UNC General Administration has worked out a license template that is approved for use across the UNC System Institutions for purchase of JAMF Software’s JAMF Pro management tools for Apple Devices. Details on the UNC System Agreement – JAMF Software JAMF Pro are available from each institution’s Combined Pricing Initiative (CPI) representative or UNC GA.
The UNC Wide JAMF Pro Service is a deployment of the UNC System Agreement – JAMF Software’s JAMF Pro license that uses a shared JSS server hosted by JAMF Software at nc.jamfcloud.com to provide secure, federated, enterprise managment of Apple devices across participating UNC System Institutions. The service makes use of a network of JAMF Distribution Servers (JDS) which are automatically and securely synced across the various participating servers. NC State maintains 4 JDS servers, in 2 independent, hardened machine rooms one of which is currently the Master JDS for the service and JAMF hosts a JCDS that is also available.
What is required to use the UNC Wide JAMF Pro Service?
What is the requirement for access to a campus directory (AD or LDAP)?
Are there firewall requirments to use the UNC Wide JAMF Pro Service?
Does the UNC Wide JAMF Pro Service have Apple GSX access for automated lookup of Apple Devices?
Can JAMF Software’s SCCM Plug-In be used with the UNC Wide JAMF Pro Service?
Are NetBoot or Software Update Servers Provided with the UNC Wide JAMF Pro Service?
Resources and Contacts
What is required to use the UNC Wide JAMF Pro Service?
0) An authorized agent of the institution must sign and comply with the UNC Wide JAMF Pro Memorandum of Understanding for security and compliance purposes.
Request access to the MOU at https://go.ncsu.edu/caspermou
1) Insititutional groups must purchase at least 10 licenses for either OS X or iOS devices (or 10 OSX and 10 iOS if both are required) to have their own JAMF Pro Site.
UNC Institutions should contact their CPI representative for costing and purchasing details
2) Each Insititutional group will have their own JAMF Pro Site for secure federated management. Note that all packages are shared and evey group is responsible for license compliance with each vendor for the packages used at that group’s institution.
Each Site owner must provide secure (ldaps) access to a supported directory (AD or ldaps) containing a group of people that are the administrators of their JAMF Pro Site.
NOTE: If the secure ldap connection requires a non-standard certificate (i.e. directory uses self-signed certificates) special arrangements will have to be made with JAMF support to get the correct certificate chains added to the hosting server.
Only READ ONLY access to the User Name (typically uid or sAMAccountName), User ID (uidNumber) and Group Membership (memberOF) attributes of the User record and the Group name (cn) and Group Id (gid or uSNCreated, this is a number) attributes of the Groups record is required unless the directory uses a different configuration (most commonly this would be acess to the Member attribute of the Group record instead of User>MemberOf). JAMF Pro is designed for machine management, however features like User Self-Service are also availabe but requires access to a broader institutional user information than a simple group of machine administrators. NOTE: Accounts can not be created on the central JSS for institutional individuals or groups.
It is strongly suggested that institutional directory access be granted via a special, read only, service-user account with permissions engineered and used for this purpose only.
4) Each site owner must ensure that institutional firewall access is granted on the required ports for directory ldaps access (typically 636 or custom ports) and client access over the standard HTTPS port (443) to the hosted JSS. Information on configuration is available from the UNC Wide Casper Administration (UWCA) Team.
5) Optionally: Those wanting to package software should provide an additional directory group containing the people who can package software. Software packagers for each site will have read, create, and change permissions but not delete for the following features in the JSS: Categories, Packages, Scripts, Printers, Directory Bindings, Dock Items, Configurations, NetBoot Servers, Extension Attributes, Peripheral Types, Removable MAC Addresses, Buildings, Departments, Network Segments.
NOTE: Each unit is required to name packages with INSTITUTION-unit prefix. Example: Packages made by OIT at NC State would be named:
This avoids issues with other UNC system schools in the hosted environment.
It is also important for those repackaging licensed software to create packages that can apply licenses via policy after installation.
The UNC Wide Casper Administration team will delete packages and other created features upon verified request of the Site Owner and reservers the right to delete any package of feature that is causing system failure without prior notification. In general packagers from individual institutions should create packages and features that clearly identify the institution which created them and work to avoid conflicts.
6) Each site is strongly encouraged to train at least one person for either the Certified JAMF Administrator (CJA) or Certified JAMF Expert (CJE). See JAMF Software Training at: www.jamfsoftware.com/training
7) Optionally: One CCA or CJA trained, person from each UNC Institution can join the UNC Wide Casper Administration(UWCA) Team to help with conflict resolution and routine maintance tasks. A representative from NC State and Applicaian State form the initial UWCA Team.
8) Optionally: If a Site would like to host a JAMF Distribution Server (JDS) they should work with their Casper Administration Team member or the UNC Wide Casper Administration Team to setup.
9) Optionally: Sites desiring other types of JAMF Pro Access (API, Reporting Only, Add Machine Only, etc) should work with their Casper Administration Team member or the UNC Wide Casper Administration Team to setup.
10) Any conflct resolution or requests will be handled by majority agreement of the UNC Wide Casper Administration Team.
11) The UWCA team will provide UNC GA with a report of total seat usage across the UNC System on September 15 annually to help inform institutions in meeting the required 8000 seat goal.
12) Organizations that have existing JAMF Pro Licneses or wish to purchase Jump Start, CJA or CJE training should contact email@example.com for information on license conversion, license prorating, and training costs.
Yes the UWCA Team has created a unique Apple ID for GSX access which provides information on purchased devices as expected in the JSS. Since lookups are based on hardware only this is useful for all system instititutions.
The current implementation of JAMF Software’s SCCM Plug-In allows only 1 instance to be attached to a single JSS making direct use of SCCM Plug-Ins from multiple institutions not possible. The UWCA believes there might be a work-around using a shadow, reporting only, JSS streamed via the JSS-toJSS Plug-In but this would need to tested and impemented in the future and is not available at this time. If interested please work with the institutional Casper Administration Team member or the UWCA.
It is up to each institution to provide their own NetBoot Servers and/or Software Update Servers (SUS). These types of servers usually provide much faster service the closer they are to the client machines in terms of network topology. For details on creating and administrating these type servers for you institution please see:
Production service: https://nc.jamfcloud.com:443/
Test service : https://nccloudtest.jamfcloud.com:443/
UNC Wide Administrators: firstname.lastname@example.org