Final project report for "Investigate the new centrally managed Mac desktop"

Project Description

Investigate the new centrally managed Mac desktop and consider/research whether it would be of any benefit to Mac users within the School.

Project page

Project updates (minimal)

Documentation/Links

JAMF Pro

Informatics documentation

IS docs - user-facing

IS docs - comprehensive documentation

JAMF web interface

EdLAN DB

AD user lookup/editing

Issue tracker

How it works

Installation and Configuration

The University's centrally provided managed Mac desktop is based on JAMF Pro.

Conversion to a managed Mac is performed by installing the QuickAdd package, which can be found on the IS support pages.

The procedure is slightly different for laptops and desktops; both are well documented on the IS support pages. In both cases a "primary user" is associated with the machine. For laptops, the primary user is used to generate the machine name, which is used by the JAMF web interface and in AD.

Desktops must be registered in EdLAN DB. The machine name in DNS must match the NetBIOS name (case is irrelevant). Informatics NetBIOS names begin with 'INF-'. A DNS alias is acceptable, e.g. the machine with a NetBIOS name of INF-CUYP is named 'cuyp' locally and has a DNS CNAME of inf-cuyp.
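The naming rules above can be checked before a desktop is registered. The script below is an added example, not part of this report or of the IS documentation: it encodes the 'INF-' prefix rule and the case-insensitive DNS match, and accepts a CNAME that points at the machine's own A record. The zone data is constructed (a dict of lower-case name to record), standing in for EdLAN DB / the DNS zone.

```python
"""Pre-registration check for a managed Mac desktop (added example; not part of the
report or the IS documentation). Rules encoded: the NetBIOS name begins with 'INF-',
and the DNS name matches it ignoring case, where a CNAME pointing at the machine's
own A record is acceptable."""

# Constructed DNS data standing in for EdLAN DB / the DNS zone
# (assumption: lower-case name -> (record type, value)).
SAMPLE_ZONE = {
    "cuyp": ("A", "192.0.2.10"),           # RFC 5737 documentation address, constructed
    "inf-cuyp": ("CNAME", "cuyp"),          # the alias arrangement described in the report
    "inf-orphan": ("CNAME", "nosuchhost"),  # constructed dangling alias
}

NETBIOS_PREFIX = "INF-"


def resolve_to_a_record(zone, name, max_hops=4):
    """Follow CNAMEs (case-insensitively) until an A record is reached; None if none."""
    current = name.lower()
    for _ in range(max_hops):
        rec = zone.get(current)
        if rec is None:
            return None
        rtype, value = rec
        if rtype == "A":
            return current
        if rtype != "CNAME":
            return None
        current = value.lower()
    return None


def check_desktop_registration(netbios_name, local_hostname, zone):
    """Return a list of problems; an empty list means the names satisfy the rules."""
    problems = []
    if not netbios_name.upper().startswith(NETBIOS_PREFIX):
        problems.append(f"NetBIOS name {netbios_name!r} does not begin with {NETBIOS_PREFIX}")
    # Case is irrelevant, so the DNS lookup is done on the lower-cased name.
    canonical = resolve_to_a_record(zone, netbios_name)
    if canonical is None:
        problems.append(f"no A record reachable from DNS name {netbios_name.lower()!r}")
    elif canonical != local_hostname.lower():
        problems.append(
            f"DNS name {netbios_name.lower()!r} resolves to {canonical!r}, "
            f"not the local hostname {local_hostname.lower()!r}")
    return problems


if __name__ == "__main__":
    for nb, local in [("INF-CUYP", "cuyp"), ("inf-orphan", "orphan"), ("CUYP", "cuyp")]:
        print(nb, "->", check_desktop_registration(nb, local, SAMPLE_ZONE) or "OK")
```

Run against the report's own example, INF-CUYP / cuyp / CNAME inf-cuyp, the check passes; a dangling alias or a name without the 'INF-' prefix is reported.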

Desktops allow network logins for anyone in Active Directory, without requiring a local account on the machine. For this to work, the Active Directory record of a user wishing to log in must not have an AFS home directory path (as many of ours do).

Further configuration as the primary user will probably be required after the JAMF software has been installed and the machine rebooted, e.g. eduroam and VPN (for laptops) and OneDrive.

Accounts and Software

The conversion to a managed Mac does not affect any accounts or software already on the machine, nor the ability to add either subsequently.

The SelfService application lets users easily install additional applications (from a list of approximately 90, both free and otherwise licensed) and add printers and network shares.

Informatics has an admin support account, infsupport, added by default on all Informatics managed Macs; for the password, ask Jennifer/Toby.

The 'uoemanage' admin account is created by JAMF on all managed Macs and is used for running policies.

Administrative rights

Admin rights for accounts on managed Macs can be added/removed as described in the IS documentation. Note that editing Active Directory needs to be done using the "taskpad" application on a Windows MDP machine.

OS updates

The version of macOS is kept up to date by JAMF: it prompts the user, with increasing urgency, to upgrade to the latest version. It gives a date by which the update must be installed, and eventually insists (via an undismissable dialog box) that the update is performed. It gives no information about what the update contains (although details can be found via System Information -> Software -> Installations).

Disk Encryption

This is mandatory for laptops and optional for desktops. If enabled, the FileVault recovery key is held by JAMF and can be accessed via the JAMF web interface.

Remote access

Graphical remote access can be enabled on a client via System Preferences -> Sharing -> Remote Management. The client can then be accessed via the Screen Sharing application on a support Mac.

API access

There is a JAMF API which can be queried. This offers authenticated access only (requiring an EASE username/password).

e.g. to obtain a list of managed devices within Informatics:

curl -u <uun> https://uoe.jamfcloud.com/JSSResource/computergroups/id/404 -o ./jamf-out.xml -s

There seems to be no way of querying this service without supplying a password. Should we wish to make automated use of this API, we could consider using a functional account whose password is stored locally.
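What such an automated query could look like, as an added example that is not part of the report or of any Informatics tooling: the same endpoint as the curl command above is fetched with HTTP Basic authentication using a functional account, the account's 'user:password' line is read from a local file that the script refuses to use unless it is readable only by its owner (the file path is hypothetical), and the XML response is parsed to list the group's members. The sample response below is constructed, shaped like the classic API's computer_group document; the live request is only made when run with --live.

```python
"""Querying the JAMF Pro classic API with a functional account (added example; not the
report's own tooling). Assumptions: the functional account's 'user:password' line is
kept in a mode-600 file (hypothetical path), and the computer-group response has the
classic API's <computer_group><computers><computer>...</computer></computers> layout."""
import base64
import os
import stat
import sys
import urllib.request
import xml.etree.ElementTree as ET

JAMF_BASE = "https://uoe.jamfcloud.com/JSSResource"   # host and endpoint from the report
INFORMATICS_GROUP_ID = 404                            # group id from the report's curl example
CRED_FILE = os.path.expanduser("~/.jamf-functional-account")  # hypothetical location
NETBIOS_PREFIX = "INF-"


def load_credentials(path=CRED_FILE):
    """Read 'user:password', refusing a file that group or others can read."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must be readable only by its owner (chmod 600)")
    with open(path, encoding="utf-8") as fh:
        user, sep, password = fh.read().strip().partition(":")
    if not sep or not user or not password:
        raise ValueError(f"{path} must contain exactly one 'user:password' line")
    return user, password


def fetch_group_xml(group_id, user, password, timeout=30):
    """GET computergroups/id/<n> with HTTP Basic auth, as the report's curl command does."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{JAMF_BASE}/computergroups/id/{group_id}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def parse_group_members(xml_bytes):
    """Return (group name, [{'id', 'name', 'serial'}, ...]) from a computer_group document."""
    root = ET.fromstring(xml_bytes)
    members = [
        {
            "id": int(comp.findtext("id")),
            "name": comp.findtext("name", ""),
            "serial": comp.findtext("serial_number", ""),
        }
        for comp in root.iterfind("./computers/computer")
    ]
    return root.findtext("name", ""), members


def names_outside_convention(members, prefix=NETBIOS_PREFIX):
    """Members whose recorded name does not carry the Informatics 'INF-' prefix."""
    return sorted(m["name"] for m in members if not m["name"].upper().startswith(prefix))


# Constructed response, shaped like the classic API's XML; ids, names and serials are made up.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<computer_group>
  <id>404</id>
  <name>Informatics managed Macs</name>
  <is_smart>false</is_smart>
  <computers>
    <computer><id>1</id><name>INF-CUYP</name><serial_number>C02EXAMPLE01</serial_number></computer>
    <computer><id>2</id><name>inf-laptop-02</name><serial_number>C02EXAMPLE02</serial_number></computer>
    <computer><id>3</id><name>MacBook-Pro</name><serial_number>C02EXAMPLE03</serial_number></computer>
  </computers>
</computer_group>
"""

if __name__ == "__main__":
    if "--live" in sys.argv:  # only contacts JAMF when explicitly asked to
        user, password = load_credentials()
        xml_bytes = fetch_group_xml(INFORMATICS_GROUP_ID, user, password)
    else:
        xml_bytes = SAMPLE_XML
    group, members = parse_group_members(xml_bytes)
    print(f"{group}: {len(members)} members")
    for m in members:
        print(f"  {m['id']:>5}  {m['name']:<20} {m['serial']}")
    print("outside INF- naming convention:", names_outside_convention(members))
```

The permission check on the credential file is the point of the "stored locally" suggestion: a functional account's password on disk is only as safe as the file mode, so the script fails closed rather than read a world-readable file.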

Removal

JAMF can be completely removed from any managed Mac by running the SelfService "Remove JAMF Management" utility while logged into SelfService as the 'infsupport' user. This facility is comparatively new, but seems to work well; it is something we identified early in the project as a feature we would like.

Potential Issues for Informatics

The default use of ED.AC.UK credentials can be annoying for a user who wishes to remain authenticated within the INF.ED.AC.UK realm: authenticating to the screen saver refreshes the ED.AC.UK credentials in the user's default credentials cache. This would, for example, require re-authenticating to INF.ED.AC.UK for GSSAPI ssh connections to work. There are technical solutions which could be investigated should this prove to be an issue.
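A quick way to see whether a user is in this state, as an added example not taken from the report: parse the output of klist to find which realm the default principal belongs to and which realms have a ticket-granting ticket cached. macOS ships Heimdal, whose klist prints "Principal: user@REALM"; MIT klist prints "Default principal: user@REALM"; both layouts are handled. The two klist outputs below are constructed; run with --live to parse the local klist instead.

```python
"""Which Kerberos realm does the default credentials cache hold? (Added example, not
part of the report.) Handles Heimdal-style ('Principal:') and MIT-style
('Default principal:') klist output. Sample outputs are constructed."""
import re
import subprocess
import sys

INF_REALM = "INF.ED.AC.UK"

PRINCIPAL_RE = re.compile(r"^\s*(?:Default principal|Principal):\s*(\S+@\S+)", re.MULTILINE)
# A TGT for a realm is krbtgt/REALM@REALM; cross-realm TGTs (krbtgt/A@B) are deliberately
# not counted, since they do not show that the user authenticated to REALM directly.
TGT_RE = re.compile(r"krbtgt/(?P<realm>[A-Za-z0-9.\-]+)@(?P=realm)")


def default_realm(klist_output):
    """Realm of the cache's default principal, or None if no principal is listed."""
    m = PRINCIPAL_RE.search(klist_output)
    return m.group(1).rsplit("@", 1)[1] if m else None


def tgt_realms(klist_output):
    """Set of realms for which the cache holds a ticket-granting ticket."""
    return {m.group("realm") for m in TGT_RE.finditer(klist_output)}


def needs_inf_reauth(klist_output, wanted=INF_REALM):
    """True when GSSAPI clients such as ssh would not present INF.ED.AC.UK credentials:
    the default principal is in another realm, or no TGT for the wanted realm is cached."""
    return default_realm(klist_output) != wanted or wanted not in tgt_realms(klist_output)


# Constructed Heimdal-style output after the screen saver has refreshed ED.AC.UK credentials.
SAMPLE_AFTER_SCREENSAVER = """\
Credentials cache: API:00000000-0000-0000-0000-000000000000
        Principal: user@ED.AC.UK

  Issued                Expires               Principal
Apr  8 09:00:00 2020  Apr  8 19:00:00 2020  krbtgt/ED.AC.UK@ED.AC.UK
"""

# Constructed MIT-style output with a fresh INF.ED.AC.UK TGT and a host ticket.
SAMPLE_INF = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: user@INF.ED.AC.UK

Valid starting     Expires            Service principal
04/08/20 09:00:00  04/08/20 19:00:00  krbtgt/INF.ED.AC.UK@INF.ED.AC.UK
04/08/20 09:05:00  04/08/20 19:00:00  host/example.inf.ed.ac.uk@INF.ED.AC.UK
"""


def live_klist():
    """Run the local klist; returns '' if klist is absent (its non-zero exit with no cache
    is tolerated, leaving an empty or error-only output that parses as 'no principal')."""
    try:
        return subprocess.run(["klist"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    output = live_klist() if "--live" in sys.argv else SAMPLE_AFTER_SCREENSAVER
    print("default realm:", default_realm(output))
    print("TGTs held for:", sorted(tgt_realms(output)))
    if needs_inf_reauth(output):
        print(f"re-authenticate to {INF_REALM} before GSSAPI ssh to Informatics hosts")
    else:
        print(f"{INF_REALM} credentials are the default; GSSAPI ssh should work")
```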

Some users may not be happy with relinquishing control of some aspects of their machine (e.g. OS updates, FileVault recovery key, allowing remote access).

Support

There is extensive documentation on the IS support pages. IS have been helpful and responsive to our many questions via Unidesk. There is also an issue tracker for submitting bugs/queries/requests.

Local documentation

Documentation by/for us.

Conclusions

The centrally managed Mac support looks potentially useful, particularly for less experienced users. It should be noted that it doesn't take complete control of a machine: local management is still possible. It will probably be used more for individual laptops (and is already in use for at least two users in the school/college), but installation on a desktop provides an easy way of providing a multi-user Mac without having to manage accounts.

Our recommendation is that requests for new Macs, particularly laptops, should be assessed by user support for suitability for the managed Mac programme, and then monitored afterwards.

Other issues

The issue of who is responsible for supporting non-Informatics staff in Bayes should be clarified.

Time spent

  • Toby: 61 hours (~8.7 days) + time spent on operational issues
  • Jennifer: 12.5 hours (~1.8 days) + time spent on operational issues
  • Total: 73.5 hours (10.5 days)


-- TobyBlake - 08 Apr 2020

Topic revision: r7 - 01 Jul 2020 - 13:53:53 - TobyBlake