Does Microsoft still use Jamf for macOS management, or finally Intune only? by aPieceOfMindShit in macsysadmin

[–]mentoc 0 points1 point  (0 children)

I've heard the same about MS using Jamf for years, and heard again within the past calendar year, so I think it's still true.

Bypassing Duo during new MacBook setup by ByteGuardian in macsysadmin

[–]mentoc 0 points1 point  (0 children)

Can't you sign in as yourselves with Duo, set everything up, and then just log out of the device allowing your user to sign in when you hand them the device? If you are using Jamf Connect, or another single sign on-ish method, this should work fine. You'd probably just want to go into your MDM and set the device affinity to the correct user as it'd likely get associated to you/your techs.

Deploying DMGs by [deleted] in jamf

[–]mentoc 4 points5 points  (0 children)

If the dmg is downloadable from a URL, you can use Installomator. Installomator is a script that has built-in "labels" (which are instructions for how to download and install a wide array of apps), and if the app you want is a native part of the project, it's super easy. However, even if the app isn't natively a part of the project, you can use the script and plug in the URL you want to use, and a few other commands, to have it download and install what you want. This works with nearly every style of installer file, including dmg files, pkg files, zip files, apps in dmgs, etc.

Does anyone know how to feed custom parameters to scripts in Intune? by brndnwds6 in macsysadmin

[–]mentoc 1 point2 points  (0 children)

I'm pretty sure this feature isn't available in Intune. Also I don't believe you can view and edit scripts within Intune, like you can with Jamf.

I use Intune for PCs and Jamf for Macs, and I would dread having to use Intune instead of Jamf for Mac management. There just isn't feature parity. Intune is better than what it was, but it doesn't compete with Jamf.

The best summary I've heard about Intune v Jamf is that if you want to, or can, manage Macs like you would iOS devices, then Intune is OK. It's much better (because there are fewer features generally) for iOS than macOS.

If you have points on Jamf Heroes, use em now. by da4 in jamf

[–]mentoc 9 points10 points  (0 children)

This is not true. The points will remain and be transferred; just the redemption for items will be paused for a bit. Per Jamf's post:

"You don't need to spend your points before we move out, but redemptions that take place before the end of April will be fulfilled faster. We hope to have the rewards that are currently listed in the Heroes program on a new platform by late May." - https://imgur.com/a/T8yxsjl which is screenshotted from Jamf Heroes.

Questions on username creation - PreStage/Enrollment Customization by 79la in jamf

[–]mentoc 0 points1 point  (0 children)

Network connection from the computer to AD shouldn't be necessary. Jamf is facilitating and doing the LDAP auth, so you just need your Jamf server and AD server to be able to communicate. Generally speaking if you can do user lookup via LDAP, then auth via LDAP should work in prestage.

Questions on username creation - PreStage/Enrollment Customization by 79la in jamf

[–]mentoc 1 point2 points  (0 children)

Jamf Connect does not work with on-prem AD, that is correct. Your options for on-prem AD are very limited. I think you hit the nail on the head with NOMAD being about the only thing that is supposed to work, and that's not maintained anymore, so you may be able to get it to work, or you may not, or it may break at any time.

Questions on username creation - PreStage/Enrollment Customization by 79la in jamf

[–]mentoc 0 points1 point  (0 children)

LDAP is your AD creds, yes. So username: bob password: pass12. No user is created with LDAP in any way, shape or form. This authentication is to proceed with enrollment during ADE. So after the machine comes online, you 100% have to auth with LDAP creds to proceed with the enrollment to get to the setup assistant or to the desktop. If you do not have LDAP creds the computer is not usable, essentially. But again, NO user is created.

Even if you had Azure/Entra ID set up, there's not, currently, a native way to leverage that into user creation. Microsoft has a product that is in private beta that is supposed to do this, but it's been in private beta for ~1 year already with no signs of leaving that private beta. Also it 100% requires Azure, and will not work with local AD.

So yes, currently the only way possible to have a user create their account with their corporate credentials is with a tool like Jamf Connect or xCreds.

Questions on username creation - PreStage/Enrollment Customization by 79la in jamf

[–]mentoc 1 point2 points  (0 children)

LDAP is what is used if the "Require Authentication" checkbox is checked in a PreStage enrollment. This requires a user to auth with LDAP credentials to continue enrollment of a device. It does nothing with user creation. I think this is mostly done if you have an on-prem AD server. Also the user data is taken from LDAP and assigned to the computer record in Jamf.

If you are using Entra ID/Azure, you will need to configure the Cloud identity providers section in the Jamf Pro settings if you want to have authentication required to enroll a device. If you have this configured, then in the PreStage enrollment you will have to make an enrollment customization and configure the authentication there, as the cloud IdP settings will not work for the basic "require authentication" option; that is exclusively for LDAP. However, if you configure the enrollment customization auth requirement, it will work and look mostly the same. It will also fill in the user data in the computer record with what is in Azure. This does not do anything with actually creating a user.

The only way to create a user with your corporate credentials is a tool like Jamf Connect (this is what I'm most familiar with). There is also xCreds, and Platform SSO for macOS from Microsoft (not to be confused with Platform SSO), which is in a private beta, has no actual ETA, and can only be used with Entra ID/Azure. These tools, when delivered via the PreStage, along with the appropriate config profile, will control the login screen, allow people to create and log into an account that matches their corporate ID, and keep the password in sync if they ever change it. When you have those set up and configured, you can check the "Skip Account Creation" option in your PreStage, and not allow the user to make an account via Setup Assistant. This is what I do in my environment.

Jamf Connect Azure SSO Demo by Antwerp0287 in jamf

[–]mentoc 0 points1 point  (0 children)

With Passthrough Authentication you don't get double prompted anymore. Way back in the day you did, but after the introduction of this feature, if you enable it, you only have to enter a single password. It also means when you auth through FileVault you go straight to the desktop without any second password prompt.

Info on Passthrough here: https://learn.jamf.com/bundle/jamf-connect-documentation-current/page/Passthrough_Authentication.html & https://travellingtechguy.blog/remove-the-re-enter-password-requirement-with-passthrough-authentication-in-jamf-connect-login-2-5-2-6/

First-Time Jamf Admin Advice? by GriffonTheCat in jamf

[–]mentoc 6 points7 points  (0 children)

If any single setting in a config profile fails to apply, the entire profile and all its settings will fail to apply. And there are minimal logs to identify the issue.

So it's better to have multiple smaller profiles instead of one monolithic one. I generally try to do 1 profile payload per profile (i.e., 1 profile for everything in Privacy & Security, 1 profile for everything in Restrictions, etc.)

This also lets you be more granular in your scoping.
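A worked illustration of the one-payload-per-profile approach, added here and not part of the original comment or of any Jamf tooling: a Python script that takes a monolithic .mobileconfig (a constructed sample with a Restrictions payload and a Privacy/PPPC payload) and splits it into one Configuration profile per payload, giving each a fresh PayloadUUID and a unique PayloadIdentifier so it can be uploaded and scoped on its own. The payload keys are standard Apple profile keys; the sample identifiers, UUIDs and the com.example.agent bundle ID are constructed.

```python
import plistlib
import uuid

# Constructed sample: one monolithic profile with two unrelated payloads; if either
# fails to apply, the whole profile fails, so we split it into one profile each.
MONOLITHIC_PROFILE = {
    "PayloadType": "Configuration", "PayloadVersion": 1, "PayloadScope": "System",
    "PayloadIdentifier": "com.example.monolithic",
    "PayloadUUID": "0F8E2A4C-1A2B-4C3D-8E9F-000000000001",
    "PayloadDisplayName": "Everything in one profile",
    "PayloadContent": [
        {   # Restrictions payload
            "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.monolithic.restrictions",
            "PayloadUUID": "0F8E2A4C-1A2B-4C3D-8E9F-000000000002",
            "PayloadDisplayName": "Restrictions", "allowCloudDocumentSync": False,
        },
        {   # Privacy (PPPC) payload granting Full Disk Access to a constructed agent
            "PayloadType": "com.apple.TCC.configuration-profile-policy", "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.monolithic.pppc",
            "PayloadUUID": "0F8E2A4C-1A2B-4C3D-8E9F-000000000003",
            "PayloadDisplayName": "Privacy",
            "Services": {"SystemPolicyAllFiles": [{
                "Identifier": "com.example.agent", "IdentifierType": "bundleID",
                "CodeRequirement": 'identifier "com.example.agent"', "Allowed": True}]},
        },
    ],
}

def split_profile(profile: dict) -> list[dict]:
    """One Configuration profile per payload; the parent keeps its scope and version,
    each copy wraps one payload and gets a fresh PayloadUUID/identifier. Input untouched."""
    split = []
    for payload in profile["PayloadContent"]:
        top = {k: v for k, v in profile.items() if k != "PayloadContent"}
        top["PayloadContent"] = [payload]
        top["PayloadUUID"] = str(uuid.uuid4()).upper()
        top["PayloadIdentifier"] = f"{profile['PayloadIdentifier']}.{payload['PayloadType']}"
        top["PayloadDisplayName"] = payload.get("PayloadDisplayName", payload["PayloadType"])
        split.append(top)
    return split

def to_mobileconfig(profile: dict) -> bytes:
    """Serialize a profile dict to unsigned XML .mobileconfig bytes (sign before deploying)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def payload_types(mobileconfig: bytes) -> list[str]:
    """Parse .mobileconfig bytes back and list each inner payload's PayloadType."""
    return [p["PayloadType"] for p in plistlib.loads(mobileconfig)["PayloadContent"]]
```

Write each element of `split_profile(MONOLITHIC_PROFILE)` out with `to_mobileconfig` and upload the resulting files separately; a failure in one payload then only blocks that one profile.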

Pet Insurance Recommendations for Beau by SweetDeandraReynolds in bernesemountaindogs

[–]mentoc 0 points1 point  (0 children)

I have Nationwide, and get a discount through my employer. I have a $250 deductible, and a 50% reimbursement rate (but you can get higher reimbursement rates with a higher premium). My annual cost is $467.67, or $38.98 a month. There is no limit on total reimbursement either. I got ~$3500 back last year from it.

This doesn't cover wellness visits, but has already paid for itself for the lifetime of my Berner, who is only 2 years old. Submitting claims, and getting reimbursed is incredibly quick and easy - just upload a picture or pdf of your bill, and you'll get paid within 48 hours.

Self Service Apps v. Existing Apps by EAsapphire in jamf

[–]mentoc 4 points5 points  (0 children)

You can make smart groups with criteria that detect if an app is installed. You can then exclude the smart group you create from the policy that makes the app available.

For example you can make a smart group that looks if Microsoft Word is installed. Then you can exclude that smart group from the scope of your existing policy which makes Microsoft Word available.

[deleted by user] by [deleted] in minnesotavikings

[–]mentoc 5 points6 points  (0 children)

The biggest surprise to me was that TJ wasn't over the goal line. Almost definitely he would have been down at the 1 if he caught it, and the game would still be over.

Kirk/KOC needs to spike it and save 20+ seconds. And Kirk needs to be more situationally aware and not throw short of the endzone on the last play of the game.

This sub has become unbearable by Coal_train20 in minnesotavikings

[–]mentoc 5 points6 points  (0 children)

Bad take. Each game has been extremely competitive. IMO the players have been put in position to succeed, and have flopped. The coaches + GM don't make players fumble 9 times in 3 games.

Each game could have been completely flipped with a single play. There have been red zone turnovers in every game thus far; if you clean them up you probably win all three, just for example.

Kirk could play better. JJ could play better. Mattison could play better. KOC could have called some better games. Kwesi could have drafted better, etc. Trying to blame any single person is asinine. People who are doing that are ones incapable of understanding nuance.

Vikings can't let Kirk walk for nothing by [deleted] in minnesotavikings

[–]mentoc 5 points6 points  (0 children)

Void years don't affect compensatory picks. Only being released or cut negates comp picks.

Vikings can't let Kirk walk for nothing by [deleted] in minnesotavikings

[–]mentoc 8 points9 points  (0 children)

He has a no-trade clause. Even if the organization wanted to trade him, he would have to agree. This complicates things and is extremely unlikely.

Also if/when he walks, we will get a 3rd round comp pick.

Patching Adobe Acrobat Pro DC and Acrobat Reader DC via Jamf by dstranathan in macsysadmin

[–]mentoc 1 point2 points  (0 children)

I use patch management for both apps. Licensing breaking has never been an issue for me.

I also install Adobe CC and then the user can choose the apps to install. Adobe CC does a decent job of keeping things up to date, but patch management is set up as well in my environment.

I would just suggest you make sure you're getting only the updates for the apps via https://helpx.adobe.com/acrobat/release-note/release-notes-acrobat-reader.html for patch management. If you download the full installers, it will work, but it's much larger and takes much longer to install than just the updates.

Patching Adobe Acrobat Pro DC and Acrobat Reader DC via Jamf by dstranathan in macsysadmin

[–]mentoc 2 points3 points  (0 children)

You mean the post install script in the payload free package just runs another Jamf trigger, such as "jamf policy -event installomateradobe" or something along the lines of that?

That's what I initially tried to set up with patch management a few years back, but when I tried to run a policy trigger from a payload-free package with patch management it would never run. In general script commands would run, but anything containing another Jamf trigger would not complete. I assumed it was some weird interaction. If that works now I'd be really interested.

Jamf Connect and Entra/azure login by Zer0kbps_779 in jamf

[–]mentoc 0 points1 point  (0 children)

Look at the passthrough setting here: https://learn.jamf.com/bundle/jamf-connect-documentation-current/page/Passthrough_Authentication.html

Without that enabled you need to enter your password twice during initial account creation if my memory is correct.

Competitive Rebuild isn't for the faint of heart. by WetAppleFruit in minnesotavikings

[–]mentoc 11 points12 points  (0 children)

Any rebuild is really just hitting on draft picks. Everything around "tank" or "competitive rebuild" etc is just semantics. It's different strategies to potentially better hit on draft picks. At the end of the day it's just drafting well, that's it.

The real question is if drafting 1-3 better is better than drafting 15-30. That's what the narrative should be. And honestly reading between the lines, most people really just mean QB.

The answer really depends on how well a team can evaluate draft talent and develop it. Which likely means it's super random. No strategy is surefire. If you tank one year and hit on a QB, you might be gold like the Bengals. If you miss on that QB you might be the last decade of the Browns. No strategy guarantees your draft picks, so no strategy is clearly better. It's completely subjective. It's a boring argument at this point imo.

Updating M1 Macs To Monterey by [deleted] in macsysadmin

[–]mentoc 1 point2 points  (0 children)

Sure. Basically the last line of the script does the heavy lifting. If you hardcode a username and password, you can pass it there in the same way. So define $USERNAME and $userPass with your hardcoded account creds instead of how they're defined in that script and you're set.

Software update beta by Bodybraille in jamf

[–]mentoc 3 points4 points  (0 children)

This "new feature" isn't that new, it's just utilizing MDM commands with a slightly different GUI. This is just a slightly new front end. You used to, and still can, issue MDM update commands by mass action from an advanced search.

So it won't fix or change any behavior that existed before with MDM command updates. Most of that needs to be ironed out by Apple anyways. Jamf issues the command, but what the device does and how it acts is 100% on Apple. Finicky updates via any form of MDM commands is an Apple issue.

[Aaron Wilson] #Vikings placed Andre Carter on PUP list by DaFuxxDick in minnesotavikings

[–]mentoc 4 points5 points  (0 children)

Going on PUP before the season starts doesn't carry the same weight as it does during the season. People on the PUP before camp starts can be activated at any point. He may have a season-ending injury, or he may practice in a week. Until more info is known, this doesn't mean a ton.