Jamf Pro Overview

Jamf Pro is a comprehensive management system for Apple macOS computers, iOS and tvOS devices. With Jamf Pro, OIT can proactively assist you with the management of the entire lifecycle of your university Apple devices. This includes deploying and maintaining university required software and responding to security threats. 

During the setup process, new University Mac computers, iPhones, iPads and Apple TVs are automatically enrolled in Jamf Pro.

Connecting your personally owned Apple device to the Princeton network will not enroll your device in Jamf. 

No personal information is collected, such as the content or names of personal files (documents, email, etc) or any browsing history. See "Information Collected" section for more information.

A mandatory minimum password requirement is applied for enhanced security.

Princeton's MDM server manages central software and password settings.

Department MDM Admins, typically SCAD/DCS, can push operating updates to their department Apple devices, if appropriate. OIT will only provide this service if requested by the user assigned the device.

Managed Device Overview

Jamf Pro is recommended for University Apple devices.  For best setup experience use most recent Apple operating systems versions.  Jamf Pro can be installed on:

• University Mac computers (10.13 or above)
• iPhones, iPads (11 or above)
• Apple TVs (4th Gen. Apple TV or above) 

Benefits

• Mislaid devices can be locked giving users peace of mind while they search for the device
• For iOS devices, enabled lost mode feature is available ny contacting your SCAD/DCS member or the SOC
• Lost or Stolen devices can be wiped or locked as soon as the device reconnects to network
• It's difficult for individuals not associated with university to set up the device
• SCAD/DCS and OIT SOC can lookup the information for device associated with user when user requests assistance even  if user doesn't know the device name.
• Data encrypted at rest.
• Antimalware software automatically enabled
• Assistance is available if device login password is forgotten.
• Only a user with a Princeton Active Directory account can set up university iOS devices purchased through the Princeton Apple Store, Verizon and AT&T Resellers.
• SRA VPN App is automatically configured with Princeton server information.

Limitations & Known Issues

• Does not support macOS 10.12 and below; iOS 11 and below or pre-Apple TV 4K.
• macOS 10.14 and below may experience a FileVault issue when FV enables user which requires a reboot.
• Data and Profile migration from old computer to new computer is not seamless and requires a cable (Contact your SCAD/DCS member)
• If you use Migration Assistant, you cannot check "Computer & Network Settings" to migrate over to the new computer
• If you send a "disable remote management command" to a computer, it cannot be re-enabled unless you run Recon or inventory
• The Account Creation step of the Setup Assistant can fail to complete when enrolling computers with Jamf Pro using a PreStage enrollment
• During startup, you may see "connecting to mme-casper.princeton.edu", this is because a policy is installing that is scoped for startup, the length of time this shows, depends on how large the installation of the package is.
• If you are stuck on a "waiting for management screen" in Setup Assistant:
  
  • Press Command-Q to shut down the computer
  • Restart the computer and continue through the Setup Assistant screens
  • When the Desktop appears, open System Preferences > Profiles
  • If profiles are shown, continue setting up the computer as normal.

    sudo jamf recon

  • If there are no profiles, open Terminal and run the following command

    sudo profiles renew -type enrollment 

macOS Software

Automatically installed:

• Anti-malware Software
• Princeton IT Self Service
• Firefox Browser
• Vulnerability Scanning Software
• Zoom Full Client (Video Conferencing Client)
• Jabber Client (Chat and Soft Telephone Client)
• Microsoft 365 Office Suite
• Jamf management account. A local account named 'depprodadmin' is created during enrollment and given a random 128 character password that is unique to each computer.

