
Secure Computing - Endpoint Management Guide Mac

CU Marketplace Purchases

New computers purchased through the Apple punchout on CU Marketplace will be automatically enrolled in the Apple School Manager (ASM) instance and assigned to the Automated Device Enrollment (ADE) workflow once the program launches. This ensures all such devices are automatically added to the Secure Computing site in Jamf Pro.

Customers of OIT’s Jamf Pro service will have access to ASM with Device Manager permissions. This allows them to re-assign devices to their own location in ASM, which in turn ensures their devices enroll in their Jamf Pro site. Devices must be re-assigned before booting into Setup Assistant. Devices that reach Setup Assistant before being re-assigned in ASM will become generic Secure Computing devices; the OS will need to be erased and re-installed after ASM reassignment for the device to enroll under the customer’s site.

On go-live, all unassigned devices in ASM will be added to the Secure Computing location. The next time they’re re-imaged, they will become generic Secure Computing Devices.  

Units interested in becoming Jamf Pro customers should contact EMS via oithelp@colorado.edu.

Instructions for Purchases Made Outside the Apple Punchout in the CU Marketplace

OIT Jamf Pro customers with Device Manager permissions in ASM and physical access to the machines can use Apple Configurator to add Apple Silicon and Intel (with T2 security chips) devices to the program. Such devices can then be managed identically to devices purchased through the punchout.

Management Areas and Basic Information

Apple School Manager & Automated Device Enrollment

Apple School Manager (ASM) is Apple’s portal for education customers to manage device assignments to Mobile Device Management (MDM) services and untaxed software purchases from the App Store. Devices in ASM will go through the Automated Device Enrollment (ADE) process for their assigned location.  

ASM locations are bound to a corresponding site within Jamf Pro, which provides the endpoint management. OIT Jamf Pro customers can access ASM with an EMS-provided Managed Apple ID. Personal Apple IDs cannot be used with this program. Each employee requiring ASM access must be issued an individual Managed Apple ID; shared accounts will not be issued, per Apple’s best practices.

Devices going through the default ADE process enroll in the Secure Computing site in Jamf Pro. OIT customers must change the location in ASM in order for devices to enroll in their site. Default devices should be fully compliant with the new security policy without further customization. 

Jamf Pro

Jamf Pro is the cloud MDM platform OIT uses to support Apple devices. This includes system deployment, application installation, application updates, and OS updates. ASM and ADE, in conjunction with Jamf Pro, provide an out-of-box experience that brings devices into Secure Computing compliance without IT intervention.

OIT Jamf Pro customers can manage their devices through the Jamf Pro administrative interface. They cannot, however, view the inherited framework objects directly; inherited settings can be viewed on individual devices, in the same way that customers and ITPs from other areas view them. Customers can choose to inherit the framework or manage the requirements themselves. This must be a conversation between EMS and the customer, as the framework cannot simply be overwritten. Customers otherwise have the full flexibility of Jamf Pro to support their devices.

ITPs from other areas cannot view any portion of Jamf Pro. However, they can view the settings applied to an individual device in the Profiles pane. On macOS Ventura or newer, open System Settings.app from the Applications folder and select Privacy & Security from the list on the left. A list of options will appear under Privacy & Security to the right of the main list; near the bottom of this list is a section called Profiles. Double-clicking Profiles replaces the Privacy & Security list with the list of installed profiles. Double-click any title to view the settings it applies.

[Image: Jamf reference image]

While end users will have administrative privileges on their devices by default, they cannot permanently override the framework Jamf Pro deploys. For managed settings, including FileVault encryption, the related local options are disabled in the OS or application. Another notable overridden setting is that users can log into iCloud and enable iCloud Drive, but iCloud Desktop & Documents is disabled and no exemption is available. Required software can be deleted by an administrative user, but Jamf Pro will re-install it.  
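The Profiles pane described above and the managed FileVault setting can also be checked from a Terminal. The following read-only audit script is an added example, not part of the OIT guide or any Jamf workflow; it reports MDM/ADE enrollment state, installed configuration profile identifiers, and FileVault state. The output formats of `profiles status -type enrollment`, `profiles list` and `fdesetup status` are assumed from current macOS releases, so the parsers read text on stdin and are exercised with a constructed sample wherever those tools are not present.

```shell
#!/bin/sh
# Added example (not OIT's own tooling): read-only audit of what the
# Profiles pane shows, runnable on a managed Mac. Output formats of the
# macOS tools are assumed; the parsers take stdin so they can be tested offline.

# Parse `profiles status -type enrollment` (stdin). Prints "ade" when the
# device came through Automated Device Enrollment, "manual" if MDM-enrolled
# some other way, "none" if not MDM-enrolled at all.
parse_enrollment() {
  enr_dep=no; enr_mdm=no
  while IFS= read -r enr_line; do
    case "$enr_line" in
      "Enrolled via DEP: Yes"*) enr_dep=yes ;;
      "MDM enrollment: Yes"*)   enr_mdm=yes ;;
    esac
  done
  if [ "$enr_mdm" = yes ] && [ "$enr_dep" = yes ]; then echo ade
  elif [ "$enr_mdm" = yes ]; then echo manual
  else echo none
  fi
}

# Parse `profiles list` (stdin): one profileIdentifier per line, de-duplicated.
parse_profile_ids() {
  sed -n 's/.*profileIdentifier: *//p' | sort -u
}

# Parse `fdesetup status` (stdin): prints "on" or "off".
parse_filevault() {
  if grep -q '^FileVault is On'; then echo on; else echo off; fi
}

# Exact-match test for one identifier in a list of ids (stdin).
# Usage: printf '%s\n' "$ids" | has_profile com.example.id
has_profile() {
  grep -Fxq "$1"
}

# Constructed sample output, used when the macOS tools are not available
# (e.g. when reading this on another platform). Identifiers are placeholders.
SAMPLE_ENROLL='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_PROFILES='_computerlevel[1] attribute: profileIdentifier: com.example.filevault
_computerlevel[2] attribute: profileIdentifier: com.example.vpn'
SAMPLE_FDE='FileVault is On.'

# Prints a three-line summary from the three raw outputs given as arguments.
audit_report() {
  echo "enrollment: $(printf '%s\n' "$1" | parse_enrollment)"
  echo "filevault:  $(printf '%s\n' "$3" | parse_filevault)"
  echo "profiles:"
  printf '%s\n' "$2" | parse_profile_ids | sed 's/^/  /'
}

if command -v profiles >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
  # Live run: `profiles list` shows computer-level profiles only when run as root.
  audit_report "$(profiles status -type enrollment 2>/dev/null)" \
               "$(profiles list 2>/dev/null)" \
               "$(fdesetup status 2>/dev/null)"
else
  audit_report "$SAMPLE_ENROLL" "$SAMPLE_PROFILES" "$SAMPLE_FDE"
fi
```

Run it with `sudo sh audit.sh` on the Mac so that computer-level profiles (the ones Jamf Pro installs) are included; an ADE-enrolled Secure Computing device should report `enrollment: ade` and `filevault: on`, matching what the Profiles pane shows.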

Exemptions for specific framework features will be available through a regular exemption process (not yet completed) and do not require paid access into Jamf Pro to accomplish for individual machines. The planned exemptions are: 

  • Full exemption from everything
  • Alertus
  • Eracent
  • Microsoft Defender
  • O365, full exemption
  • O365, redirection location of OneDrive
  • Rebooting schedule
  • Third party patching
  • FileVault encryption

Other Notable technologies

Always On VPN (AOVPN)

The AOVPN is a Cisco VPN that uses machine certificates for authentication rather than user credentials. It is enabled as the machine boots. It is provided as a convenience so macOS users can reach campus-only resources without manually running AnyConnect. This VPN automatically disconnects if a user starts another Cisco VPN connection (such as a private departmental campus VPN). The management tunnel does not automatically disconnect for non-Cisco VPNs such as Juniper; to use those, macOS users must opt out of AOVPN via Self Service.

Defender for Endpoint

Defender for Endpoint is configured as a standard part of the ADE deployment. A Jamf Pro workflow delivers the software along with an enrollment profile that tells the device to relay security information to UCB’s Azure tenant. Customers using Jamf Pro customizations may also have their endpoints tagged in Security Center (not to be confused with Group Tags) so that they can be viewed in the Security Center Azure Portal.

Jamf Connect

Jamf Connect provides the ability to log into systems with IdentiKeys without binding to Active Directory. This is accomplished through an Azure application. The accounts it creates are local to the device and can be used offline. Jamf Connect keeps the local account’s password in sync with the IdentiKey password. Only IdentiKeys will work by default.

In addition to the Login Window, Jamf Connect provides a menu bar icon which contains links to Self Service, the support website for the device, CU Red Folder and other options.  

Nudge

Nudge is a utility that prompts end users to install macOS updates within a required timeframe.  

Self Service

Self Service allows end users to install optional software as well as perform other automated tasks. This is provided as a convenience and does not override a user’s ability to install software via standard methods.