Jamf Setup Manager and Jamf School

Back in 2019, IBM announced to the world their ‘Mac@IBM’ programme, complete with eye-watering savings that they were making by switching to Mac. Included in their programme was some cool on-boarding software that would present the user with an informative splash screen whilst a Mac initially set itself up, keeping them updated about the progress of the installation of all of the apps and settings. IBM also kindly open-sourced their provisioning workflow, which then spawned a raft of similar solutions: we got this working via Jamf Connect on our school’s Macs with Jamf Pro, but it was set up for us by an external support company and I never could quite figure out how it worked to be able to troubleshoot it or update the settings.

In 2022 we made the jump to Jamf School for our iPads, and then in 2023 for our Macs. This brought a lot of simplicity to our enrolment workflow but also meant that we no longer could have a cool notification splash screen as part of the process. It wasn’t the end of the world, as all of the required apps and settings would just quietly install on the login screen of a freshly enrolled machine, but there was no way of knowing how the installation was progressing or when it was finished.

Enter Jamf Setup Manager.

This had been floating around in private beta since JNUC in 2023, but wonderfully made its official debut towards the end of 2024. It still remained a little fiddly to get working on Jamf School, until an update to Jamf School dropped just before Christmas that made it possible for a select few packages and profiles to be installed on a Mac as part of the enrolment process. Plus, iMazing Profile Editor have also added a preference manifest for Jamf Setup Manager, meaning that it’s now easy to create and edit the required configuration file in a lovely GUI rather than hacking away in an XML file. With all of these pieces of the puzzle in place, I gave it a go and was able to get it working to my satisfaction!

So, what does Jamf Setup Manager do?

Once it’s been installed, along with the corresponding configuration file, it launches during enrolment and informs the user about the progress of any installations. Here are the main moving parts:

  • All of the text and images for the splash screen are customisable within the configuration profile. Comprehensive documentation about the structure and contents of the file is available.
  • Each installable item is called an ‘action’. These have a label (i.e. the name of the app being installed) and an icon. The icon image can either be stored locally on the machine or hosted on the Internet. I have discovered that a right click on the app icon in Jamf School provides a fully-functioning web location that can be used for this.
  • One of the possible actions to run is a shell command and its accompanying arguments. This can be used to replace any onboarding scripts that you might normally run.
  • There is also a cute feature with icons, in that you can leverage Apple’s SF Symbols to create an icon for an action, e.g. symbol:clock for a shell command to set the default time zone.
  • To actually install apps, there are two mechanisms:
    • The first one relies on Jamf School to do its thing and install the apps as normal, either using VPP Mac App Store apps or via App Installers. Jamf Setup Manager handles this with a ‘watch path’, where it will keep monitoring a specific directory (usually the /Applications folder) until the app appears before moving onto the next action. This can, however, take quite some time as Jamf Setup Manager has no way of telling Jamf School which order to install the apps in and so just has to sit around until the specified app has been installed.
    • To counter this, Jamf Setup Manager can also make use of a second method, specifically Installomator ‘labels’. Installomator is an epic script for installing applications, through specific instructions about how to fetch, download and install the correct package for any given app. This whole script is built into Jamf Setup Manager, so you just have to specify which app to install and it will do the rest. There is a handy list of possible apps on GitHub, which just have to be specified in the configuration profile. The app can still be updated using App Installers in Jamf School, but using Installomator for the initial installation adds a lot more control to the onboarding workflow.
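The three kinds of action described above, as an added example that is not part of the original post or of Jamf's own code: a small pre-upload check that each action has a label, exactly one way of completing, and sensible shell and icon values. The key names (enrollmentActions, label, icon, shell, arguments, watchPath, installomator) are assumed from Setup Manager's documented profile format and should be confirmed against that documentation; the labels, paths, icon URL and the checks themselves are illustrative.

```python
import plistlib

# The three ways of completing an action that the post describes.
KINDS = ("watchPath", "installomator", "shell")

# Constructed settings; labels, paths and the icon URL are examples only.
SETTINGS = {
    "title": "Setting up your Mac",
    "enrollmentActions": [
        {"label": "Set time zone", "icon": "symbol:clock",
         "shell": "/usr/sbin/systemsetup",
         "arguments": ["-settimezone", "Europe/London"]},
        {"label": "Google Chrome", "icon": "symbol:globe",
         "installomator": "googlechromepkg"},
        {"label": "Keynote", "icon": "https://example.com/icons/keynote.png",
         "watchPath": "/Applications/Keynote.app"},
    ],
}

def lint_actions(settings):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    for number, action in enumerate(settings.get("enrollmentActions", []), 1):
        name = action.get("label") or f"action {number}"
        if "label" not in action:
            problems.append(f"{name}: no label to show the user")
        kinds = [k for k in KINDS if k in action]
        if len(kinds) != 1:
            problems.append(f"{name}: expected one of {KINDS}, found {kinds}")
        # A bare command name depends on PATH; an absolute path does not.
        if "shell" in action and not str(action["shell"]).startswith("/"):
            problems.append(f"{name}: shell command is not an absolute path")
        args = action.get("arguments", [])
        if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
            problems.append(f"{name}: arguments must be a list of strings")
        # Icons pulled over plain HTTP can be swapped in transit.
        if str(action.get("icon", "")).startswith("http://"):
            problems.append(f"{name}: icon is fetched over plain HTTP")
    return problems

if __name__ == "__main__":
    for problem in lint_actions(SETTINGS):
        print("WARN", problem)
    # The XML form of the settings, as it would appear in the profile.
    print(plistlib.dumps(SETTINGS).decode())
```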

Once it’s all configured properly, Jamf Setup Manager does work like a dream. Testing can be a little time consuming, as the Mac has to be wiped in order to be set up again, but this is a quicker process now thanks to ‘Erase All Contents and Settings’.

I would love it if Jamf were to build this tool completely into Jamf School so that it was just a tickbox in the settings to activate, perhaps with the ability to choose apps from those already in Jamf School. But for now, it’s definitely a big step forwards in making Jamf School an increasingly viable MDM option for the Mac in education.

Orphaned Profiles in Jamf School

Jamf School is great for managing iPads.

Jamf School for Macs is a less clear proposition:

+ Cheaper

+ All in one place

+ A few nice touches (see previously)

– Not as powerful

– Doesn’t have an on-device management binary

– Some things are downright fiddly to do!

One such area of challenge I have come across is with how custom profiles are managed. Jamf School has lots of built-in profile creation options (including the ability to build and manage the dock…gasp!). But if there are areas that aren’t catered for, it’s perfectly happy to push out a custom profile built elsewhere.

This works fine.

The only issue comes when you want to update a custom profile for Mac. There is a very inviting ‘replace profile’ button that — in theory — allows you to upload a new profile to replace an existing one.

This is where the fun starts.

If the profile identifier of the new profile is not the same as the old profile, the old profile will remain on the scoped managed computers with the new profile installed as well. Invariably, this means that the settings you want changed won’t take effect because there is a conflict between the two profiles.

If we then remove this new profile, the older profile will remain on the Mac because Jamf School no longer knows the identifier of the old profile to remove it. And as it is an MDM installed profile, only MDM can remove it.

If you’re an organised sort of person and have kept a copy of all custom profiles saved elsewhere, simply upload it to Jamf School, scope it to the affected Macs and then remove/unscope/delete it. This will then trigger the MDM command to remove it.

If, however, you don’t have the original custom profile, fear not: all is not lost!

On the Mac with the orphaned profile, simply open Terminal and run the following command:

profiles -C -v

This will then spit out a list of all the profiles installed on the Mac in sufficient detail so that you can find the ‘profile identifier’ name of the offending profile.

Simply recreate a profile (perhaps using iMazing) with this same profile identifier, upload it to Jamf School, scope it and then remove/delete the profile. Jamf School will then happily remove the old profile in question.
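The recovery steps above, as an added example that is not part of the original post: it picks out installed profiles whose identifier the MDM no longer lists, and re-tags an unsigned profile you have built with the orphan's identifier so it can be uploaded, scoped and removed. The sample output is constructed and assumes the `attribute: key: value` layout of `profiles -C -v`; the function names and identifiers are hypothetical.

```python
import plistlib
import re

# Constructed sample of `profiles -C -v` output; names and identifiers are made up.
SAMPLE_OUTPUT = """\
_computerlevel[1] attribute: name: Dock (replacement)
_computerlevel[1] attribute: profileIdentifier: com.example.school.dock.v2
_computerlevel[1] attribute: installedByMDM: TRUE
_computerlevel[1] payload count = 1
_computerlevel[2] attribute: name: Dock
_computerlevel[2] attribute: profileIdentifier: com.example.school.dock
_computerlevel[2] attribute: installedByMDM: TRUE
_computerlevel[2] payload count = 1
"""

# Assumed line layout: "<scope>[<n>] attribute: <key>: <value>"
ATTRIBUTE = re.compile(r"^(\S+\[\d+\]) attribute: (\w+): ?(.*)$")

def installed_profiles(text):
    """Group attribute lines by profile index; return one dict per profile."""
    profiles = {}
    for line in text.splitlines():
        match = ATTRIBUTE.match(line.strip())
        if match:
            index, key, value = match.groups()
            profiles.setdefault(index, {})[key] = value.strip()
    return list(profiles.values())

def find_orphans(text, known_identifiers):
    """Profiles on the Mac whose identifier the MDM no longer has a record of."""
    return [p for p in installed_profiles(text)
            if p.get("profileIdentifier") not in known_identifiers]

def retag_profile(profile_bytes, identifier):
    """Return a copy of an unsigned .mobileconfig with its top-level
    PayloadIdentifier replaced, leaving the payloads untouched."""
    profile = plistlib.loads(profile_bytes)
    profile["PayloadIdentifier"] = identifier
    return plistlib.dumps(profile)

if __name__ == "__main__":
    known = {"com.example.school.dock.v2"}  # identifiers still listed in the MDM
    for orphan in find_orphans(SAMPLE_OUTPUT, known):
        print(orphan["profileIdentifier"], "-", orphan.get("name"))
```

Keeping the list of known identifiers alongside your saved profiles turns this into a quick drift check after any profile change.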

From now on, I will definitely add a new profile on Jamf School rather than replacing an existing one!

Managing Macs like they’re iPads

Over the last year, we have been migrating all of our iPads over to Jamf School, which has gone really rather well. Jamf School’s focus on education really pays off I believe, making lots of things you might need to do or manage in a school really easy. Given this wonderful success, could we move over our Mac fleet as well, migrating those computers from Jamf Pro?

The case for moving the iPads was easy: it was a little bit cheaper (which adds up when you’re doing a school-wide 1:1 project), it had some neat education features like Jamf Teacher, and it was the direction that Jamf seemed to be taking things in the education space. What about then for the Mac?

In terms of price, Jamf School costs the same whether you’re managing an Apple TV, an iPad or a Mac, so this makes for nearly a 50% saving over Jamf Pro. Whilst that doesn’t add up to huge amounts of money as we don’t have the same number of Macs as we do iPads, every little helps in these days of inflation.

But what about functionality? Jamf Pro is a mature and fully-featured product, with a long history of wrangling the consumer-centric Mac into some sort of enterprise compliance, and has all sorts of hooks and tricks for getting Macs to do what you want. Whereas Jamf School is basically just the MDM side with a basic scripting add-on and a Jamf School ‘self service’ menubar extension that allows users to install apps, profiles, documents and natty wallpapers.

The question then became, could we set up our Macs the way we wanted them, basically using the same tools available for managing iPads? Here is a bit of my adventure and some things I’d love for Jamf to fix!

Adventure Highlights

  • Plugging the Macs into Device Enrollment was pretty straightforward. This allows Macs to be supervised over the air, with users unable to remove the supervision profile. One neat thing about this is that we could preload asset numbers and device names into Jamf School, meaning that we didn’t need to run any fancy scripts post install to gather that information. Rather than manually adding in the Mac’s location in the school once the device was enrolled, I included that in the machine’s name instead.
  • Getting Jamf Connect working wasn’t quite as straightforward as on Jamf Pro. It basically just involved installing the various Jamf Connect packages and then building a configuration profile using the tool that Jamf provide.
  • Mac App Store app installation is super easy. 3rd-party apps were less straightforward, depending on how complex the installer packages were. I was able to sort out most common apps (Chrome, Office etc) with help from support when I got stuck.
  • Creating configuration profiles was reasonably straightforward. And joy of joys, I was able to create a profile for the dock within Jamf School (looking at you Jamf Pro). For custom profiles, I found iMazing to be a very powerful tool.

Wish List

Here are some features I’d love for Jamf to add:

  • Better Jamf Connect integration. A single button in settings would be sweet!
  • Better 3rd party app management. And it turns out that my wish is their command, as Jamf have just added App Installers, a list of packages that Jamf maintains and updates. Amazing!
  • Onboarding screens. The highly skilled out there are able to weave together beautiful onboarding screens when first setting up a Mac. I’ve had a look, but it seems to require a lot of scripting, so I would love it if Jamf could build such a thing into their product. I can but dream…

Is it worth it?

Having been through the switch, which did involve wiping and setting up again all of the Macs in the school, I would say that it has been worthwhile. Managing all of our devices in one place is great, and the simplicity of Jamf School is also a bonus. If you have a simpler Mac setup then Jamf School is definitely worth a look.

An Ode to Jamf School

We’ve been using Jamf Pro (formerly Casper Suite) at school since 2015 to manage our Macs and iPads. And it’s been generally great, and certainly better than any other MDMs on offer.

However, upon visiting and presenting at BETT earlier this year, it became clear that Jamf were positioning their Jamf School product (formerly Zuludesk, acquired by Jamf in 2019) as the best solution to use in education. After chatting with some Jamf engineers and then their sales team, it turned out that they were perfectly happy to give us complimentary licences for Jamf School for the year for us to try it as we were already paying for Jamf Pro and then we could migrate our devices from Jamf Pro at our own pace.

And trialing it is what we’ve done. Moving MDM is not an insignificant task, as every device has to be reenrolled (involving a wipe and fresh setup), but as we were refreshing our KS2 iPads and tweaking our KS1 setup (no more ‘shared iPad’ mode), this seemed like a good opportunity.

And the verdict? We love it!

So much so that I am going to write a blog post where I literally count the ways in which Jamf School is so great…

  1. It’s easy to get started. There’s a friendly onboarding process that gets you plugged into all of Apple’s systems from the outset, such as Apple School Manager, sorting out push certificates etc.
  2. Authentication with Microsoft is also easy. Compared with Jamf Pro, sorting out authentication with a 3rd party provider is really straightforward and lets you add that to the device enrolment workflow.
  3. Syncing accounts with Apple School Manager is simple. Once ASM is plugged in, all of the various student and teacher accounts can be imported into Jamf School, complete with class groupings and everything.
  4. Making groups is fun. In Jamf School, when you make a static or smart group, assigning apps and profiles to that group is part of the creation process. It’s a small thing, but it’s so much quicker as you just ‘click, click, click’ to add the apps you want, rather than going to each app individually and changing the scope.
  5. Making profiles is more straightforward. Rather than just presenting profile options in all their complexity, profile creation is organised in a way that makes more sense for a school. For example, designing Home Screen layouts includes a lovely drag and drop GUI that shows what it will look like as you create it.
  6. The Jamf Teacher/Jamf Student apps are cool. Rather than the Self Service app in Jamf Pro, Jamf Teacher combines the classroom control functionality and resource/app/books catalogue into one place. Which is nice.
  7. There is a plethora of payload variables on offer. Jamf Pro had a few ways of pulling in device/user information in places, but Jamf School has way more of this. One particularly handy place this is implemented is with device naming. Rather than just having the option of the device serial number, we can craft our own custom naming schema, with the default being the useful ‘iPad of %FullName%’. It’s a little thing, but it makes AirDrop in a school of hundreds actually doable as students can easily see the iPad of their classmate, rather than just the serial number.
  8. Student photos on Apple Classroom become a thing. Ever since Apple Classroom came out, it’s been possible to have your students’ photos appear when showing which child has which iPad. However, for most MDMs it’s required hosting the photos of the students on a private web server, which is way beyond my competence level. But with Jamf School, you can just upload the photos to the child’s profile and then they appear automagically in Apple Classroom. Or even the teacher can take a photo in the Jamf Teacher app and then they appear in Apple Classroom too. Cool huh?
  9. Different app settings in one place. In Jamf Pro, if I wanted to have an app automatically install for one group but be a manual install for another group, this was possible but involved adding an app multiple times to the catalogue. Whereas in Jamf School you can just pick the distribution method when you pick the group for the app.
  10. The App catalogue just shows the apps you have licences for. Rather than having to add apps by searching the entire App Store catalogue, Jamf School just shows you all the apps you have volume purchase licences for. And if you don’t want to use any given app any more, you can just hide it from the list. It’s so easy AND tidy!
  11. Assigning books just works. Want to add a book? It will already be in the catalogue of books if you have a licence for it and then you just scope it to the users you want to have it. Jamf School sorts out inviting all the Managed Apple IDs with a simple tick of a box.
  12. You can put devices in groups, enter their asset tag number and rename them before they are enrolled. This is hugely powerful because you no longer need to think of sneaky ways to get a device to end up back in a group should it ever be wiped or deleted from Jamf School.

I probably could go on.

All in all, it’s been an experience with the continual delight of ‘hey, that’s a much better way of doing things’. Admittedly, some ways of doing things are different in Jamf School (such as the idea of automatically reinstalling apps if a user deletes them – the correct method is to remove it via the Jamf Teacher or Jamf Student app). But once you begin thinking in a Jamf School kinda way, it becomes much easier!