Changes made to Jamf Pro supported Apple Computers

When supported by Jamf Pro, computers will see changes to their applications, accounts, and settings. This article provides an overview of what changes to expect on a computer that is supported by Jamf Pro.

Changes made to all Jamf Pro supported devices

Applications

Default Applications

By default, Cisco Secure Client and Microsoft Endpoint Protection will be installed on new computers. Select applications will be kept up to date through automated methods. For security reasons, Microsoft Endpoint Protection will be reinstalled automatically if it is removed. An exception process for automated updates is available for this offering. Please email [email protected] for details.

Self Service Applications

The Self Service application is the gateway for customizing a macOS workstation. Self Service can be found in the Applications folder on your computer. Check it frequently for new applications, self-support for common issues, links to websites, and other helpful information.

Accounts

Jamf Pro Management Account

A management account called oit-ssh-admin will be automatically created after enrolling with Jamf Pro. The password for this account is used only by the Jamf Pro service itself.

The security policy defined for IT staff using Jamf Pro prohibits them from remotely viewing your screen other than through Bomgar. All remote screen access will go through the Bomgar tool, which is only active on your computer when you've run the Bomgar client.

Departmental Admin Account (optional)

The user's computer support group may deploy a local administrative account for local support staff to use when troubleshooting reported issues. For OIT supported units, this account is called uofmsupport.

Settings

Network Shares

Jamf Pro will deploy a configuration to help the Mac be a better network citizen.

Certificates

Various security certificates may be automatically installed, including the trust for University of Minnesota wireless networks.

Remote access

Jamf Pro uses SSH to securely run remote support tasks. Only management accounts are authorized to log in through this method and only when the computer is on the University of Minnesota network or while connected to the University's VPN.

Settings based on Data Security classification

Jamf Pro is used to manage a computer or device's security settings. Standard security settings are applied to all devices enrolled into Jamf Pro in compliance with University Information Security Standards. Additional security controls are deployed based on the type of data and use case of the device.

Standard

To comply with University of Minnesota Information Security policy, the following changes will be deployed to the device.

  • Screen sharing & Remote Management (ARD) will be disabled
  • A complex password with a minimum of 16 characters is required on macOS computers
  • Log-in and unlock screens will display user and password fields, not a list of available users
  • Screen saver lock after 30 minutes
    • A password is required immediately after the computer goes to sleep or the screen saver turns on
  • FileVault full-disk encryption is required
  • Administrator User Accounts will be converted to Standard User Accounts. This means you may not be able to "unlock" settings that require Administrator passwords. For example, global system settings may be locked in System Preferences
  • Administrative accounts are not permitted unless a University Information Security exception has been approved
  • Automatic installation of software and security updates is enforced

Health Care Component

The following settings will be deployed to devices within the University of Minnesota Health Care Component in addition to standard settings.

  • Software and services enabling the movement of data off the devices are limited
    • iCloud Drive access and related features are locked out
    • Third-party cloud storage software other than Box will be uninstalled
    • Apple AirDrop is disabled
    • Apple "Share To" services are limited to e-mail and your reading list
    • Apple Proximity sharing services are disabled

 

TDX ID
3821