Following are quick outlines of how to set up Jamf Pro Policies for specific tasks. These should be used as a guideline only! As always, TEST policies on a small group of devices before deploying them to an entire Group or Site.
Basic Endpoint Protection Standard
Other Interesting Software
Use a Jamf Policy to install DetectX as a supplement to Apple’s XProtect.
Two policies are needed to ensure proper install and scanning.
Full documentation is on the DetectX Setup for Jamf Pro page.
Create a Jamf Pro policy to install the latest version of Spirion Identity Finder available from the Jamf Pro packages distribution. This should be triggered as desired but only run once per computer as in Figure 1.
Use an Apple Configuration Profile in Jamf Pro to ensure that the Login Window option has the following settings:
1) Window tab is set to show Name and Password Fields for the Login Prompt as in Figure 2.
2) Options tab is set to Disable Automatic Login as in Figure 3.
Use a custom Apple Configuration Profile that enables the Firewall and enables Stealth Mode. In Jamf Pro, upload into the Configuration Profiles tab the custom profile that manages just the firewall preferences in the com.apple.security.firewall preference domain from
While Jamf Pro does have a Security & Privacy Option payload, setting just the Firewall in this option also locks other important settings out of user control. By uploading the custom profile, only the needed settings are locked.
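A sketch of what such a firewall-only profile can contain, as an added example that is not the profile this page links to. It builds a .mobileconfig with a single com.apple.security.firewall payload and then audits a profile for anything beyond that. The `edu.example.jamf` identifier prefix and the display names are placeholders; `EnableFirewall` and `EnableStealthMode` are Apple's keys for this payload.

```python
import plistlib
import uuid

FIREWALL_DOMAIN = "com.apple.security.firewall"

def build_firewall_profile(org_id="edu.example.jamf"):  # org_id: placeholder prefix
    """Return .mobileconfig bytes whose only payload is the firewall domain."""
    payload = {
        "PayloadType": FIREWALL_DOMAIN,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.firewall.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Firewall",            # constructed name
        "EnableFirewall": True,
        "EnableStealthMode": True,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.firewall",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Firewall and Stealth Mode",  # constructed name
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def audit_profile(data):
    """Return a list of reasons the profile is not firewall-only (empty = ok)."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    problems = []
    # Any other payload type would lock settings this profile should leave alone.
    extra = sorted({str(p.get("PayloadType")) for p in payloads} - {FIREWALL_DOMAIN})
    if extra:
        problems.append(f"manages other domains: {extra}")
    fw = [p for p in payloads if p.get("PayloadType") == FIREWALL_DOMAIN]
    if len(fw) != 1:
        problems.append(f"expected 1 firewall payload, found {len(fw)}")
    for p in fw:
        for key in ("EnableFirewall", "EnableStealthMode"):
            if p.get(key) is not True:
                problems.append(f"{key} is not true")
    return problems

if __name__ == "__main__":
    data = build_firewall_profile()
    print(data.decode())
    print("audit:", audit_profile(data) or "ok")
```

Running `audit_profile` on a profile exported from Jamf Pro before scoping it shows whether it carries payloads other than the firewall one.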
Use a Jamf Pro policy with a Files and Process option to run Apple’s command line software update tool on a monthly basis. Use the install and all command line switches
/usr/sbin/softwareupdate --install --all
in the EXECUTE COMMAND field to install all macOS updates. NOTE: with 10.14 and beyond this will not install updates to App Store apps as it did with earlier versions. See Figure 4 for an example of the Jamf Policy.
On macOS 10.13 and beyond Apple software updates can be forced even at the Login Window by using the SoftwareUpdateLauncher instead:
"/System/Library/CoreServices/Software Update.app/Contents/Resources/SoftwareUpdateLauncher.app/Contents/MacOS/SoftwareUpdateLauncher" -RootInstallMode YES -SkipConfirm YES
NoLoAD can be used without NoMAD by simply leaving the NoMAD package out of the policy. If there is no need to retain Kerberos tickets for services like DFS shares, NoMAD is not needed.
Create a Jamf Pro policy to install the latest version of both NoLoAD and NoMAD (nomad.menu web site) available from the Jamf Pro packages distribution. This should be triggered as desired but only run once per computer as in Figure 5.
Create Admin Users instead of Standard Users
As provided, the value for the CreateAdminUser setting is false and all users created will be Standard Users. Folks with technicians assisting end users should consider setting the preference CreateAdminIfGroupMember in a Profile or using:
defaults write /Library/Preferences/menu.nomad.login.ad CreateAdminIfGroupMember -array 'Tech Support' 'Domain Admins' 'whatever'
If there is a need for an end user to be an administrator on the device, use a Profile or set with:
defaults write /Library/Preferences/menu.nomad.login.ad CreateAdminUser -bool true
Display a Different Logo on NoLoAD Login Window
To change the graphic on the login window simply replace /Library/Application\ Support/NoLoAD/logo.png with a different PNG file of choice.
defaults write /Library/Preferences/menu.nomad.login.ad EULATitle "Warning Notice";
defaults write /Library/Preferences/menu.nomad.login.ad EULAText "This is an NC State Information Technology resource that may only be accessed and used by authorized individuals. By using this system, all users acknowledge notice of and agree to comply with NC State’s Computer Use Regulation REG 08.00.02, available at http://go.ncsu.edu/computeruse. Unauthorized access or use of this resource may subject violators to criminal, civil, and/or administrative disciplinary action. By using this computer system, users understand that they have no expectation of privacy with regard to any records/data stored on, archived on, or passing over NC State IT resources. NC State may examine the content of both personal and work-related electronic information stored on, archived on, or passing over NC State IT resources."
These commands should be separated by a “;” and the policy will look like Figure 6. Note this is not required if using a Configuration Profile.