Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Common Pitfalls of Jamf Administration and How to Fix Them

November 13, 2019

Common Pitfalls of Jamf Administration and How to Fix Them


November 13, 2019


  1. © JAMF Software, LLC
    Common Pitfalls of Jamf
    Administration and How to Fix Them
    10:15 - 11:00 AM

    View full-size slide

  2. © JAMF Software, LLC
    Matthew Phillips
    Implementation Engineer


    View full-size slide

  3. © JAMF Software, LLC

    View full-size slide

  4. © JAMF Software, LLC

    View full-size slide

  5. The Struggle is Real
    Most Common Non-Technical Blockers

    • No buy in from upper management

    • Conflict from other teams: infoSec, networking, infrastructure

    • Money / Time / Staff

    • Tradition

    • Misunderstandings

    • Knowledge deficit

    View full-size slide

  6. The Struggle is Real
    Blockers come in all shapes and sizes

    • Political Issues

    • Following the mythical “Best Practice”

    • Legacy Workflows

    • Analysis Paralysis

    • No time or place to Test

    View full-size slide

  7. Common Pitfalls and how to fix them

    • Get out of that Bind

    • Can we practice “Best Practice”?

    • Help for your Analysis Paralysis

    • Document the documentation documents and document it

    • Imagine the best way

    • Using the tools you have

    View full-size slide

  8. © JAMF Software, LLC
    Almost every reason to
    bind a Mac has an
    alternative approach.
    What are you actually
    getting from binding?
    Get out of that Bind

    View full-size slide

  9. Get out of that Bind
    “But we need to bind our Macs because…”

    • Certificates! and we use those for WiFi and VPN and stuff.

    • Network Shares and Printers.

    • Off-boarding and termination.

    • GPOs and AD group membership.

    • Consistent password experience.

    • Honestly, we don’t know why.

    View full-size slide

  10. © JAMF Software, LLC
    Get out of that Bind
    Azure AD

    Conditional Access
    ADCS Connector JIM

    View full-size slide

  11. Can We Practice… “Best Practice”
    Every environment is different.

    • There is no silver bullet

    • Unicorns don’t exist

    • You have to build your own Easy Button

    • Santa Clause Isn’t Real

    • It won’t work Every Single Time. That’s Okay.

    View full-size slide

  12. Can We Practice…“Best Practice”
    Pro Tips from our Jamfs in the field:

    • Eliminate redundant effort

    • Less Steps = Less Issues

    • Avoid Shotgun policy triggers

    • Sites are probably for someone else

    • Advanced Search whenever possible

    • Smart Group Abuse

    • Naming. Naming. Naming.

    View full-size slide

  13. © JAMF Software, LLC
    Eliminate Redundant Effort
    Do not add the same
    package to multiple
    similar policies.
    Creates trouble and
    more work later.

    View full-size slide

  14. © JAMF Software, LLC
    Eliminate Redundant Effort
    DO: reference the main
    installation policy by
    using the custom trigger
    name: install_chrome
    Scope and frequency is
    controlled by each policy.

    View full-size slide

  15. © JAMF Software, LLC
    Less Steps = Less to go Wrong
    Hey Rube Goldberg…
    Uh, It didn’t work‽
    Clever policy chains are risky.
    Script it whenever possible.
    No shame in having Hundreds
    of policies if organized.

    View full-size slide

  16. Shotgun Policy Triggers
    Usually its best to pick just One Trigger

    • “Why did that policy run?”

    • Custom triggers are powerful

    • To many triggers looses control

    • Scripting allows for full control

    • Move past “once per computer”

    View full-size slide

  17. Sites are probably for someone else
    Very few cases where it is helpful

    • Sites should be reserved for multiple
    distinct admin groups.

    • Used when different devices are managed
    separately in very different ways.

    • Meant to make things easier not to make
    more work for the jamf admin.

    View full-size slide

  18. Advanced Search - Hero. Friend.
    Do This.

    View full-size slide

  19. Advanced Search whenever possible
    • Doesn't Calculate until time of viewing

    • Not for scope, just metrics

    • No Excess Server Load

    • Great for reporting!

    View full-size slide

  20. Smart Group Abuse
    Constantly being Calculated

    • IS installed vs IS NOT installed

    • Too Many Criteria

    • Nested Groups in Nested Groups in Nested Groups…

    • Name it what it Does not what its For

    • Naming is so very important

    View full-size slide

  21. Whats in a Name?
    You decide. But please, Stick to it.

    • Be Specific. Be Accurate.

