UNC System Office has worked out a license template that is approved for use across the UNC System Institutions for purchase of JAMF Software’s JAMF Pro management tools for Apple Devices. Details on the UNC System Agreement – JAMF Software JAMF Pro are available from each institution’s Combined Pricing Initiative (CPI) representative or UNC SO.
The UNC Wide JAMF Pro Service is a deployment of the UNC System Agreement – JAMF Software’s JAMF Pro license that uses a shared JPS server hosted by JAMF Software at nc.jamfcloud.com to provide secure, federated, enterprise management of Apple devices across participating UNC System Institutions. The service makes use of the Jamf Cloud Distribution Service (JCDS), which is hosted by JAMF Software, to distribute installer packages.
0) An authorized agent of the institution must sign and comply with the UNC Wide JAMF Pro Memorandum of Understanding for security and compliance purposes.
Request access to the MOU at https://go.ncsu.edu/jamfmou
1) Institutional groups must purchase at least 10 licenses for either OS X or iOS devices (or 10 OS X and 10 iOS if both are required) to have their own JAMF Pro Site.
UNC Institutions should contact their CPI representative for costing and purchasing details.
2) Each Institutional group will have their own JAMF Pro Site for secure federated management. Note that all packages are shared and every group is responsible for license compliance with each vendor for the packages used at that group’s institution.
3) Each Site owner must provide secure (ldaps) access to a supported directory (AD or ldaps) containing a group of people that are the administrators of their JAMF Pro Site.
NOTE: If the secure ldap connection requires a non-standard certificate (i.e. directory uses self-signed certificates), special arrangements will have to be made with JAMF support to get the correct certificate chains added to the hosting server.
Only READ ONLY access to the User Name (typically uid or sAMAccountName), User ID (uidNumber) and Group Membership (memberOf) attributes of the User record and the Group name (cn) and Group Id (gid or uSNCreated, this is a number) attributes of the Groups record is required unless the directory uses a different configuration (most commonly this would be access to the Member attribute of the Group record instead of User>MemberOf). JAMF Pro is designed for machine management; features like User Self-Service are also available but require access to broader institutional user information than a simple group of machine administrators. NOTE: Accounts cannot be created on the central JSS for institutional individuals or groups.
It is strongly suggested that institutional directory access be granted via a special, read only, service-user account with permissions engineered and used for this purpose only.
4) Each site owner must ensure that institutional firewall access is granted on the required ports for directory ldaps access (typically 636 or custom ports) and client access over the standard HTTPS port (443) to the hosted JSS. Information on configuration is available from the UNC Wide Jamf Administration (UWCA) Team.
5) Optionally: Those wanting to package software should provide an additional directory group containing the people who can package software. Software packagers for each site will have read, create, and change permissions but not delete for the following features in the JSS: Categories, Packages, Scripts, Printers, Extension Attributes, Peripheral Types, Removable MAC Addresses, Buildings, Departments and Jamf Content.
NOTE: Each unit is required to name packages with an INSTITUTION-unit prefix. Example: Packages made by OIT at NC State would be named:
NCSU-OIT-packagename.
This avoids issues with other UNC system schools in the hosted environment.
It is also important for those repackaging licensed software to create packages that can apply licenses via policy after installation.
The UNC Wide Jamf Administration team will delete packages and other created features upon verified request of the Site Owner and reserves the right to delete any package or feature that is causing system failure without prior notification. In general, packagers from individual institutions should create packages and features that clearly identify the institution which created them and work to avoid conflicts.
6) Each site is strongly encouraged to train at least one person to the Jamf 200 or better level. See JAMF Software Training at:
https://training.jamf.com and https://www.jamf.com/training/in-class-learning/private-course/
7) Optionally: One Jamf 200 level or better certified person from each UNC Institution can join the UNC Wide Jamf Administration (UWCA) Team to help with conflict resolution and routine maintenance tasks. A representative from NC State and Appalachian State form the initial UWCA Team.
8) Optionally: If a Site would like to host a JAMF Distribution Server (JDS) they should work with their Jamf Administration Team member or the UNC Wide Jamf Administration Team to set it up.
9) Optionally: Sites desiring other types of JAMF Pro Access (API, Reporting Only, Add Machine Only, etc.) should work with their Jamf Administration Team member or the UNC Wide Jamf Administration Team to set it up.
10) Any conflict resolution or requests will be handled by majority agreement of the UNC Wide Jamf Administration Team.
11) The UWCA team will provide a report of total seat usage across the UNC System annually to help inform institutions in meeting the required 10,000 seat goal.
12) Organizations that have existing JAMF Pro Licenses or wish to purchase Jamf Certification training should contact support@jamfsoftware.com for information on license conversion, license prorating, and training costs.
Yes, the UWCA Team has created a unique Apple ID for GSX access which provides information on purchased devices as expected in the JSS. Since lookups are based on hardware only, this is useful for all system institutions.
Production service: https://nc.jamfcloud.com:443/
Test service: https://nccloudtest.jamfcloud.com:443/
UNC Wide Administrators: uswca@googlegroups.com
Slack @uswca