log in and JAMF captures all the needed info. Using JAMF Connect together with Okta syncs the user's Okta password to the Mac (it even works with FileVault!), so the idea is that you use one unified login for everything.

DEPNotify and similar scripts are great for onboarding and setting up the Mac before the user can interact with the OS, since you can configure them to basically take over and not let the user exit until setup is done.

So what can you control using JAMF? EVERYTHING! It's very close to being a rootkit, but hey, that's great for managing devices... Right?

In general I'm a bit worried about all endpoint/management systems: running a root service which can control everything introduces the risk of it being exploited. :(

At least Catalina and Big Sur with APFS & SIP mitigate some of the risk of the core system being tampered with. :)
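Since SIP and FileVault are the protections the post leans on, the thing a practitioner usually wants next is a way to have JAMF tell you which Macs actually have them on. The script below is an added example, not from the post or from Jamf; it is written in the style of a Jamf extension attribute (a script whose stdout is wrapped in `<result>...</result>` and stored with the computer's inventory record, so a smart group can flag machines where SIP is off). The parsing is split into functions that take the command output as a string, so the logic can be exercised with constructed sample strings on any system; `csrutil` and `fdesetup` are only run when they exist.

```shell
#!/bin/sh
# Added example (not the post's own): Jamf-style extension attribute that
# reports SIP and FileVault state. Assumes the standard Jamf convention of
# printing the value inside <result></result>.

# Map the text of `csrutil status` to a single word.
# Real outputs look like "System Integrity Protection status: enabled."
parse_sip_status() {
    case "$1" in
        *disabled*) echo "disabled" ;;
        *enabled*)  echo "enabled" ;;
        *)          echo "unknown" ;;   # e.g. custom configurations
    esac
}

# Map the text of `fdesetup status` to on/off.
# Real outputs look like "FileVault is On." / "FileVault is Off."
parse_filevault_status() {
    case "$1" in
        *"FileVault is On"*)  echo "on" ;;
        *"FileVault is Off"*) echo "off" ;;
        *)                    echo "unknown" ;;
    esac
}

# Build the inventory value Jamf stores for this extension attribute.
posture_result() {
    echo "<result>SIP=$1;FileVault=$2</result>"
}

# Collect live values on a Mac; fall back to "unknown" elsewhere so the
# script still runs (and the functions above can be tested) on other systems.
if command -v csrutil >/dev/null 2>&1; then
    sip=$(parse_sip_status "$(csrutil status 2>/dev/null)")
else
    sip="unknown"
fi

if command -v fdesetup >/dev/null 2>&1; then
    fv=$(parse_filevault_status "$(fdesetup status 2>/dev/null)")
else
    fv="unknown"
fi

posture_result "$sip" "$fv"
```

One caveat worth keeping in mind: this reports what the running OS says about itself. If the management agent is the thing you are worried about (the "rootkit" point above), pair the inventory value with an alert on any change away from `enabled`/`on` rather than trusting a single reading.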

Idk, just wanted to spill my brain worms about it. Goodnight!