Tuesday, August 21, 2018

Mac Administration with JAMF, Part 1: Overview

At my current job, we have several computer labs with Mac computers used by our Visual Communications program. We now use a product called JAMF to manage the fleet statewide, but things were not always so nice - initially, each service area within our system configured and administered their Macs in their own way, so the actual images and techniques used to build them varied from campus to campus.

In our service area, we used the "golden master" image creation technique: one Mac would get a fresh-from-Apple image, requested software would be installed, necessary configurations would be made, and then a full-disk image from that Mac would be captured and deployed to Macs via DeployStudio. This was obviously labor-intensive - each time a change needed to be made to the image, or if any problems were discovered, either each Mac needed to be manually updated, or the "golden master" had to be re-built, re-captured, and re-deployed. While DeployStudio has some ability to push software to Macs, we did not have the infrastructure set up for that, so we effectively had no central management capabilities at all.

Enter JAMF. Originally called Casper Suite, JAMF provides a host of management and administration tools for Macs approaching the breadth and depth of SCCM on the Windows side of things: imaging, software deployment/removal, settings management, configuration profile deployment, inventory, reporting, etc., all things sorely needed in our statewide environment. While the basic ideas of JAMF are similar to those of SCCM and other management systems, some of the terminology may differ, so I'll try to explain what everything is and how we use it in our environment. (Since we implemented JAMF, a newer version called JAMF Pro has become available, which has slightly different names for some of its software tools; this discussion refers to JAMF/Casper Suite 9.101, which is what we currently use.) Each of these will be discussed in more detail in further posts.

Tools

JSS - The JAMF Software Server is the central management point for the JAMF system. This is a piece of server software that runs on a virtual machine in our central data center. Interestingly, even though JAMF is a management system for Macs, the JSS need not run on an Apple operating system - ours runs on Windows Server 2012R2. The JSS also provides the web interface/administration console for the system.

Casper Admin - This is a Mac OS application that provides an interface to upload and work with packages and imaging configurations (please see below). Among other things, Casper Admin allows you to index packages, which makes it possible to uninstall them from managed Macs using JAMF (though this only works with certain types of packages).

Casper Remote - A Mac OS application that replicates many of the capabilities of Apple Remote Desktop, focused on the JAMF environment. Using Casper Remote, not only can you view and control managed Macs' screens, you can also deploy software, run scripts, collect inventory information, and otherwise administer the remote computer more easily than via SSH.

Casper Imaging - JAMF imaging, at least traditionally, involves the creation of a NetBootable Mac OS environment that runs the Casper Imaging application. Casper Imaging allows you to specify a name for the Mac, select which imaging configuration should be used to image it, and other related tasks.

Composer - A Mac OS application that allows you to capture and build packages that can be deployed to Macs. Packages are usually things like software installations, but can include almost any file type, and by using preinstall and postinstall scripts, a package can even be built without a payload purely to run an arbitrary script on a Mac. Composer can produce Apple-style .pkg packages, as well as JAMF-specific .dmg packages, which have the advantage of being indexable (using Casper Admin) and uninstallable via JAMF, but cannot be used with certain workflows (like osinstall-based imaging).
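A payload-free package of the kind just described can also be built from the command line. The following is an added example, not code from this post or from JAMF, and it uses Apple's pkgbuild tool rather than Composer: it writes a scripts directory containing a postinstall script, checks that the script is executable (the installer will not run it otherwise), and builds a package whose only job is to run that script. The identifier org.example.run-postinstall, the version, and the marker-file action inside the postinstall script are made-up placeholders.

```shell
#!/bin/bash
# Added example: build a payload-free .pkg whose only job is to run a
# postinstall script. Uses Apple's pkgbuild (macOS) instead of Composer;
# the identifier, version and script body below are made-up placeholders.

# Write the scripts directory that pkgbuild consumes. pkgbuild looks for
# files named exactly "preinstall" and "postinstall" in this directory.
# Usage: make_scripts_dir DIR
make_scripts_dir() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/postinstall" <<'EOF'
#!/bin/bash
# The installer passes the target volume as $3 (usually "/").
# Hypothetical action: record when the package last ran on this Mac.
mkdir -p "$3/Library/Application Support/ExampleOrg"
date -u +%Y-%m-%dT%H:%M:%SZ > "$3/Library/Application Support/ExampleOrg/last-run"
exit 0
EOF
    chmod 755 "$dir/postinstall"   # the installer skips non-executable scripts
}

# Sanity check worth running before uploading the package with Casper Admin:
# the scripts directory must contain an executable postinstall.
# Usage: check_scripts_dir DIR
check_scripts_dir() {
    [ -x "$1/postinstall" ]
}

# Build the package. Returns 0 on success, 2 if pkgbuild is unavailable
# (e.g. on Linux), so callers can tell "not on a Mac" from a build failure.
# Usage: build_nopayload_pkg SCRIPTS_DIR OUT.pkg
build_nopayload_pkg() {
    scripts_dir="$1"; out="$2"
    command -v pkgbuild >/dev/null 2>&1 || return 2
    pkgbuild --nopayload \
             --scripts "$scripts_dir" \
             --identifier org.example.run-postinstall \
             --version 1.0 \
             "$out"
}

work="${TMPDIR:-/tmp}/nopayload-example.$$"
make_scripts_dir "$work/scripts"
check_scripts_dir "$work/scripts" && echo "scripts dir ready: $work/scripts"

rc=0
build_nopayload_pkg "$work/scripts" "$work/run-postinstall.pkg" || rc=$?
case "$rc" in
    0) echo "built $work/run-postinstall.pkg" ;;
    2) echo "pkgbuild not found; run this on macOS to build the package" ;;
    *) echo "pkgbuild failed with status $rc" >&2 ;;
esac
```

Because everything inside postinstall runs as root during installation, the same review you would give a policy script applies to it: keep the script small, avoid interpolating untrusted input, and keep the package's source directory under version control so the script that ships can be audited.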

Recon - A Mac OS application that allows you to remotely enroll Macs into JAMF (import their information, and if possible, push the client binary via SSH). In our environment, the IT department enrolls Macs as we receive them, so this doesn't get much use, but this would be very handy in BYOD environments or where users at remote sites do not have the technical skills to enroll the devices themselves upon delivery directly from a retailer.

Self-Service - A Mac OS application installed by default on all JAMF-managed Macs that functions similarly to the App Store. The JAMF administrator can specify a set of policies, apps, etc. that are runnable or installable by the user here, and can determine which are available to which users at what times. In our environment, we don't use this, as we centrally manage as much as possible, but in a BYOD environment or zero-touch configuration environment this would be very useful indeed.

Terminology

Policy - Policies are the main management tool in JAMF. Various "payloads" may be set for a Policy, including a set of packages to install (or uninstall), scripts to run (with various inputs that may be specified), printers to install, AD bindings to apply, etc. They can be set to run once per computer, once per user, on a recurring basis, or only between certain times or dates. Policies apply only to Macs that are within their "scope", and may be set to run automatically at the check-in interval or to be available in the Self-Service application to be run by the user.

Configuration Profile - Configuration profiles use Apple's own APNS push notification-based MDM technologies to enforce settings on managed Macs, much as can be done for iOS devices. Configuration profiles are oriented more toward managing the same settings that can be found through the System Preferences application; they cannot do things like install software or run arbitrary scripts, and as they are pushed through Apple's system, it is sometimes hard to control when they do or do not get applied to client Macs.

Imaging Configuration - An imaging configuration is like a Task Sequence in SCCM - a base image is specified, along with a set of packages or scripts to run after the image is applied. This replaces the "golden master" style of imaging with one that is more configurable and updatable. Imaging configurations are applied using the Casper Imaging application.

Package - A package is either an Apple-style .pkg installer, or a JAMF-style .dmg installer, either created by Composer or downloaded directly from a vendor's website. Composer-created .dmg packages can be made uninstallable by indexing them using Casper Admin.

Script - JAMF supports shell and Python scripts, which can be run as part of a Policy or via Casper Remote. The system automatically correlates command-line parameters to GUI fields to make it easy to specify arguments to scripts.
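The parameter mapping mentioned above is worth seeing concretely. The script below is an added example of a JAMF policy script, not code from this post or from JAMF. It relies on JAMF's documented convention that every policy script receives the target volume's mount point, the computer name and the username as $1, $2 and $3, with $4 through $11 taken from the free-form fields the admin fills in on the policy's script payload (a blank field arrives as an empty string). The script's purpose (pruning an app's stale log files under a hypothetical /Library/Logs/ExampleApp directory) and the meaning given to parameters 4 and 5 are made up for the illustration; the point is the defaulting and validation of values that originate in a web form.

```shell
#!/bin/bash
# Added example of a JAMF policy script; not code from the post or from JAMF.
# JAMF passes three reserved positional parameters to every policy script:
#   $1 = mount point of the target volume, $2 = computer name, $3 = username.
# Parameters 4 to 11 are the free-form fields the admin fills in on the policy's
# script payload in the JSS console; a field left blank arrives as an empty string.
# The purpose below (pruning an app's stale log files) and the meaning of
# parameters 4 and 5 are hypothetical, chosen to show the validation pattern.

# Return the value in $1 if it is non-empty, otherwise the default in $2.
# Usage: param_or_default "$4" 30
param_or_default() {
    if [ -n "$1" ]; then printf '%s\n' "$1"; else printf '%s\n' "$2"; fi
}

# Accept only a non-negative integer, so a typo or stray text typed into the
# GUI field cannot end up inside the find(1) command line. 0 = valid, 1 = invalid.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Normalise a yes/no-style GUI value to the literal "true" or "false".
to_bool() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|1) printf 'true\n' ;;
        *)          printf 'false\n' ;;
    esac
}

# Policy body. A non-zero return makes JAMF record the policy run as failed.
run_policy() {
    mount_point="${1:-/}"
    computer_name="$2"
    current_user="$3"
    keep_days="$(param_or_default "$4" 30)"            # parameter 4 (hypothetical)
    dry_run="$(to_bool "$(param_or_default "$5" no)")" # parameter 5 (hypothetical)
    log_dir="${mount_point%/}/Library/Logs/ExampleApp"  # hypothetical path

    if ! is_uint "$keep_days"; then
        echo "parameter 4 must be a non-negative integer, got '$keep_days'" >&2
        return 1
    fi

    echo "host=$computer_name user=$current_user keep_days=$keep_days dry_run=$dry_run"
    if [ ! -d "$log_dir" ]; then
        echo "$log_dir not present; nothing to do"
        return 0
    fi
    if [ "$dry_run" = "true" ]; then
        find "$log_dir" -type f -mtime +"$keep_days" -print
    else
        find "$log_dir" -type f -mtime +"$keep_days" -delete
    fi
}

run_policy "$@"
```

Returning 1 on a bad parameter rather than silently falling back to the default is deliberate: the policy shows up as failed in the JSS logs, which is the only place an admin will notice that a field was filled in wrongly on a policy that otherwise runs unattended at check-in.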

NetBoot - Apple devices (except those that include the T2 chip, as of this writing) support booting from network-based images, similar to PCs that can start up from PXE. The JAMF system uses this to provide imaging capabilities via the Casper Imaging application. In our environment, we host NetBoot images from Mac Minis at each campus, which also serve as Distribution Points.

Distribution Point - JAMF policies pull packages from local distribution points in order to reduce the amount of bandwidth used on the statewide WAN. Distribution points, which are simple SMB or AFP file shares, can reside on any device capable of serving them; we use SMB shares on Mac Minis, which also serve as NetBoot image servers.

This concludes a brief overview of the tools and terminology of the JAMF system. In future posts, I will explore each of these in more detail.