Additional Software Available to be installed:

• VPN Software
• Backup and Restore Software
• Microsoft Remote Desktop

iOS Software

Automatically installed:

• VPN Software
• GlobalProtect (Campus Primary VPN Client)
• SonicWall Connect
• Duo Mobile
• Princeton Mobile
• Princeton Timeline
• TigerSafe
• Princeton IT Self Service App

Additional Software Available to be installed:

• Cisco Jabber
• Microsoft Remote Desktop
• Zoom

Device Information Collected

Jamf Pro can only collect the data needed to support the Apple device. This information includes: 

• Hardware Specifications
• Installed Applications & Usage
• Services Running
• Available Software Updates
• Local User Accounts and Login/Logout Timestamps
• Security Status (Firewall, SSH, etc)

No personal information is collected, such as the content or names of personal files (documents, email, etc) or any browsing history. 

Jamf Pro does NOT allow administrators to see location or users' private data stored on their Apple devices such as messages in university or personal email accounts, pictures, videos, phone calls, and text messages.  MDM Administrators will only enable internet activity monitoring and location upon request from the user of a missing iOS mobile device.

Check if your Mac is already Jamf enrolled

1. Navigate to System Preferences
2. Select Profiles
3. Check for MDM Profiles
   
   

macOS Setup: SCAD/DCS

SCAD/DCS support staff should use the setup instructions in  KB0010210 Mobile Device Management Environment - Enterprise and Site Admin Console Documentation

macOS Setup: End Users

Setup: Before You Start

Duo Two-Factor Authentication

The Setup Assistant on University-owned Mac computers, iPhones and iPads is protected by Duo Two-Factor Authentication. For general information about Duo, see Duo: Two-factor authentication - Get started

Before setting up your Apple device, please have your default Duo device available and powered on, with sound on, so you can hear and respond to a Duo prompt. Setup Assistant will not alert you that a Duo prompt was sent to your default Duo device.

You must respond to the Duo prompt in order to proceed with setup process.

Tip: Duo prompts can be redirected to another device through the use of Duo Append Mode. For example, if you previously added your office phone to your list of Duo devices, you can send a Duo prompt to it by appending its device identifier to the end of your password (e.g.: MyPa$sw0rd,phone2). For more information about Duo Append Mode, see Duo: Two-Factor Authentication - Frequently Asked Questions

 

Are you On-Campus or Off-Campus?

• On-Campus
  If you are on-campus, use the Eduroam network. Authenticate to Eduroam using your Princeton netid in the form of netid@princeton.edu. Do not use an email alias. For more information about connecting to Eduroam at Princeton, see Article 8020 - Eduroam: Connecting to the eduroam wireless network 

• Off-Campus
  Be sure you know your Wi-Fi network name and password before starting the setup process.
  
  

Setup: Get Started

Some Setup Assistant screens are hidden by the Princeton Jamf Pro Enrollment Configuration. macOS features such as Siri, Passcode and Apple Pay may be configured after setup is complete. 

1. Start the computer
   
   • If the computer does not display a Setup Assistant screen (i.e. it displays a login screen or Finder desktop), this is an "in use" Mac computer and must be completely erased before attempting to set it up. You will need to back up any data you want to keep before erasing the computer.
2. Follow instructions in the macOS Setup Assistant screens
3. On the Select your Wi-Fi network screen, select a network
   
   • You must connect to a network. The setup process will fail without a network connection and require the computer to be erased before attempting to set it up again.
   • If you are off-campus, select an available network and enter the password required to connect to that network
   • If you are on-campus, select Eduroam and authenticate using your Princeton netid in the form of netid@princeton.edu. Do not use an email alias. For more information about connecting to Eduroam at Princeton, see Eduroam: Connecting to the eduroam wireless network
4. Click Continue on the Remote Management screen
   
   • If the Remote Management screen does not appear, restart the computer and reconnect to the network
   • If the Remote Management screen still does not appear, contact your SCAD/DCS support person or the OIT Suppport and Operations Center (SOC).
5. When prompted, enter your Princeton netID and password and click OK
   
   • Omit the @princeton.edu
   • Do not use an email alias
6. Respond to the Duo prompt on your default Duo device. Setup Assistant will not alert you that a Duo prompt was sent to your default Duo device.

   You must respond to the Duo prompt in order to proceed with setup process.

