Following are quick outlines of how to set up Jamf Pro Policies and Profiles for specific tasks. These should be used as a guideline only! As always, TEST policies on a small group of devices before deploying them to an entire Group or Site.
Endpoint Protection Standard
Encrypted Network Communication
File Integrity Monitoring
Full Disk Encryption (with key escrow)
Least Privilege Access
Sensitive Information Identification and Remediation
Web Reputation Filtering
Other Interesting Software and Tips
Use a Jamf Policy to install DetectX as a supplement to Apple’s XProtect.
Two policies are needed to ensure proper install and scanning.
Full documentation is on the DetectX Setup for Jamf Pro page.
Create a Jamf Pro policy to install the latest version of Spirion Identity Finder available from the Jamf Pro packages distribution. This should be triggered as desired but only run once per computer as in Figure 1.
Use an Apple Configuration Profile in Jamf Pro to ensure that the Login Window option has these settings:
1) Window tab is set to show Name and Password Fields for the Login Prompt as in Figure 2.
2) Options tab is set to Disable Automatic Login as in Figure 3.
Additionally, use a Jamf Configuration Profile to enable the built-in Apple Kerberos Single Sign On Extension (SSOE) provided with every macOS device running 10.15 or newer. This built-in security feature of macOS will keep the local account password in sync with the campus WOLFTECH directory. See:
This control is met by patching macOS and not disabling the built-in System Integrity Monitoring, XProtect, MRT, and Gateway process.
Use a custom Apple Configuration Profile that enables the Firewall and enables Stealth Mode. In Jamf Pro upload into the Configuration Profiles tab the custom profile that manages just the firewall preferences in the com.apple.security.firewall preference domain from
While Jamf Pro does have a Security & Privacy Option payload, setting just the Firewall in this option locks out the management of other important settings from user control. By uploading the custom profile, only the needed settings are locked.
Meeting this control is simply a setup methodology where accounts are not created with full administrative access to the device. In macOS Apple allows creation of Administrator, Standard, and Sharing Only accounts. Creating new users with the account type Standard will meet the control. Commonly you will hear complaints from end users that this does not allow them to install software. The intent of this control is to protect the data stored on the device, NOT to keep software from being installed! In today’s world software can be run from external storage like key drives or even by downloading directly to the home directory and running from there, where no extra permissions are required. Best practice for software installation is to direct clients to use Jamf Self Service.app, as no elevation of permissions is needed. If software installation permissions are needed, these can be granted using the authorization database without giving full administrative access.
To allow installation of software only, create a Jamf policy which configures the Files and Processes Option to have an Execute Command of:
security authorizationdb read system.install.software > /tmp/authrul;plutil -replace group -string staff /tmp/authrul;security authorizationdb write system.install.software < /tmp/authrul
This uses the security command line tool to read the system.install.software rule in the authorization database, replaces the value of the group setting with the group staff, and writes it back again. All users are in the staff group and this will not interrupt the built-in Apple install mechanisms nor those used by configuration management.
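The same read, edit and write cycle as the Execute Command above, written as a script that a Jamf policy could run instead (an added example, not from the original page). It keeps the rule in a private mktemp file rather than a fixed name under /tmp, stops if any step fails, and reads the rule back to confirm the group; the function names and the SECURITY_BIN / PLUTIL_BIN override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: read / edit / write of an authorization right with a private
# temp file. Tool paths default to the macOS locations; the *_BIN variables
# and function names are assumptions of this example, not Jamf settings.
SECURITY_BIN="${SECURITY_BIN:-/usr/bin/security}"
PLUTIL_BIN="${PLUTIL_BIN:-/usr/bin/plutil}"

# Print the value that follows <key>group</key> in a rule plist on stdin.
rule_group() {
    awk '/<key>group<\/key>/ {
             getline
             sub(/^[ \t]*<string>/, "")
             sub(/<\/string>[ \t]*$/, "")
             print
             exit
         }'
}

# set_rule_group RIGHT GROUP
# Returns 0 on success, 1-5 to show which step failed.
set_rule_group() {
    srg_right="$1"
    srg_group="$2"

    # mktemp makes a mode 0600 file with an unpredictable name, so a local
    # user cannot pre-create or swap the file a root policy is about to use.
    srg_tmp="$(mktemp "${TMPDIR:-/tmp}/authrule.XXXXXX")" || return 1

    # Step 1: dump the current rule (the plist goes to stdout).
    if ! "$SECURITY_BIN" authorizationdb read "$srg_right" > "$srg_tmp" 2>/dev/null; then
        rm -f "$srg_tmp"; return 2
    fi
    # Step 2: change only the group key.
    if ! "$PLUTIL_BIN" -replace group -string "$srg_group" "$srg_tmp"; then
        rm -f "$srg_tmp"; return 3
    fi
    # Step 3: write the edited rule back.
    if ! "$SECURITY_BIN" authorizationdb write "$srg_right" < "$srg_tmp" 2>/dev/null; then
        rm -f "$srg_tmp"; return 4
    fi
    rm -f "$srg_tmp"

    # Step 4: read the rule again and confirm the group is what was asked for.
    srg_now="$("$SECURITY_BIN" authorizationdb read "$srg_right" 2>/dev/null | rule_group)"
    [ "$srg_now" = "$srg_group" ] || return 5
    return 0
}

# In a Jamf policy script (run as root) the call would be:
#   set_rule_group system.install.software staff || exit 1
```

A non-zero return code tells the policy log which step failed, so a device where the rule was left unchanged shows up as a failed policy run.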
For situations where full administrative access is actually the least privilege required, time limited privilege elevation can be granted using the Privileges.app from https://github.com/SAP/macOS-enterprise-privileges. The installer for Privileges.app is available in the campus configuration management system. Read the documentation for setup as there are several options.
When an Apple device is enrolled into the campus configuration management system (Jamf Pro) a software inventory is automatically collected and updated on a daily basis. Some policies also update the device inventory after running. To force the inventory to update use the jamf command line tool in Terminal.app to run: /usr/local/bin/jamf recon
This control is met by installing and patching modern web browsers such as Safari or Google Chrome since these browser vendors have built in safeguards against known bad browsing sites.
Deny Application Execution
Use the Jamf Pro Restricted Software feature to set restrictions on applications that are not allowed to run by the process name. Using the process name means that moving or renaming the app will not circumvent the control. In Jamf under the Computers tab, click on Restricted Software in the side bar and add a new restriction. Here we will restrict the Chess.app game from running.
First we need to find the process name by viewing the contents of the application bundle. Right clicking on the Chess.app icon in the Applications folder and selecting “Show Package Contents” using the Finder will show the application’s bundle contents. Look in the Contents folder inside the MacOS folder as shown:
Once we have the correct process name “Chess” we can complete the restriction as shown:
Fill out the Display name with something descriptive, put the exact, case sensitive process name in the Process Name field and check at least the Kill process box. One may choose to have the application Deleted, and/or send email on violation. A restriction must be made for each application process to be denied. Be aware that some applications may have frameworks and libraries that are not removed by the Jamf Delete Application option and an uninstaller from the vendor or a custom script may be needed for complete uninstall.
Allow Application Execution
Use a macOS Configuration profile with the Parental Controls: Application Access (id: com.apple.applicationaccess.new) payload to create an allow list for applications that can run. Download the NCSU-Allow Applications-Template.mobileconfig file that can be modified with Profile Creator.app to add the desired apps. When desired applications are added just use the Upload button in the Configuration Profiles side bar of the Computers tab in Jamf Pro to import and scope.
Be aware that there are other methods that could be used to allow or deny application execution.
Apple requires all applications to get permission to use certain resources on a device. These resources are called entitlements and they can be denied using various profiles mostly associated with the Security & Privacy System Preferences panel. While none will deny applications running, they can deny access to entitlements like Full Disk Access, Files and Folders, etc in a way as to make the app unable to access data rendering it useless.
Here are some additional resources:
Apple Profile Documentation
3rd Party workflow for Blocking Apps
Using GateKeeper to create allow/deny lists
NOTE: This is pre-deployment documentation as of 07242020 and is subject to change where indicated.
Part of meeting the Encrypted Network Communication control of the Endpoint Protection Standard is to make it as easy as possible to use the eduroam encrypted network available on campus and at supporting institutions around the world. To do this create a Jamf configuration profile that uses device certificates to automatically join our eduroam wireless network.
- Use the side bar under the Computers tab to select Configuration Profiles and create a new profile using the +New button.
- In the General option give the profile a descriptive name, description, and leave Distribution Method set to “Install Automatically”.
- Select the Certificate option and configure to add 3 certificates.
- Name the first Certificate “NCSU-Device-Eduroam” or something appropriate
  - Use the Select Certificate Option drop down to pick “North Carolina State University Root CA256-RSA”
  - Set the Certificate Subject to “CN=$SERIALNUMBER@WOLFTECH.AD.NCSU.EDU” NOTE: this must be exact and case matters
  - Set the Subject Alternative Name Type to “DNS Name” from the drop down.
  - Set the Subject Alternative Name Value to “$SERIALNUMBER@WOLFTECH.AD.NCSU.EDU” NOTE: again must be exact and case matters
  - Set the Template Name to “NCSU-eduroam-JAMF” NOTE: yes again must be exact and case matters!
  - Finally check the box for “Allow all apps access” but leave “Allow export from keychain” unchecked
- Use the + button to add a second certificate by uploading a copy of the InCommon RSA Server CA.cer from https://drive.google.com/file/d/1EcwQbNT_c4SiF_d2qUuWTa-dpbnmhBSq/view?usp=sharing Note: login required to download.
  - Name the certificate InCommon RSA Server CA or something appropriate. Leave the passwords blank and leave all check boxes as configured.
- Use the + button to add a 3rd and final certificate “North Carolina State University Root CA256-RSA” by uploading https://drive.google.com/file/d/1eljlWE3nngEqMQw4e2sbZkVD0BS7cM2D/view?usp=sharing Note: login required to download
  - Name the certificate North Carolina State University Root CA256-RSA or something appropriate. Leave the passwords blank and leave all check boxes as configured.
- Now the Certificate option is finished and a Network option in this same profile must be configured
- Select the Network option from the side bar and configure the Network Interface to WiFi checking the Hidden Network and Auto Join options
- Set the Service Set Identifier (SSID) to “eduroam”
- The Proxy should remain as None
- Set the Security Type to “WPA2 Enterprise” from the drop down menu.
- Under the Protocols tab select TLS check box
- Set the User Name to “$SERIALNUMBER@WOLFTECH.AD.NCSU.EDU” NOTE: must be exact and case matters
- Now select the Identity certificate as “NCSU-Device-Eduroam” ( or the name you gave the first certificate created earlier).
- Leave everything else default and select the Trust tab and make sure that the Username and Identity Certificate are the same as on the Protocols tab.
- Next under Trusted Certificates check the boxes beside the other 2 certificates uploaded earlier: InCommon RSA Server CA and North Carolina State University Root CA256-RSA to have macOS automatically trust them for all users in the KeyChain. This is so the client will not see a dialog asking for them to be approved when the profile installs.
- At the bottom check Allow Trust Exceptions
Finally scope and save the profile as desired.
See these screen shots for example profile settings:
The easiest way to meet this control is to edit the template custom configuration profile for Apple’s FileVault2 encryption:
with Profile Creator, signing it, and uploading it to our configuration management system (Jamf Pro). The template profile manages only the FileVault 2 settings and does not lock other settings in the Security & Privacy system preferences panel. This profile has been tested on macOS versions 10.15.0 and newer and may not work on earlier OS versions. Note: Most Apple devices use flash storage with APFS volumes and not spinning hardware disks. This is important when off-boarding encrypted devices for surplus as they should be cryptographically erased for best data security.
Considerations - Please Read
The usernames that can decrypt the storage volumes on device startup are limited to a) usernames created with the Setup Assistant or b) usernames created with the Users & Groups system preference panel. These usernames have what is called a Secure Token, allowing them and only them to decrypt the disk. To be clear, usernames that are network users (like most <UNITY>.admin accounts) and local accounts created with NoLoAD, sysadminctl, or Jamf policies will not be able to decrypt the disk without manual work. The template profile is set up to escrow the recovery key, which can be used to decrypt the disk both for login and disk repair and will require a password change when used. For devices managed using the configuration management system (JAMF Pro) and running macOS 10.15.3 or newer on devices with the T2 security chip, another encryption key is saved called the Boot Strap token. This Boot Strap token should be used by the configuration management system to grant Secure Tokens to usernames created using policies, allowing them to decrypt the data volumes.
For versions of macOS before 10.15.x, other methods may be needed to escrow keys or grant secure tokens to usernames. Best practice is to upgrade all devices to macOS 10.15 or newer. Several of these posts provide great information and guides to working with FileVault2 on earlier versions of macOS: https://derflounder.wordpress.com/category/filevault-2/
1) Offering Apple software updates to the end user allowing them to defer updates. This is the best way to entice your end users to patch without disrupting anything critical (teaching, video conferencing, etc) they might be doing. This is the preferred way of setting up patching.
Use a monthly Jamf Pro policy with a Software Updates option where Allow Deferral has been allowed in the User Interaction tab. Note that in Jamf Pro version 10.21.0 and beyond deferral can be configured for a number of days or a specific date. Best practice is to use day based deferral when possible. It is also best practice to enable this policy for Self Service so clients can update as they please to get better compliance.
2) Forcing an update regardless of what the user is doing.
This is not polite nor kind, will forcibly disrupt whatever the client is doing, and will cause data loss, interruption of presentations, teaching, video conferencing, etc.
Also note that Apple has indicated this may change in macOS beyond 10.15.x.
Use a Jamf Pro policy with a Files and Process option to run Apple’s command line software update tool. Use the install and all command line switches
/usr/sbin/softwareupdate --install --all
in the EXECUTE COMMAND field to install all macOS updates. NOTE: with 10.14 and beyond this will not install updates to App Store apps as it did with earlier versions. See figure for example of Jamf Policy.
On macOS 10.13 and beyond Apple software updates can be forced even at the Login Window by using the SoftwareUpdateLauncher instead:
/System/Library/CoreServices/Software\ Update.app/Contents/Resources/SoftwareUpdateLauncher.app/Contents/MacOS/SoftwareUpdateLauncher -RootInstallMode YES -SkipConfirm YES
3) To force a major macOS update or update to a specific version
On macOS 10.15 or newer use a Jamf Pro policy with a Files and Process option to run this command:
/usr/sbin/softwareupdate --fetch-full-installer --full-installer-version 10.15.7 && '/Applications/Install macOS Catalina.app/Contents/Resources/startosinstall' --agreetolicense --forcequitapps --nointeraction
This command would upgrade (but not down-grade) to version 10.15.7 of macOS. If you need to **destroy all the data on the device**, format the boot volume, and start over add these switches to the command:
--eraseinstall --newvolumename 'Macintosh HD'
With macOS 11.0+, authentication as a local administrator account is required to force a silent, unattended macOS install. The command is
/usr/sbin/softwareupdate --fetch-full-installer --full-installer-version "11.1" && /usr/bin/su -l <localadminuser> -c "echo <localadminpass> | /Applications/Install\ macOS\ Big\ Sur.app/Contents/Resources/startosinstall --nointeraction --agreetolicense --forcequitapps --user <localadminuser> --stdinpass"
Again to do complete Erase and Install add
--eraseinstall --newvolumename 'Macintosh HD'
Of course the version of macOS desired and the actual admin user and password should be substituted (the angle brackets <> are not needed). Be aware that this may not work if the device is at the login window with no user session, and a local account with administrative privileges must exist (though one could create a local admin, run the command and then remove the admin).
NOTE: NoLoAD can be used without NoMAD by simply leaving the NoMAD package out of the policy. If there is no need to retain kerberos tickets for services like DFS shares NoMAD is not needed.
Create a Jamf Pro policy to install the latest version of both NoLoAD and NoMAD (nomad.menu web site) available from the Jamf Pro packages distribution. This should be triggered as desired but only run once per computer as in Figure 5.
Create Admin Users instead of Standard Users
As provided, the value for CreateAdminUser setting is false and all users created will be Standard Users. Folks with technicians assisting end users should consider setting the preference CreateAdminIfGroupMember in a Profile or using:
defaults write /Library/Preferences/menu.nomad.login.ad CreateAdminIfGroupMember -array 'Tech Support' 'Domain Admins' 'whatever'
If there is a need for an end user to be an administrator on the device, use a Profile or set it with:
defaults write /Library/Preferences/menu.nomad.login.ad CreateAdminUser 1
Display a Different Logo on NoLoAD Login Window
To change the graphic on the login window simply replace /Library/Application\ Support/NoLoAD/logo.png with a different PNG file of choice.
defaults write /Library/Preferences/menu.nomad.login.ad EULATitle "Warning Notice";
defaults write /Library/Preferences/menu.nomad.login.ad EULAText "This is an NC State Information Technology resource that may only be accessed and used by authorized individuals. By using this system, all users acknowledge notice of and agree to comply with NC State’s Computer Use Regulation REG 08.00.02, available at
http://go.ncsu.edu/computeruse. Unauthorized access or use of this resource may subject violators to criminal, civil, and/or administrative disciplinary action. By using this computer system, users understand that they have no expectation of privacy with regard to any records/data stored on, archived on, or passing over NC State IT resources. NC State may examine the content of both personal and work-related electronic information stored on, archived on, or passing over NC State IT resources."
These commands should be separated by a “;” and the policy will look like Figure 6. Note this is not required if using a Configuration Profile.
Printers are either very trivial or overly complex to deploy on macOS depending on who made the printer and what features need to be supported. The most reliable method is not the default printer setup provided by Jamf Pro.
Jamf provides printer mapping not printer creation.
The two (2) methods that actually work are either a) use an “Air Print” Configuration Profile uploaded from Profile Creator.app (https://github.com/ProfileCreator/ProfileCreator), which will work for basic printing from the majority of modern printers, or b) set up the printer using the lpadmin Unix command line tool that configures CUPS. Starting with macOS 10.15.x Apple has restricted network printing to the ipp or ipps protocol (direct attached USB should work ongoing and smb based printing still seems to work but I would not expect it to be there in future versions of macOS).
–Configuration Profiles – the easy way to set up most printers
Most modern printers do support ipp or ipps print protocols. These should be set up as “Air Print” printers by IP Address using Profile Creator.app. Note here that what Apple calls Air Print has 2 parts, one for self discovery of printers that uses DNS SD and one for actually printing to the printers which uses ipp/ipps protocols. By using Configuration Profiles to set up these printers we get to skip the first, discovery part and directly add the printer by IP address or DNS Name.
See example at
Here are the configuration profiles for the WolfPrint FollowMe print queues. Remember to change the uuid numbers to avoid conflicts in Jamf Pro.
–Printer Setup with lpadmin – when nothing else works
When configuration profiles have been tried and they don’t work, then we need to know what type of printer protocol is used. For most of these “other” printers the most reliable setup is to create a Jamf Pro Policy that has an “EXECUTE COMMAND” set on the “Files and Processes” option to use the lpadmin command line tool. WARNING: Most printers that need lpadmin to deploy ALSO require additional software beyond the printer setup and may require multiple install packages installed in a specific order to make them work.
The general command is:
lpadmin -p SomePrinter -D "Some Printer" -E -v ipp://example.ncsu.edu/queuename -P /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/AirPrint.ppd
Best practice here is to set up the printer on a macOS device so you know it works. Make a list of any extra installer packages and configuration files that it takes for an actual print out to work. After everything works, look at the /etc/cups/printers.conf file. WARNING: In macOS 10.15.0+ Apple has added this note to the lpadmin man page: “Note: PPD files and printer drivers are deprecated and will not be supported in a future version of CUPS”. This means the -P will stop working in future versions of macOS.
The printers.conf file will have 1 or more entries wrapped in the xml tags <Printer somename> </Printer> like
MakeModel Generic PostScript Printer
JobSheets none none
We need 2 strings out of the printers.conf file: a) the name part from the first tag (in example here would be WolfPrint_BlackAndWhite) and b) DeviceURI (here ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite).
The lpadmin command would look like:
lpadmin -p WolfPrint_BlackAndWhite -D "WolfPrint_BlackAndWhite" -E -v ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite -P /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/AirPrint.ppd
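Pulling the two strings out of printers.conf by hand gets tedious with several queues, so here is a small shell helper that does it and prints the matching lpadmin commands (an added example, not part of the original page). The sample file content is constructed, the function names are this example's own, and entries whose DeviceURI embeds a user name or password are skipped so that stored credentials are not copied into a Jamf policy.

```shell
#!/bin/sh
# Added example: turn printers.conf entries into lpadmin commands.
# AIRPRINT_PPD is the PPD path used in the lpadmin commands on this page.
AIRPRINT_PPD="/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/AirPrint.ppd"

# Constructed sample in the printers.conf layout (not copied from a real host).
sample_printers_conf() {
    cat <<'EOF'
# Printer configuration file for CUPS
<Printer WolfPrint_BlackAndWhite>
Info WolfPrint_BlackAndWhite
MakeModel Generic PostScript Printer
DeviceURI ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite
JobSheets none none
</Printer>
<DefaultPrinter Legacy_SMB>
Info Legacy_SMB
DeviceURI smb://user:secret@files.example.com/queue
JobSheets none none
</DefaultPrinter>
EOF
}

# Reads printers.conf text on stdin, prints one line per complete entry:
# an lpadmin command, or a "# skipped" comment when the URI needs review.
printers_to_lpadmin() {
    awk -v ppd="$AIRPRINT_PPD" '
        # True when the authority part of the URI carries user[:password]@
        function has_userinfo(u,    rest, slash) {
            rest = u
            sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", rest)
            slash = index(rest, "/")
            if (slash > 0) rest = substr(rest, 1, slash - 1)
            return index(rest, "@") > 0
        }
        # Opening tag: <Printer name> or <DefaultPrinter name>
        /^<(Default)?Printer / { name = $2; sub(/>$/, "", name); uri = ""; next }
        $1 == "DeviceURI"      { uri = $2; next }
        # Closing tag: emit the entry if both strings were found
        /^<\/(Default)?Printer>/ {
            if (name != "" && uri != "") {
                if (has_userinfo(uri) || index(uri, "\047") > 0)
                    # Stored credentials or shell quotes: leave for a human
                    printf "# skipped %s: DeviceURI needs manual review\n", name
                else
                    printf "lpadmin -p %s -D \"%s\" -E -v \047%s\047 -P %s\n", name, name, uri, ppd
            }
            name = ""; uri = ""
        }
    '
}

# On a configured Mac: sudo cat /etc/cups/printers.conf | printers_to_lpadmin
sample_printers_conf | printers_to_lpadmin
```

The DeviceURI is wrapped in single quotes in the output so that characters such as ? or & in a queue URI are not interpreted by the shell when the line is pasted into an Execute Command field.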
Some good information is at:
Again these are for printers that use ipp/ipps and have no special setup requirements (thus can use the Generic.ppd printer description file). These are color or black and white, postscript or PCL printers that are single or double sided printing on 8.5″x11″ paper with no more than 2 paper trays (manual feed usually works too).
For printers that use other network protocols like lpd, smb, etc the DeviceURI will be different so just copy/paste from printers.conf.
If the printers are multi-function, there will be additional setup packages required.
If you want to explore more complex printer setup have a look at:
If you need to set some Pre-Sets for printers on macOS (preferences for Double Sided, etc) have a look at this link:
The installation of the Cisco Jabber software for macOS here at NCSU requires an InCommon Certificate that is not included with macOS by default. The certificate must be added to the user’s keychain. To install the certificate for users in a Jamf Site the following macOS configuration profile can be used with slight modification to update the uuid number for the profile identifier. Here are the steps:
- Download the template configuration profile at:
- Unzip the file by double clicking on it.
- Download and install Profile Creator.app from
- Run Profile Creator.app and Open the template configuration profile named NCSU-Campus-InCommon RSA Server CA for Cisco Jabber.mobileconfig. In the General section look for the Identifier field. NOTE: On the first run of ProfileCreator.app the preferences will need to be changed to show the Identifier field. Do this by clicking the Gear Icon in the upper right of the window and check “Hidden” next to “Show Payload Keys: “.
- The uuid number in the Identifier field of every configuration profile needs to be unique in all of JAMF.
Generate a new uuid number by opening the Terminal.app and using the uuidgen command.
The command will look something like this:
- Now copy and paste the newly generated uuid number into the Identifier field in Profile Creator.app and save the profile by first Selecting Save from the File menu and then Selecting Export from the File Menu to create a new copy for uploading to Jamf Pro.
Here is a little trick for those interested in creating a jamf policy that either launches an app or runs a policy to install it.
There is an interesting way to use the Files and Processes option in a Jamf Policy and the || operator from the shell to make this happen. If a command line tool fails then the || operator provides for another command to run. The general idea is:
/usr/bin/open -a "some application" || /usr/local/bin/jamf -event someCustomTrigger
So we use the open tool with the -a switch to try and open a named application and bring it to the front most window. If this fails then we run the jamf binary to execute the existing custom trigger policy.
/usr/bin/open -a "TextEdit" || /usr/local/bin/jamf -event installTextEdit
Remember of course that the policy calls a custom trigger which would have to exist already (usually one of your existing policies but just add a custom trigger). The policy can be added to the Jamf category -Launcher to make it easier to find.
The policy in Jamf Pro would look like this:
Use the Template macOS Configuration Profile that sets the time zone to America/New_York and configures the Date and Time system preference panel to use time.ncsu.edu. Remember to change the uuid number to avoid profile conflicts in Jamf Pro
Many popular apps for Apple devices are available in the App Store and can be easily installed as Device Licensed applications.
The steps are:
1) Login to school.apple.com and select Apps and Books under the Content section on the left side bar. Note: The id must have Content Management permissions in Apple School Manager.
2) Find the app you want (Word, etc). Warning here is that many apps, MS included, have both iOS and macOS versions. To make it easier click on the blue and white sort icon (ice cream cone shaped) and set the Type to “Mac”, etc.
3) “Buy” for $0.00 the number of copies needed by filling in the Quantity and pressing the Get button. This will start the license generation process.
4) WAIT until an email confirms the licenses are ready.
5) In Jamf Pro, select Computers> Mac App Store Apps> +New
6) Search for desired app and click the Add button on the far right.
7) Set a category, Self Service details, etc, add Scope like any other policy.
8) Now click save.
9) Now that the App Store App is created, edit it a 2nd time, click Managed Distribution (right most tab) and check the box Assign Content Purchased in Volume
10) Verify that Total Content matches the licenses you purchased (or the total purchased if more than one purchase of the same app has been made) and Click Save again.
NOTE: The In Use number does not always equal the number physically installed. It just means that the license is assigned and that many devices have confirmed with the JSS they will use the license. The install may not have happened yet especially if deployed using Self Service. If VPP numbers don’t match, wait about 1 hour and confirm again. For very large purchases 1,000 + copies it may take 4 or more hours to finish the license generation so wait for that confirmation email.