Changes made to Jamf Pro supported Apple Computers

When supported by Jamf Pro, computers will see changes to their applications, accounts, and settings. This article provides an overview of what changes to expect on a computer that is supported by Jamf Pro.

This article covers:

Changes made to all Jamf Pro supported devices

Applications

Default Applications

By default, Microsoft Office, Google Chrome, Mozilla Firefox, and Microsoft Endpoint Protection will be installed on new computers. Select applications (including those listed above) will be kept up to date through automated methods. For security reasons, Microsoft Endpoint Protection will be reinstalled automatically if it is removed. An exception process for automated updates is available for this offering. Please email [email protected] for details.

Self Service Applications

The Self Service application is the gateway to customizing a Macintosh workstation. Self Service can be found in the Applications folder on your computer. Check it frequently for new applications, self-support for common issues, links to websites and other helpful information.

Accounts

Jamf Pro Management Account

A management account called 'oit-ssh-admin' will be automatically created after enrolling with Jamf Pro. The password for this account is used only by Tier 2 and Tier 3 for background support purposes.

The security policy defined for IT staff using Jamf Pro prohibits them from remotely viewing your screen other than through Bomgar. All remote screen access will go through the Bomgar tool, which is only active on your computer when you've run the Bomgar client.

Departmental Admin Account (optional)

The user's computer support group may deploy a local administrative account for local support staff to use when troubleshooting reported issues. In the case of OIT supported units, this account is called 'oitadmin'.

Settings

Network Shares

Jamf Pro will deploy a configuration to help the Mac be a better network citizen.

Certificates

Various security certificates may be automatically installed, including the trust for University of Minnesota wireless networks.

Remote access

Jamf Pro uses SSH to securely run remote support tasks. Only management accounts are authorized to log in through this method and only when the computer is on the University of Minnesota network or while connected to the University's VPN.

Settings based on Data Security classification

Jamf Pro is used to manage a computer or device's security settings. Security settings are determined by the type of data or kinds of applications the device can access. There are three levels of security: Low, Medium and High. For detailed information, please visit the University's Data Security Classification Policy page.

High

To comply with University of Minnesota Information Security policy, the following changes will be deployed to the machine.

  • Screen sharing & Remote Management (ARD) will be disabled
  • Screen saver lock after 15 minutes
  • Password is required immediately after going to sleep or screen saver turns on
  • FileVault full-disk encryption is required
  • Administrator User Accounts will be converted to Standard User Accounts. This means you may not be able to "unlock" settings that require Administrator passwords. For example, global system settings may be locked in System Preferences
  • A secondary administrative account is not permitted

Medium

To comply with University of Minnesota Information Security policy, the following changes will be deployed to the machine.

  • Screen sharing & Remote Management (ARD) will be available at the end user's discretion
  • Screen saver lock after 15 minutes
  • Password is required immediately after going to sleep or screen saver turns on
  • FileVault full-disk encryption is enabled by default. The end user may disable it, but it is not recommended
  • Administrator accounts are allowed

Low

To comply with University of Minnesota Information Security policy, the following changes will be deployed to the machine.

  • Screen sharing & Remote Management (Apple Remote Desktop, ARD) will be available if the user chooses to enable it
  • FileVault full-disk encryption is recommended but not enforced