    • Little notes to Future You. ~Thanks Past Me.

    • Avoid naming TEST, Working, DONT DELETE ME

    • Stop with OLD, Disabled, DO NOT USE.

    • Clean House. Now is always the time.

    • Document the Naming Scheme!!!

    View full-size slide

  22. Paralysis from Analysis
    Fear of Change - common complaints:

    • Jamf management can be overwhelming.

    • Switching workflows is a really big deal.

    • Testing and getting approval takes too long.

    • We cant have an outage of any kind. ever.

    • “If it aint broke dont fix it.”

    View full-size slide

  23. Paralysis from Analysis
    Break it down in to easy to handle pieces

    1. Identify each issue that can be solved separately

    2. Solve each piece individually in a dev environment

    3. Figure out how to bolt them together

    4. Move it over into UAT or Pre Production Server.

    5. Success. Profit?

    View full-size slide

  24. Paralysis from Analysis
    Ideal Setup

    • Multiple Jamf test environments

    • VMs and Hypervisor are your best friends

    • Backups of Backups. Not Snapshots.

    • Do you really need Hot Spares?

    • Clean. Lean. Fighting Jamf Machine!

    View full-size slide

  25. Your Server Setup
    Even Jamf Cloud Customer’s can have one.

    • On prem servers are easy when it’s a test environment

    • Sandbox for playing

    • Test / Dev for testing and building

    • UAT / Preproduction for real world sanity checks

    • Jamf tools to move from one to the other

    View full-size slide

  26. Your Server Setup
    Do you even backup, Bro?

    • First, Have Backups

    • Snapshots are not backups and should not be trusted.

    • Backups of Backups.

    • Disaster recovery vs Hot spares

    • Clean. Lean. Fighting Jamf Machine!

    View full-size slide

  27. © JAMF Software, LLC
    Level Up your Upgrade Game
    Read the Red.
    Read every single
    piece of relevant

    View full-size slide

  28. © JAMF Software, LLC
    Level Up your Upgrade Game
    Release Notes are
    your Friend.
    When in doubt…
    Ask jamf

    View full-size slide

  29. © JAMF Software, LLC
    Level Up your Upgrade Game
    Beta Program.
    Get around it.
    How good?
    So Good.

    View full-size slide

  30. Level Up your Upgrade Game
    Lessons We’ve Learned.

    • Clean. Lean. Fighting Jamf Machine!

    • Give yourself enough time.

    • Backup. Then, restore backup to your Dev Server.

    • Dry run the upgrade.

    • Check available drive space on all servers.

    View full-size slide

  31. © JAMF Software, LLC
    Document the Documentation
    Write everything down and make it available.

    • It’s about more than Job Security

    • No Detail is too small

    • Imagine if you had to do it all again.

    View full-size slide

  32. © JAMF Software, LLC
    Document the Documentation
    Remember thy name!

    • Naming of everything is important.

    • Versioning of Package names

    • Consistency is key

    • Consider date, and creators name

    View full-size slide

  33. © JAMF Software, LLC
    Document the Documentation
    Whats in a name?

    • It’s about more than Job Security

    • Versioning of Package names

    View full-size slide

  34. © JAMF Software, LLC
    Imaging the Best Way
    You can still do it… doesn’t mean its right.

    • Out of box experience?

    • White glove treatment?

    • Network / Bandwidth concerns?

    • IT staff size?

    • Time? Speed, down time turnaround.

    View full-size slide

  35. © JAMF Software, LLC
    Square Peg in a Round Hole
    Never ever force it.

    • Mistakes happen, but don’t have to be public.

    • Someone else’s solution might not be right for you.

    • Don't make extra work for you or the users

    • Patching intervals aren't necessary

    View full-size slide

  36. © JAMF Software, LLC
    TL;dr… cheat sheet
    Key Take-Aways

    • Mistakes compromise faith in the management framework.

    • Someone else’s solution might not be right for you.

    • Don't make extra work for you or the users.

    • Build a test server and use it.

    • Simple approach is best approach.

    • Document and Share Everything.

    View full-size slide

  37. © JAMF Software, LLC
    Q & A

    Open Discussion

    Time for you…

    View full-size slide

  38. © JAMF Software, LLC
    Thank you

    View full-size slide

  39. © JAMF Software, LLC
    Thank you for listening!
    Give us feedback by
    completing the 2-question
    session survey in the JNUC
    2019 app.
    Tailor Machine Setup for Both IT and Employees
    11:30 - 12:15 PM

    View full-size slide