7. Continue through the remaining Setup Assistant screens
8. On the Create a Computer Account screen, enter your netID or your name in the Full Name field. Keep the default account field and change the default password (which is the Princeton credentials used to set up the computer) to a secure password (see kb.princeton.edu/9928) and click Continue.
   
   • The initial account created in this step is an Administrator account. For more information on creating additional macOS user accounts after setup is complete, see the following Apple article: Set up users, guests, and groups on Mac
   • If account creation fails, try again using a password containing at least 10 characters or using a different user name and account name.
9. Select Customize Settings and select your preferences in each of the remaining macOS Setup Assistant screens
10. When the Desktop appears, reconnect to your Wi-Fi network and wait for the following apps to be installed:
    
    • CrowdStrike
    • Firefox
    • Rapid7
    • Microsoft 365 Office Suite
    • Cisco Jabber
    • Zoom
11. Enable FileVault by restarting the computer and entering your macOS password at the prompt that appears during the restart process.
    
    • Enter the password for the currently logged-in macOS account
    • If prompted to save the FileVault encryption key, click Continue
    • Jamf will store the recovery key automatically. This key is available from your department SCAD/DCS member or the Support and Operations Center (8-HELP)

Setup: Finishing Up

After you have enabled FileVault and rebooted the computer, log in as the primary user of the computer to complete the setup process.

• Activate Microsoft Office
  
  • Start Microsoft Word and sign into the app with your Princeton credentials. If you are using a sponsored account see Getting started with Microsoft 365.

• Install Code42 Crashplan
  
  • Confirm the computer name
    
    • The computer name is shown in System Preferences > Sharing
    • If the computer name is not correct, use the 'Change computer name' item (in the MDM-Utilities category) in Princeton IT Self-service to change the name.
  • Launch the Princeton IT Self-service app from the Applications folder
  • Find CrashPlan and click the Install button below the app icon
  • See Sign into CrashPlan in Article KB0011418 to complete the setup of Code42 CrashPlan

• Install additional recommended apps from self service:
  
  • Microsoft Remote Desktop (RDC)
  • GlobalProtect VPN

Princeton IT Self-service

Users who do not have administrative rights on their computer can use the Princeton IT Self-service app to install apps, or in some cases, modify computer settings. 

How to use the Princeton IT Self-service app:

1. Launch the Princeton IT Self-service app from the Applications folder
2. Select an app or item and click the action button below the app icon

iPhone/iPad Setup: SCAD/DCS & End Users

Step-by-step instructions for setting up an Apple device running iOS or iPad OS are published in Article KB0013128.

Restore an iTunes or iCloud backup

How to restore an iTunes or iCloud backup to an iPhone/iPad running an older version of iOS

Princeton NetID and password required during setup of an iOS device purchased with university funds.

Resolve an "Invalid Profile" Error

A few iOS devices experience issues with MDM enrollment and iCloud restores. Apple is investigating the problem i.e. The configuration for your iPhone could not be downloaded from Princeton University. Invalid Profile"

1. Restore the device to factory default using the following Apple instructions: https://support.apple.com/en-us/HT201252
   
2. Start setup as a new iPhone
3. Import iCloud settings via an iCloud restore.

Configurations applied to all devices managed by this service

The "Campus Base Configuration Profile" prompts the user to enter a passcode consisting of at least four (4) characters. The configuration also includes the Princeton SRA/VPN server setting for the SonicWall Connect Mobile app. Any additional distribution of configuration profiles are the responsibility of individual departments. If you have any questions about what additional profiles are enforced on your University-owned device, please contact your IT support group.

Lost/Stolen Device

Contact your SCAD/DCS member or the Support and Operations Center (SOC) at (609)258-HELP if you've misplaced your Mac, iPhone or iPad. If your iOS device is enrolled in the MDM program and is supervised, they will confirm your identity and then remotely lock your mobile device or, at your request, wipe the iOS device. If someone else gets possession of your device, the lock screen prevents access to log into the device. After the device is locked, you have time to think about your next steps or search for your device while leaving its contents intact.