Jamf at SoM FAQ
What is Jamf Pro?
Jamf Pro, developed by Jamf, is a comprehensive management system for Apple macOS computers and iOS devices. With Jamf Pro, TDS and University IT Technicians proactively manage the entire lifecycle of all Apple devices. This includes deploying and maintaining software, responding to security threats, distributing settings, and analyzing inventory data.
If you would like to learn more about Jamf Pro, please visit http://www.jamf.com
Who is TDS?
Technology & Digital Solutions (TDS) is the team formed when SoM IRT was unified with Stanford Health Care's IT department. We provide computing support for SHC and SoM users.
Why is Jamf Pro being installed?
Jamf Pro was chosen by the University to replace BigFix on all University and School of Medicine Macs. Stanford University has been using IBM BigFix to deploy patches and updates to Windows and MacOS computers for many years. BigFix is administered by the Information Security Office in collaboration with IT organizations across the University. Due to changes in the MacOS architecture, BigFix is no longer able to perform the tasks needed by Stanford University and the School of Medicine. Jamf will be administered by the same Stanford teams administering BigFix.
We will be deploying Jamf Pro across the School of Medicine. Initially Jamf Pro and BigFix will both be on the machines. Jamf Pro will be used for patching, software deployment, and self-service application installation/configuration. BigFix will be used for reporting purposes until Jamf Pro is fully integrated with compliance reporting.
What are the benefits of Jamf Pro?
Reliability: Your Mac will quickly receive software updates and patches with little to no interaction on your part.
Time Efficiency: You will stay more productive as deployment and updating processes run in the background, freeing up more time for teaching and research.
Security & Compliance: TDS will manage the security of your device so you don't have to, ensuring that software patches, antivirus protection, firewalls, and compliance with Stanford University minimum security standards are well maintained.
Confidentiality: Your data and files will remain confidential; no personal data is scanned, indexed, or transmitted off your device. UIT servers also keep full audit logs of any actions performed by TDS and University IT. Adherence to the privacy policy as defined in admin guide 6.1.1 will be maintained at all times.
How does Jamf Pro work?
Jamf Pro consists of a management server cluster, known as the JAMF Software Server (JSS), a small software utility known as an "agent" on enrolled macOS computers, and a Mobile Device Management (MDM) profile on enrolled macOS and iOS devices.
The agent on a macOS client checks in with the JSS at computer start up and every 15 minutes thereafter, consuming 2KB of network traffic, 4MB Real Memory, and 0.10% CPU. In addition, computer inventory is uploaded to the JSS once a day, causing less than 200KB of network traffic, 8MB Real Memory, and 3.74% CPU. On average the inventory process takes 30 seconds to complete.
All client/server communication is encrypted by a certificate pair configured when the agent/profile is installed.
What information does Jamf Pro collect?
The University IT implementation of Jamf Pro has been customized to collect only the data needed to support macOS computers and iOS devices. This information includes:
Hardware Specifications
Installed Applications
Services Running
Available Software Updates
Compliance Status
Connected Peripheral Devices
No personal information is collected, such as the contents or names of personal files (documents, email, etc.,) or browsing history.
This data will be used to:
Confirm current device ownership
Verify machines physical location
Confirm device enrollment information
How will Jamf Pro be used?
TDS will manage the security of your device so you don't have to, ensuring that software patches, antivirus protection, firewalls, and compliance with Stanford University minimum security standards are well maintained.
OS upgrades
Verification/maintenance of compliance with School of Medicine and University IT security policy
Application Actions (Installations, Removal, Updates):
Stanford required software
Anti-virus (Currently this is ESET, in the future this will be Crowdstrike)
BigFix (Removed upon leaving the University)
Others as needed
Stanford provided software
Office
Code42/Crashplan (Backup)
Others as needed
Department specific software
As Requested
How is the Jamf Pro agent installed?
TDS will enroll your device remotely or by sending you an invitation by email. A manual user approval component will be required in either case.
What devices does Jamf Pro support?
UIT’s Jamf Pro will support macOS X 10.13 and above.
What changes does Jamf Pro make to a Mac?
A service account will be created on the Mac with administrative privileges to carry out tasks from the JSS. This account is hidden from the general user interface and no human knows the password to this account. The service account password is maintained and randomized by the JSS at regular intervals. SSH will be turned on and access will be restricted to the service account.
For OS X 10.13 and later, a Mobile Device Management (MDM) profile will be installed. This profile allows Jamf Pro administrators to remotely configure settings on the Mac. Basic security settings will be set at enrollment to ensure compliance with Stanford University and School of Medicine policies.
At some point in the future, Jamf self-service will be deployed. This will allow for content such as software, printers, maintenance tasks, links, and other documentation to be available to users.
How will software be installed on my computer?
TDS may push software as required for compliance or as requested by the user.
Who has access to my computer?
TDS has the ability to manage your macOS with Jamf Pro.
Will I still have administrative access to my Mac?
There will be no automatic changes to the privileges of your device.
What policies are enforced?
Jamf Pro will be used in conjunction with BigFix to report on and correct issues affecting compliance with University requirements. Adherence to the privacy policy as defined in admin guide 6.1.1 will be maintained at all times.
How do I update my Data and Device Attestation and how often do I need to do so?
The Data and Device Attestation can be found here: https://amie.stanford.edu/attestation and is required to be completed once per year, and whenever there is a change in device counts.
How can I check my current compliance status?
For users attesting to high-risk data, compliance status is found on AMIE (https://amie.stanford.edu/datasecurity/amie/). For low-risk data users, compliance status is found on MyDevices (https://mydevices.stanford.edu).
More information regarding device compliance can be found here: https://uit.stanford.edu/guide/encrypt/faq
How can I get a compliance exception?
If your computer cannot meet compliance requirements you will need to have an exception granted. Exceptions can be requested at https://uit.stanford.edu/security/exception#endpoints.