top of page

Iron Men

Public·4 Brothers
Mason Campbell
Mason Campbell

Jamf After Dark: Managed App Config

The Jamf Pro Invitation is a unique string that is generated by Jamf Pro. The Jamf Pro Invitation ensures that the MDM server the device is managed by matches the server specified in the com.jamf.config.jamfpro.url key-value pair.

Jamf After Dark: Managed App Config


The advantage of such a specification (following the standard) is that MDM solutions can interpret the configuration and use intelligent form editors to guide MDM administrators when setting managed app configuration values.

You can use a different MDM solution, but I found the simplicity and pricing aspects for testing purposes really good. Initially, I wanted to test with Jamf. But their basic product line Jamf Now (Plus), allowing to manage up to 3 devices for free, cannot deploy a managed app configuration. This capability is available starting with Jamf Pro, which has a 14 day trial period and then requires to purchase licenses for a minimum of 50 devices :(

That said, I started with a working setup for both Jamf Connect Login 2.x and Jamf Connect Menu Bar App and the first thing to deploy and configure Jamf Unlock was to add the additional redirect URI in my existing Azure app: jamfunlock://callback/auth

For com.jamf.config.idp.oidc.client-id you need to put the app ID of the Jamf Connect OIDC app you have configured in Azure, just like you have it in the Jamf Connect Login and Menu Bar.

Instead, the two (2) methods that actually work are eithera) use a Printing configuration profile for the domain like the example XML profile from OIT named (click to download)orb) setup the printer using the lpadmin Unix command line tool that configures CUPS after installing the additional required software packages for the printer. Starting with macOS 10.15.x Apple has restricted network printing to the ipp or ipps protocol (direct attached USB should work ongoing and smb based printing still seems to work but I would not expect it to be there in future versions of macOS.)

Jamf is an Apple device management solution used by system administrators to configure and automate IT administration tasks for macOS, iOS, and tvOS devices. The current project will focus solely on macOS devices. All macOS devices used by GitLab Team Members for the purposes of fulfilling the responsibilities of their role as a GitLab Team Member are required to be enrolled and managed by Jamf.

With the Apple Device Enrollment Program, it is possible to remotely register, configure, and deliver the device directly to the end user in a zero-touch approach. It means that the dvice is practically ready to use immediately after unpackacging. All relevant configurations and settings are automatically installed at the first device start-up. That significantly relieves the IT department.

An international company had a centrally managed antivirus system, which was nonetheless divided into many servers and configurations due to differences between geographic regions. Each user had to choose the right software with the suitable configuration, leading to cases of poorly chosen configuration or even a lack of antivirus software on the devices.

Configuration Profiles from Jamf Pro are awesome. They are managed settings coming from the MDM that the user cannot change. We can set configurations on the devices that are permanent until we make changes inside the MDM itself. A great example of a configuration profile that we use includes the FileVault payload. We can enforce encryption on the computers while also escrowing the personal recovery key inside Jamf Pro. If a user ever forgets their FV password, we can provide the key that is escrowed.

A device can be in compliant, non compliant or in a stale state. A device will be in a stale state when it does not have any movement for more than 15 days. You can configure the number of days. You can see the devices that do not follow the compliance in the table below the charts. The table shows the device host name, type, managed/unmanaged state and the services it is compliant and non-compliant. Click on the device host name to see a detailed device risk summary page.


Serving the community, our church, and each other in love.


bottom of page