JAMF - HSIT Operating Procedures

JAMF Introduction

If you have never seen JAMF before, please review JAMF 100 Course.  Takes about an hour but will save you many more instead of struggling.

Initial Setup or Resets

There is no traditional imaging with out-of-box Apple devices.  HSIT uses configuration profiles and policies to setup the devices to the desired state. This should be a touch less or near touch less experience for the technician and end user.

You can factory reset a computer with a policy in Self Service. This is done by adding a computer into the Static Device Group within JAMF of the OS you want to use.

iOS/Pad/TV devices can be reset to out of box experience from within JAMF management app itself.  

It is the preference of Health Sciences IT that new or reformatted machines ARE NOT MANUALLY ENROLLED though the enrollment portal. Manual enrollment is mitigation, not a comprehensive configuration. This process is to only onboard machines that have been previous used in the field (aka found misconfigured) and are not candidates for a full reset. Please utilize the automations to ensure a consistent device experience.

Internet Locations

Cloud Management Console

https://pittedm.jamfcloud.com

Manual Enrollment

https://pittedm.jamfcloud.com/enroll

Pitt IT service documentation

Link to Chris OneDrive. Link will definitely never break one day.

New Apple Devices / Computers Check List

 

  1. Receive new Apple computer or device.  

  2. BEFORE OPENING THE PLASTIC, verify that the serial number matches the PO that matches the order.  Serial Number is on the box near a barcode.

  3. Verify product purchased ONLY from SHI.  By contract we are only allowed to purchase Apple equipment via SHI.  CDW / Apple direct / etc MUST be returned unopened.  

  4. Submit email to helpdesk@pitt.edu asking for the serial number to be added to Health Sciences IT within Apple School Manager.

  5. Once you receive confirmation from the NOC that the device is added, paste reply into the setup ticket in TDX.

  6. Computers assigned to a specific individual such as a MacBook Pro, add device into the pre-stage enrollment HSIT - macOS Non-AD Bind.

  7. Computers assigned to a computer lab with a fixed ethernet connection ONLY may be added into HSIT - macOS Local AD Bind. The university does not wish to use AD for non shared computers.  There are also conflicts with FileVault and unlocking the disk. Any device bound to AD will NOT be encrypted. Only Low Risk data is appropriate to be process on a device bound to AD.

  8. 1:1 devices will need to be added into HSIT - Shared - End User 1:1 iPads for iPad/iOS.  Devices are pre-staged by function.  Specialty applications may have their own custom pre-stage such as Dental Medicine's Thalamus Patient Education app. After a device is added into pre-stage, it may take up to 29 minutes for a synchronization for it to be ready for the next step.

  9. Once the device is in pre-stage and the sync is complete (no "!" next to the device name) you can schedule the install with the end user.

  10. Unbox the device with the end user and connect to either a wired or non-WPA Enterprise only network.  Pittnet-Guest is fine - just be aware there is a captive portal to accept if going wireless.  Pre-configured USB ethernet dongles are fine for laptops with no wireless around.  Let auto-enroll and auto-configuration do the thing.  If you are not getting an MDM setup after a minute of connecting to the internet automatically, check if wireless is passing data / correct, then ask the infrastructure team.

  11. Software will install, machine will name itself.  The administrator account automatically created to the Apple password format.  Device will encrypt and open firmware password set.  DO NOT DO THIS STAGE WITHOUT THE END USER.

  12. Once the end user has the device, afterwards VERIFY that Building and Department are correct in the JAMF console.  This is needed for smart groups to add the printer and any network drives.  Devices missing information will result in an internal ticket from the infrastructure team to the pod to remediate.

Manually enrolling Macs that cannot be added into JAMF via ASM

  1. Go to the JAMF enrollment page and log in as a pitt account.  Assign end user and the correct site in the dropdown.

  2. Accept the CA certificate and install.  Install MDM cert.  If you are remotely configuring through a bomgar session, you cannot install the management cert remotely.  End user will need to physical click.

  3. Add into static groups for licensed software in JAMF as needed. Be sure to check the licensing SharePoint for proper record keeping. Devices which do not have a valid entry will be removed as this is audited regularly.

  4. Profiles will download and Self Service will appear under 5 minutes.

  5. Once the end user has the device, afterwards VERIFY that Building and Department are correct.  This is needed for smart groups.  Devices missing information will result in an internal ticket from the infrastructure team to the pod to remediate.

Enrolling Existing iPad/iPhone/Apple TV.

  1. Don't lose data - make a backup first if it's not a generic device.  iPad / iPhone can go into iCloud (if a 1:1 assigned device) or local Music backup.  

  2. Full reset will have you go through the setup process.  The process is based off the pre-stage enrollment group the device is in.

  3. Once the end user has the device, afterwards VERIFY that Building and Department are correct.  This is needed for smart groups.

Reformatting Existing macOS computer

  1. Get the Serial Number of the macOS computer.

  2. Go into JAMF cloud:
    Computers -> Static Device Collection -> select HSIT - Set Self Service - macOS xx.x - Erase Install -> Assignments -> Edit.  Check the box to the left of the computer name.  Click Save.  Cmd-R in Self Service a few seconds later on the computer and you can run the reformat Policy.

  3. Once the OS is fully reset and you are back at the Hello screen, you can go through the setup process with the end user.

  4. Remove the manual add into the static collection once it is done.  End users might accidentally wipe their own machines otherwise.  

Updating Existing macOS computer to a new major OS version

The university is actively blocking manual installs of major OS versions for managed devices. Self Service must be used.

  1. Open the Self Service application.

  2. Find the macOS Upgrade application and click Upgrade. Example: macOS 15.3 Sequoia Upgrade.

  3. If a laptop, the computer must be plugged into power.

Suggestions

  1. Apple sometimes no longer ships with MAC addresses printed on boxes. This is troublesome for iMac, Mac Mini, Mac Pro, and Mac Studio OOBE setup. We recommend using an ethernet adapter until the device is setup and the hostmaster request for the actual device is completed. You are able to collect the adapter after the IP reservation is completed. If this is not possible, you may use wireless-pittnet or pitt-guest-wifi but please not performance might not be the best.

  2. If software is out of date, you may put a ticket in with HSIT Infrastructure. Include the requested version and a link to the vendor website would be helpful. If a login or password is needed, provide the best contact information.

  3. If the SharePoint license tracker is wrong, you may put a ticket in with the origination pod to find the PO.

  4. If you are stuck at any point, contact the HSIT infrastructure team.

Print Article