Видео

Another great video! Definitely going to share this one out. Hope your clothes came out dry!

Thank you for doing this investigation; it would be interesting to have a periodic follow up in which the feature gaps between Jamf Pro and Intune are re-evaluated as both products improve. I was considering performing an investigation like this - but between my limited time and not needing to reinvent the wheel by doing what you've already done, I can focus on winning the argument to keep an Apple specific device management platform in my organization.

Thank you Graham for creating this script! I stumbled onto it a few years back and it has been invaluable when managing my small fleet.

Thanks for this tutorial, allot of it makes sense, i found this because we have global users who sometimes have to procure their own devices, can you tell me if by doing this process, this will add the device in this case a macbook to ABM so in the future it will be able to utilize ADE?

Looking for the talk about the SCEP and ADCS certification audit and reissues to the mac device like expired and reissue and how to audit and fix the missing certificate ecttt

Account-Driven Enrollment for prez 2028!!!

That was a well put together video, well done. I was wondering if you'd be able to help me out before I create a case with Jamf? I posted on the Jamf Nation community that I had to re-imaged my computer labs from Monterey to Sonoma. I tried to login to one of my laptops this week and found it wasn't accepting my local account admin password. I tried on another laptop and no dice. I did some research and came across LAPS and a guy from Jamf Nation believes this is the case. I noticed that you need Ventura and up for it to work so by upgrading it is now in effect. Here is the kicker, I never turned it on. I checked my jamfinstance/api an under PUT /v2, local-admin-password/settings. autoDeployEnabled is set to false and autoRotateEnabled: false. I also checked Settings:Computer Management: Security and Enable LAPS for PreStage accounts is NOT selected. Yet when I go to a computer Inventory: Local Users Accounts I see View under Password. My account was created in PreStage I noticed yours was with Jamf Binary. The guy on Jamf Nation suggested I erase and re-install. Like you said, yea that's not going to happen. But even if I did, I think LAPS would still affect them. My question is, where else would it be enabled? I want to turn it off. Thanks!

Too bad its available only for cloud members. For others, Installomator is taking care of the job

Make a video zero touch deployment on windows environement

What is better for MacBook and Iphone management. WorkSpaceOne or Jamf ?

Good info to see it all together. Title is a little misleading in that Jamf also can manage mobile devices, Apple TV, Vision Pro (which is addressed in the video intro). I know the video would be longer, but in the spirit of completeness... it may be also good to compare mobile device management between the two; I don't think Intune can handle AppleTV and Vision Pro yet, even though AppleTV has been out there for a while.

Thank you guys missed JNUC but i love you videos. Want to join the meetups in the future . Is there a way to do it?

Great job Chris, thankyou

Hey Chris. Thanks for sharing this. Just one question if i want to re enable users to install sequoia then how do i do that?

Would love to "up" my certification

Just tested this, did not work as it is showing in Software Update with only major updates selected. Will have to make sure to add restriction in the sidebar setting to stop the installer app

Nice old school JAMF shirt....I think I still have one

Use Safe Practices! Supply chain attacks have happened to even the most security-conscious organizations. Caution should be exercised when using this app just as with any content sourced from the internet. Be aware that this application incorporates content from a number of Jamf and non-Jamf sources. Initial implementation of a new process in a test environment improves the chances you’ll catch problems before they can effect something important. Always do a careful inspection of any content uploaded to Jamf Pro before scoping it to user devices to make sure you fully understand what it’s doing. Deploy and test new content gradually, initially scoping it to a small number of non-production test devices, then expanding the scope over time to increasingly larger groups of user devices.

Awesome giveaway!

if you already had a profile that does this, I think you have to remove it first, and then reapply. the timer is one time use (according to jamf) so you have to reset the clock by removing it. Its not perpetual.

In case anyone slips in, Ive already observed Sequoia breaks wifi / radius auth via eap-ms-chap

I had stopped using the Restricted Software record for the past few years because is seemed to stop working. Thankfully, I'm seeing reports on Reddit that it's working for some environments now, so I've added it back. Strangely, we had switched to using a Config Profile with "major updates" deferred for 90 days, but already have about 20 computers that slipped through the cracks. Very frustrating.

We have both the configuration profile and restricted software block in place. For the config profile, our previous engineer set the Defer Updates field to "All software, applications and non-OS updates" for 7 days, with the "Include major software updates" checked with a delay of 90 days. We are less concerned about point updates or other software than we are with macOS upgrades. The only difference I can see between selecting "All software, applications and non-OS updates" vs "Software updates" in the drop-down menu is that the latter lacks the "Set different delay for minor software updates" checkbox. We also include the Software Update payload in the same config profile, enabling everything except macOS beta installs and administrator user only installs. Overall, both the config profile and the restriction block seem to work just fine as-is for us. Even after 90 days, presumably the Restricted Software block should continue to block the Sequoia installer, even though the System Settings app will show the upgrade badge and show the Sequoia entry in Software Update.

Just adding the majorOS block did work for us and as a back up we added the restriction payload as well.

Thanks Chris!

thanks, great guide

Graham thank you for keeping this open source!

When I run the scripts, I end up with 30 failing tests for CIS Level 1. Are they not supposed to fix all of those?

Guess I have not heard anyone choose Intune because it is a good product - they choose intune because it is "free" and part of their MS license already. Price is of course an important indicator - but in larger Mac enviroments, Intune would is really a struggle. If you have few mac´s then Intune could work I guess

Intune enrollment with Mac is a nightmare. many prompts and also different behavior depending on default browser used on client. Often devices suddenly are "kicked" off intune as there is no connection - so conditional access fail, as device no longer are registered - and then need to delete intune entry - and do new registration.

How is Conditional Access a "Legacy feature"?....😖

How did you create an apple business manager / school account? also how did you verify your business, please guide

Highly biased, natural for a Jamf integrator. :D Intune dont have beatiful screens or ready-to-use settings such Jamf.

Is JAMF more Mac-centric, sure. But a few of the noted "can't dos" just aren't true. You CAN: manage the dock. Disable activation lock. If it is enabled, you have recovery passwords auto-generated for each device record. Haven't had a problem with FileVault, but we might just be lucky. We use mostly Intune for the very reasons you list, but are managing several hundred Macs with them. Long before MDM, we used Munki and it definitely takes a lot of Intune's shortcomings away. I doubt we could manage Macs with Intune alone without it.

Hugely biased comparison of not much use sadly

Great info and huge thanks for compiling all this and presenting to the community, well done 🎉🎉

Any way to get this presentation, may be only as "read only". Thank you.

When it comes to Jamf Connect you should have taken a look into Microsoft Platform SSO that is already available. As you've mentioned User Affinity can't be compared to Jamf Connect. Regarding Zero Touch Provisioning: I recommend taking a look into Baseline in combination with Installomator. That's working well for me enrolling devices via Intune.

Love the channel and info, but do not underestimate the need for quality audio. Don't think AirPods Pro are gonna cut it. A professional mic definitely when making these videos.

We appreciate your time and efforts to show how Intune is still far behind from Jamf

Man if you are coming from Jamf(like me) Intune totally sucks

At 00:28:54 I talk about the Device Check-in Frequency. Since I created this video, I've gotten several people claiming different things about Intune's check-in frequency. Some people say 8 hours, others say 24 hours, and still others say 5 minutes. An Intune SME who worked for Microsoft told me if they made a change to a profile, their standard procedure was to have them check the computer the next day. In my experience, the wait time for a change to happen was often longer than I was willing to wait, so I would plug the computer in and wait a day for the change to apply, or restart the computer which would sometimes work (but not all the time).

Very informative 👍

Really hope that macOS SU will be adressed. Running Macs without being to enforce software updates is a real pain and shame.

Love the excel tip, but the real pro tip is the comma separated searching... I'd tried doing space separated searches (ala Apple Business Manager) to no avail and assumed this wasn't possible. Never tried commas! Great tip!