Apple Device Management
iPhones, iPads and Macs have a built-in framework that supports mobile device management (MDM). You can find furter information from Apple's support web pages, introduction to mobile device management.
MDM lets you securely and wirelessly configure devices by sending profiles and commands to the device. MDM capabilities include updating software and device settings, monitoring compliance with organisational policies, and remotely wiping or locking devices. College-owned Mac devices are enrolled in MDM automatically using Apple School Manager.
Imperial College London uses Jamf Pro as their MDM provider.
You can watch our video below to show you how to setup your College Mac device and visit our JAMF frequently asked questions for further information and support.
How to set up your College-owned Mac
What is JAMF Pro?
JAMF is the leading Apple (macOS and iOS) device management platform, allowing for simple and efficient administration of all Apple devices.
JAMF offers the following functionality:
- Apple Deployment and Management
- System Security and Software Updates
- Software distribution and Application Management
- System Administration and Inventory
Can I create a local account?
The account that you use to log in is a local admin account, based on your Imperial College London credentials. If you wish to change the mac to a ‘multi-user’ device please contact the ICT Service Desk who will be able to help.
All accounts on the Mac must use Imperial College London credentials and collaborators should be given guest accounts so transparency and visibility of users on the Mac remain.
Why is JAMF Pro being installed?
The number of attacks on organisations has grown in the past few years and ransomware attacks/virus infections now present one of the biggest risks to the university. As a result, ICT is working on reducing the likelihood that this type of attack against Imperial would succeed. A significant part of this work is improving our understanding of the risks that we face. By managing Imperial endpoints we are able to understand the risk they present to the organisation:
- Has security been installed?
- Is antivirus software running?
- Are the security definitions up to date?
Having managed machines and up-to-date security patches are also a requirement of Cyber Essentials which the College is trying to obtain. If the College does not have this certification, the University’s ability to get funding might be impacted.
What are the benefits of JAMF Pro?
Reliability: Your Mac will quickly receive software updates and patches with little to no interaction on your part.
Time Efficiency: You will stay more productive as deployment and updating processes run in the background, freeing up more time for teaching and research.
Security & Compliance: ICT will manage the security of your device so you don't have to, ensuring that software patches, antivirus protection, firewalls, and compliance with Imperial College London’s minimum security standards are well maintained.
Confidentiality: Your data and files will remain confidential; no personal data is scanned, indexed, or transmitted off your device. ICT servers also keep full audit logs of any actions performed by technicians.
What information does JAMF Pro collect?
We have customized JAMF to only collect the data that is required to support macOS devices. This includes:
- Hardware Specifications
- Installed Applications and Usage
- Services Running
- Available Software Updates
- Local User Accounts
- Security Status (Firewall, SSH, etc)
- Connected Printers
We do not collect any personal information, such as the contents or names of personal files (documents, email, pictures, browsing history, etc) and are fully GDPR compliant.
What changes does JAMF Pro make to my Mac?
A Mobile Device Management (MDM) profile is installed. This profile allows JAMF Pro administrators to remotely configure settings on the Mac. Basic security settings will be set at enrollment to ensure compliance with Imperial College London policies.
An application called Self-Service is installed. This allows for content such as software, printers, maintenance tasks, links, and other documentation to be available. If a department has software that they wish to make available through Self Service they should submit a Service Desk ticket.
An application called JAMF Connect is installed. This allows syncing of your Imperial College London account password with the password on the Mac.
Will I still have admin rights to my Mac?
The person setting up the Mac is given admin rights. This allows installing/uninstalling of applications as well as configuration changes and macOS updates.
How do I install unknown or unsigned applications?
Since macOS 10.15 Catalina, all software installed on macOS needs to be both signed by the developer and notarised by Apple. Read more about this on the Apple web pages.
ICT enforce these settings using MDM. If you wish to install any applications which are not signed and notarised by Apple you can submit a Service Desk ticket for a security exception.
Once the security exception is granted and you have accepted the risk you will be able to override gatekeeper and install any unsigned or unknown applications you wish. This is a one-time process (per machine) so there is no need to apply every time after this.
Can I use Migration Assistant?
For usual scenarios, it is recommended to store files in OneDrive, which has the benefits of being able to be accessed from any machine.
And for Research Data it is recommended to use the Research Data Store.
For applications, it is recommended to freshly install any needed on the new mac. A number of applications can be found in the Self Service app (which can be found in the Applications folder). If your department has applications that you would like served through Self Service please contact the Service Desk.
If it is important for your work that you use Migration Assistant to transfer data from an old mac, you may do so providing the new mac has been updated to macOS Ventura (13).
Can I use Time Machine?
Time machine is a great tool for home use scenarios and although we do not restrict its use it is not supported for College work or by ICT. For files and data, it is recommended to use OneDrive or the Research Data store service. If you wish to restore data from an old mac to a new one please make sure the new mac is updated to macOS Ventura (13) ahead of restoring.