Jamf - Glossary of Terms


MDM

Mobile Device Management (MDM) is the administration of mobile devices (here, any iPhone, iPod Touch, iPad or Mac). MDM solutions are third-party products (such as Jamf) that provide management features for these devices.

DEP

Device Enrollment Program (DEP) is a program from Apple that allows organizations to link Apple devices to their MDM solutions.

VPP

Volume Purchase Program (VPP) is a program from Apple that allows organizations (education organizations and organizations with a DUNS number) to purchase apps on the iOS and Mac App Store using a centrally managed account.

APNs

The Apple Push Notification Service (APNs) is a service from Apple that forwards notifications from third-party applications to Apple devices. These include badges, sounds or custom text alerts. MDM commands are sent via APNs.

ASM

Apple School Manager is a simple, web-based portal for IT administrators that provides a fast, streamlined way for you to deploy Apple devices that your organization has purchased directly from Apple or from a participating Apple Authorized Reseller or carrier. You can automatically enroll devices in your mobile device management (MDM) solution without having to physically touch or prepare the devices before users get them.
https://support.apple.com/guide/apple-school-manager/welcome/web

MDM server in Apple School Manager

In Apple School Manager, a mobile device management (MDM) server is used to enroll/assign devices (Apple devices that your organization has purchased directly from Apple or from a participating Apple Authorized Reseller or carrier) automatically into Jamf without having to physically touch or prep the devices. With Jamf integration, you can further simplify the setup process for users by removing specific steps in Setup Assistant, so users are up and running quickly.

Server Token

A Server Token (.p7m) is used to authenticate MDM servers in Apple School Manager with Automated Device Enrollment settings created in Jamf.

Automated Device Enrollment

Enrollment is the process of adding computers and mobile devices to Jamf Pro. This establishes a connection between the computers and mobile devices and the Jamf Pro server. The Automated Device Enrollment settings allow you to integrate Jamf Pro with Automated Device Enrollment (formerly DEP). This is the first step to enrolling a device with Jamf Pro using a PreStage enrollment. After Jamf Pro is integrated with Automated Device Enrollment, you can use Jamf Pro to configure enrollment and device setup settings.

PreStage Enrollments

A PreStage enrollment allows you to create enrollment configurations and sync them to Apple. This enables you to enroll new computers with Jamf Pro, reducing the amount of time and interaction it takes to prepare computers for use.

User-Initiated Enrollment

You can allow users to enroll their own computers by having them log in to an enrollment portal where they follow the onscreen instructions to complete the enrollment process.

Sites

Sites are components that Jamf Pro administrators can create to determine which objects (for example, computers, mobile devices, or apps) Jamf Pro users can view and manage. Sites and the objects within sites do not have to be organized based on physical location.

Categories

Categories are organizational components that allow you to group policies, packages, scripts, and printers in Jamf Admin and Jamf Pro. You can also use categories to group policies, configuration profiles, apps, and books in Jamf Self Service. This makes these items easier to locate.

Self Service

Jamf Self Service for macOS allows users to browse and install configuration profiles, Mac App Store apps, and books. Users can also run policies and third-party software updates via patch policies, as well as access webpages using bookmarks.

Policies

Policies allow you to remotely automate common management tasks on managed computers. Using a policy, you can run scripts, manage accounts, and distribute software. When you create a policy, you specify the tasks you want to automate, how often it should run (“execution frequency”), when the policy should run (“trigger”), and the users and computers for which it should run (“scope”). You can also make policies available in Self Service for users to run on their computers as needed.

Configuration Profiles

Configuration profiles are XML files (.mobileconfig) that provide an easy way to define settings and restrictions for devices, computers, and users.
You can use Jamf Pro to create a configuration profile or you can upload a configuration profile that was created using third-party software, for example, Apple's Profile Manager or Apple Configurator.

Restricted Software

Restricted software allows you to prevent users or groups of users from accessing certain applications.

Smart Computer Groups

Jamf Pro allows you to create smart groups for managed computers, mobile devices, or users. You can create smart groups based on one or more inventory attributes.

Static Computer Groups

Static groups give you a way to organize computers, mobile devices, or users by assigning them to a group. These groups have fixed memberships that must be changed manually.

Introduction

Developer access to UT CMP is managed through Active Directory (AD) groups. If your department does not already have groups that you can use, your department will have to set up new AD groups as a prerequisite for signing up for the service.


Identify your Active Directory (AD) Department OU Owner

In order to create the required AD groups for authorization to UT CMP, you need to identify your Active Directory (AD) Department OU owner.

Only the AD Department OU owner can create new groups using the university's Group AD Tools.

Need help finding your AD Department OU owner?

  • Browse the AD tree to try to find your Department OU owner.
  • If you cannot find the owner, reach out to your department's Network Technical Support Contact (TSC) or Desktop Support Team.
  • If you are still unable to identify your Department OU owner, then you can reach out to the AD Service Team for help.

Browse the AD Tree

You can use a tool like ldapsearch or Apache Directory Studio to browse the tree to the security group locations and find your Department OU owner.

  • Reach out to your technical support or desktop support contact if you need help with these tools.

Understanding the AD Tree Structure

If you're interested in learning more: Active Directory extends, and provides variations on, the Lightweight Directory Access Protocol (LDAP).

Structure Component | Definition | Example + AD Tree

Department OU

Departments get an OU assigned to them in Active Directory. If your department doesn't have one, the AD team can make one.

OU stands for "Organizational Unit," basically a folder in the Active Directory tree.

e.g., OU=GRAD

OU=[DEPARTMENT OU],OU=Departments,DC=austin,DC=utexas,DC=edu

Note: DC stands for "domain component."

Owner Security Groups

Department OUs have Owner Security Groups; typically, IT directors or managers are the group members.

Owner security groups are stored as "CN," which stands for "common name," and have "-Owners" appended to the Department OU.

These owners can use the User AD Tools and Group AD Tools to make more owners/administrators/users, and to make groups.


e.g., CN=GRAD-Owners

CN=[DEPARTMENT OU]-Owners,OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu

Administrator Security Groups

Also stored as a "CN" but with "-Administrators" appended to the Department OU.

Administrator Security Groups have special privileges.

e.g., CN=GRAD-Administrators

CN=[Department OU]-Administrators,OU=[Department OU],OU=Departments,OU=Administrative,DC=austin,DC=utexas,DC=edu

Security Groups

Security groups are how users are assigned access to resources; in the case of UT CMP, developers who can access staging and production projects in Rancher and users who can access logs will be added to three specific groups.

e.g., CN=GRAD-CMP-Group-Managers, CN=GRAD-CMP-Developers-Staging, CN=GRAD-CMP-Developers-Production, CN=GRAD-CMP-UTSPLUNK

CN=[Group name],OU=[Department OU],OU=Managed,OU=Groups,DC=austin,DC=utexas,DC=edu
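
The DN patterns above can be turned into an ldapsearch lookup, as suggested under "Browse the AD Tree". The following is an added example, not the university's own tooling. The LDAP URI, the bind identity, the helper function names and the allowed character set for names are assumptions; only the DN templates come from this page.

```shell
#!/bin/sh
# Added example: DN templates are taken from the table above. The LDAP URI and
# bind identity are placeholders (assumptions), not values from this page.
BASE_DN='DC=austin,DC=utexas,DC=edu'
LDAP_URI='ldaps://ad.example.invalid'   # placeholder host
BIND_DN='your-account@example.invalid'  # placeholder bind identity

# Accept only plain OU/group tokens (assumed charset: letters, digits, "_", "-")
# so a mistyped or pasted value cannot change the structure of the DN.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# CN=[DEPARTMENT OU]-Owners,OU=Departments,OU=Administrative,<base>
owners_group_dn() {
    valid_name "$1" || return 1
    printf 'CN=%s-Owners,OU=Departments,OU=Administrative,%s\n' "$1" "$BASE_DN"
}

# CN=[Group name],OU=[Department OU],OU=Managed,OU=Groups,<base>
managed_group_dn() {
    valid_name "$1" && valid_name "$2" || return 1
    printf 'CN=%s,OU=%s,OU=Managed,OU=Groups,%s\n' "$2" "$1" "$BASE_DN"
}

# Read exactly one group entry (base scope) and print only its members.
list_members() {
    ldapsearch -LLL -x -H "$LDAP_URI" -D "$BIND_DN" -W \
        -b "$1" -s base '(objectClass=group)' member
}

# Usage: sh find-owner.sh GRAD   -> lists the members of CN=GRAD-Owners
if [ "$#" -ge 1 ]; then
    dn=$(owners_group_dn "$1") || { echo "invalid department OU: $1" >&2; exit 2; }
    list_members "$dn"
fi
```

Active Directory returns the member attribute of large groups in ranges (for example `member;range=0-1499`), so a long list may need follow-up queries for the remaining ranges.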