Following are quick outlines of how to set up Jamf Pro Policies for specific tasks. These should be used as a guideline only! As always, TEST policies on a small group of devices before deploying them to an entire Group or Site.
Basic Endpoint Protection Standard
Other Interesting Software
Use a Jamf Policy to install DetectX as a supplement to Apple’s XProtect.
Two policies are needed to ensure proper install and scanning.
Full documentation is on the DetectX Setup for Jamf Pro page.
Create a Jamf Pro policy to install the latest version of Spirion Identity Finder available from the Jamf Pro packages distribution. This should be triggered as desired but only run once per computer as in Figure 1.
Use an Apple Configuration Profile in Jamf Pro to ensure that the Login Window option has these settings:
1) Window tab is set to show Name and Password Fields for the Login Prompt as in Figure 2.
2) Options tab is set to Disable Automatic Login as in Figure 3.
Use a custom Apple Configuration Profile that enables the Firewall and enables Stealth Mode. In Jamf Pro upload into the Configuration Profiles tab the custom profile that manages just the firewall preferences in the com.apple.security.firewall preference domain from
While Jamf Pro does have a Security & Privacy Option payload, setting just the Firewall in this option locks out the management of other important settings from user control. By uploading the custom profile, only the needed settings are locked.
Use a Jamf Pro policy with a Files and Processes option to run Apple’s command line software update tool on a monthly basis. Use the install and all command line switches:
/usr/sbin/softwareupdate --install --all
in the EXECUTE COMMAND field to install all macOS updates. NOTE: with 10.14 and beyond this will not install updates to App Store apps as it did with earlier versions. See Figure 4 for example of Jamf Policy.
On macOS 10.13 and beyond Apple software updates can be forced even at the Login Window by using the SoftwareUpdateLauncher instead:
/System/Library/CoreServices/Software\ Update.app/Contents/Resources/SoftwareUpdateLauncher.app/Contents/MacOS/SoftwareUpdateLauncher -RootInstallMode YES -SkipConfirm YES
NoLoAD can be used without NoMAD by simply leaving the NoMAD package out of the policy. If there is no need to retain Kerberos tickets for services like DFS shares, NoMAD is not needed.
Create a Jamf Pro policy to install the latest version of both NoLoAD and NoMAD (nomad.menu web site) available from the Jamf Pro packages distribution. This should be triggered as desired but only run once per computer as in Figure 5.
Create Admin Users instead of Standard Users
As provided, the value for CreateAdminUser setting is false and all users created will be Standard Users. Folks with technicians assisting end users should consider setting the preference CreateAdminIfGroupMember in a Profile or using:
defaults write /Library/Preferences/menu.nomad.login.ad CreateAdminIfGroupMember -array 'Tech Support' 'Domain Admins' 'whatever'
If there is a need for an end user to be an administrator on the device, use a Profile or set with:
defaults write /Library/Preferences/menu.nomad.login.ad CreateAdminUser -bool true
Display a Different Logo on NoLoAD Login Window
To change the graphic on the login window simply replace /Library/Application\ Support/NoLoAD/logo.png with a different PNG file of choice.
defaults write /Library/Preferences/menu.nomad.login.ad EULATitle "Warning Notice";
defaults write /Library/Preferences/menu.nomad.login.ad EULAText "This is an NC State Information Technology resource that may only be accessed and used by authorized individuals. By using this system, all users acknowledge notice of and agree to comply with NC State’s Computer Use Regulation REG 08.00.02, available at
http://go.ncsu.edu/computeruse. Unauthorized access or use of this resource may subject violators to criminal, civil, and/or administrative disciplinary action. By using this computer system, users understand that they have no expectation of privacy with regard to any records/data stored on, archived on, or passing over NC State IT resources. NC State may examine the content of both personal and work-related electronic information stored on, archived on, or passing over NC State IT resources."
These commands should be separated by a “;” and the policy will look like Figure 6. Note this is not required if using a Configuration Profile.
Printers are either very trivial or overly complex to deploy on macOS depending on who made the printer and what features need to be supported. The most reliable method is not the default printer setup provided by Jamf Pro.
Jamf provides printer mapping not printer creation.
The two (2) methods that actually work are either a) use an “Air Print” Configuration Profile uploaded from Profile Creator.app (https://github.com/ProfileCreator/ProfileCreator), which will work for basic printing from the majority of modern printers, or b) set up the printer using the lpadmin Unix command line tool that configures CUPS. Starting with macOS 10.15.x, Apple has restricted network printing to the ipp or ipps protocol (direct attached USB should continue to work, and smb based printing still seems to work, but I would not expect it to be there in future versions of macOS).
Configuration Profiles – the easy way to set up most printers
Most modern printers do support ipp or ipps print protocols. These should be set up as “Air Print” printers by IP Address using Profile Creator.app. Note here that what Apple calls Air Print has 2 parts: one for self discovery of printers, which uses DNS SD, and one for actually printing to the printers, which uses the ipp/ipps protocols. By using Configuration Profiles to set up these printers we get to skip the first, discovery part and directly add the printer by IP address or DNS Name.
See example at https://www.jamf.com/jamf-nation/feature-requests/6026/add-airprint-as-a-macos-configuration-profile-payload-option
Printer Setup with lpadmin – when nothing else works
When configuration profiles have been tried and they don’t work, then we need to know what type of printer protocol is used. For most of these “other” printers the most reliable setup is to create a Jamf Pro Policy that has an “EXECUTE COMMAND” set on the “Files and Processes” option to use the lpadmin command line tool. WARNING: Most printers that need lpadmin to deploy ALSO require additional software beyond the printer setup and may require multiple install packages installed in a specific order to make them work.
The general command is:
lpadmin -p SomePrinter -D "Some Printer" -E -v ipp://example.ncsu.edu/queuename -P /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/Generic.ppd
Best practice here is to set up the printer on a macOS device so you know it works. Make a list of any extra installer packages and configuration files that it takes for an actual print out to work. After everything works, look at the /etc/cups/printers.conf file.
The printers.conf file will have 1 or more entries wrapped in the XML-style tags <Printer somename> </Printer> like
MakeModel Generic PostScript Printer
JobSheets none none
We need 2 strings out of the printers.conf file: a) the name part from the first tag (in example here would be WolfPrint_BlackAndWhite) and b) DeviceURI (here ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite).
The lpadmin command would look like:
lpadmin -p WolfPrint_BlackAndWhite -D "WolfPrint_BlackAndWhite" -E -v ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite -P /System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/Generic.ppd
Some good information is at:
Again, these are examples of printers that use ipp and have no special setup requirements (and thus can use the Generic.ppd printer description file). These are color or black and white, postscript or PCL printers that are single or double sided printing on 8.5″x11″ paper with no more than 2 paper trays (manual feed usually works too).
For printers that use other network protocols like lpd, smb, etc., the DeviceURI will be different, so just copy/paste from printers.conf.
If the printers are multi-function, there will be additional setup packages required.
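The printers.conf-to-lpadmin step described above can be scripted. The following is an added example, not part of the original page or of Jamf's tooling: it reads printers.conf entries, checks the printer name and DeviceURI against allowlists (the command will run as root from the policy), and prints the matching lpadmin commands. The function names, the sample entries and the allowlist patterns are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build lpadmin commands from /etc/cups/printers.conf entries.
# Generic.ppd path as used on this page.
GENERIC_PPD="/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/PrintCore.framework/Versions/A/Resources/Generic.ppd"

# Constructed sample entries (not copied from a real machine). The second
# entry has a DeviceURI with a space and a semicolon to show the rejection path.
sample_printers_conf() {
cat <<'EOF'
<Printer WolfPrint_BlackAndWhite>
Info WolfPrint_BlackAndWhite
DeviceURI ipps://print.ncsu.edu/printers/WolfPrint-BlackAndWhite
MakeModel Generic PostScript Printer
JobSheets none none
</Printer>
<Printer Lab_Color>
DeviceURI ipp://example.ncsu.edu/queue name;extra
MakeModel Generic PostScript Printer
</Printer>
EOF
}

# printers_to_lpadmin FILE
# Prints one lpadmin command per valid entry. Entries whose name or DeviceURI
# fall outside the allowlists are reported on stderr and skipped.
printers_to_lpadmin() {
    awk -v ppd="$GENERIC_PPD" '
        /^<(Default)?Printer [^>]+>$/ {
            name = substr($0, index($0, " ") + 1); sub(/>$/, "", name)
            uri = ""; next
        }
        $1 == "DeviceURI" { uri = substr($0, index($0, " ") + 1); next }
        /^<\/(Default)?Printer>$/ {
            # Assumed allowlists: CUPS-safe names, and the schemes named on this page.
            ok_name = (name ~ "^[A-Za-z0-9_.-]+$")
            ok_uri  = (uri ~ "^(ipp|ipps|lpd|smb)://[A-Za-z0-9._~:/?=%@+-]+$")
            if (ok_name && ok_uri)
                printf "lpadmin -p %s -D \"%s\" -E -v \"%s\" -P \"%s\"\n", name, name, uri, ppd
            else
                printf "skipped: %s\n", name > "/dev/stderr"
            name = ""; uri = ""
        }
    ' "$1"
}
```

On a working reference Mac, run printers_to_lpadmin /etc/cups/printers.conf as root and paste the reviewed output into the policy's EXECUTE COMMAND field.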
If you want to explore more complex printer setup have a look at:
The installation of the Cisco Jabber software for macOS here at NCSU requires an InCommon Certificate that is not included with macOS by default. The certificate must be added to the user’s keychain. To install the certificate for users in a Jamf Site the following macOS configuration profile can be used with slight modification to update the uuid number for the profile identifier. Here are the steps:
- Download the template configuration profile at:
- Unzip the file by double clicking on it.
- Download and install Profile Creator.app from
- Run Profile Creator.app and Open the template configuration profile named NCSU-Campus-InCommon RSA Server CA for Cisco Jabber.mobileconfig. In the General section look for the Identifier field.
- The uuid number in the Identifier field needs to be unique in all of Jamf. Generate a new uuid number by opening Terminal.app and using the uuidgen command. Will look something like this:
- Now copy and paste the newly generated uuid number into the Identifier field in Profile Creator.app and save the profile by first Selecting Save from the File menu and then Selecting Export from the File Menu to create a new copy for uploading to Jamf Pro.
Here is a little trick for those interested in creating a Jamf policy that either launches an app or runs a policy to install it.
There is an interesting way to use the Files and Processes option in a Jamf Policy and the || operator from the shell to make this happen. If a command line tool fails then the || operator provides for another command to run. The general idea is:
/usr/bin/open -a "some application" || /usr/local/bin/jamf -event someCustomTrigger
So we use the open tool with the -a switch to try to open a named application and bring it to the frontmost window. If this fails, then we run the jamf binary to execute the existing custom trigger policy.
/usr/bin/open -a "TextEdit" || /usr/local/bin/jamf -event installTextEdit
Remember, of course, that the policy called by the custom trigger would have to exist already (usually one of your existing policies, but just add a custom trigger). The policy can be added to the Jamf category -Launcher to make it easier to find.
The policy in Jamf Pro would look like this: