First impressions of Apple School manager & Jamf Pro

Getting Started Sep 06, 2018

With the recent changes to macOS that make life hard for anyone not using DEP, the University has been making strides towards using Apple School Manager (ASM). I recently got a chance to figure out the interface, I thought I'd write down some initial observations about integrating it with Jamf Pro, in the context of Higher Education.

Segmentation

ASM

Within ASM you've got the ability to define locations. The official documentation suggests using this based on different schools within a school district. Depending on how your IT organization is split up, you may want to make one for each school or major IT group. I'll refer to them throughout the rest of this post as locations, regardless of their usage.

Jamf Pro

Jamf Pro looks has a way to split into different sites or zones as well. I'll refer to them as zones through the rest of the post.

Integration

Each location in ASM can be assigned one MDM server. For Jamf to know which zone to assign devices and VPP purchases to, it looks like the integration requires a one-to-one mapping of Jamf zone to ASM location.

Users

Roles

Content Manager

It looks like you can assign several different roles. At the early stage, the one that stands out to me the most is Content Manager. You can assign content managers to either the institution or locations. Depending on the purchasing policies at the institution, you can assign the purchasing department institutional level content manager permissions and let them purchase and assign licenses to locations. You can also grant content manager permissions to someone at the individual locations. With the policies at my University, this would allow the central store to make bulk purchases of paid applications or one-off purchases with large price tags; while letting individual IT departments make limitless "purchases" of free apps and buy small batches of paid ones.

Password policies

These don't seem necessarily seem to be the password policy on the website. This may just be the password policy on iOS devices. This may take more testing.

Assignments

The first thing I managed to test in here was an iOS device I had on my desk. I enrolled it in DEP via Configurator 2. I still needed to manually assign it to the group I wanted it in via serial number in the device assignments tab.

Ryan Buzzell

Computer Systems Engineer @ Eastman School of Music | Find me on the macadmins slack @rbuzzell https://macadmins.herokuapp.com/