Part 1: Jamf Connect just became much easier to deploy in Jamf School

In this blog, learn about the new feature in Jamf School to help EDU-centric administrators develop seamless, streamlined onboarding workflows.

January 27 2025 by

Anthony Darlow

Students learning sooner because Jamf School manages their MacBooks, delivering ready-to-use devices quickly.

Admins who manage devices through Jamf School will be familiar with two things: simplicity and rich, powerful features. When it comes to macOS, most admins want a robust onboarding experience that is as simple for the student or teacher as it is hands-off for them. In the real world, zero-touch looks something like:

"I want to hand the student/teacher a new Mac, where that person will log in with their cloud-based account and everything will just be ready. We need this all to happen in the simplest way possible."

However, when an admin was also deploying Jamf Connect, the simplicity that Jamf School is known for wasn't quite there. The admin either had to build overly complex and delicate flows in Jamf School in an attempt to deploy Jamf Connect as early as possible in the onboarding process, or just let the install happen when it happens. As a result, the end-user experience would be one of the following:

A. Build an overly complex and delicate workflow

The end user would enroll the device and arrive at the default Mac login window. This login window would show an admin account and a password box. Upon entering their credentials, the user would quickly realize that it doesn't work. After some time (up to a sixty-second delay), the default login window would be replaced with the Jamf Connect login window. Once this happens, the user will be prompted to log in with their IdP account, where the home folder would be created after successful authentication, allowing them to use their Mac.

Example of Jamf Connect login Window when configured with Entra

B. Let the install happen when it happens

The end user would enroll the device and, like above, arrive at the default login window. As before, this login window would prompt the user to log in, but because Jamf Connect has not been installed yet, authentication will not be successful. Unlike before, the wait for the Jamf Connect-enabled login window to load may be considerably longer.

"How long?" Well, that depends on which apps the admin is deploying and how many there are in total. Without the 'complex' workflow, Jamf Connect gets added to the list of apps to be installed, and its position in that list isn't prioritized. For example, if the admin deploys ten apps, Jamf Connect might be sixth in line. This means the device will install at least the first three apps before it kicks off Jamf Connect. Now, let's suppose the first three apps are part of Office 365 or Logic — in other words, apps that are relatively large. Even with fast download speeds, this could take 5-10 minutes. That's 5-10 minutes where the user can only stare at the login screen — they can't log in, which means no studying, working on classwork or teaching a lesson.

As you can see, both workflows install Jamf Connect, which is ultimately the admin's goal. And if the admin is tasked with configuring a lab, one could argue that wait times are irrelevant. However, when deploying teacher or student-facing devices, this inability to log in will likely result in a ticket to the support desk. After all, if the end user can't use their Mac to teach or learn, well, then it must be an IT problem, right?

Enter Automated Device Enrollment Packages and Profiles

With Automated Device Enrollment (ADE) Packages and Profiles, admins can choose apps and profiles to install on the device before it's released from the Remote Management screen.

Remote Management screen during ADE

This results in a user experience whereby the user no longer sees the default login window at all, since Jamf Connect is already there. They can immediately log in with their cloud-based identity accounts to start using their device right away. 

How do ADE Packages and Profiles work?

When enrolling a device through ADE, the device is automatically added to Jamf School. Many will have experienced the typical enrollment workflow:

  1. Choose your language.
  2. Connect to Wi-Fi.
  3. Enroll the device at the Remote Management screen.

Remote Management Enrolment Commands

You may have noticed that during the time spent on the Remote Management window, several lines of text process very quickly. As part of the MDM framework, during this enrollment process, MDM vendors can send management commands to the device prior to releasing the user from this window. Typically, these commands collect information about the device to display in the console or deliver configurations that allow preferences for certain apps to run, including installing or trusting certificates for running MDM processes.

Once these essential items are configured, the device is released from the Remote Management screen using the DeviceConfigured command. After this, the device continues communicating with Jamf School to install any configuration profiles, apps and/or management settings that are scoped to it.

When an admin adds a package or profile to be installed as part of an Automated Device Enrollment, the commands are added to the initial commands executed during the Remote Management phase of the Setup Assistant before the DeviceConfigured command is sent.

Example of a command to install an ADE package in the Remote Management window 

This means that packages and profiles are delivered and processed by the device before any other scoped apps or configuration profiles, resulting in them being ready to go as soon as the device is enrolled (there are a few caveats to this statement that we will discuss later).

Adding Packages and Profiles to ADE

Packages and profiles can be added to new or existing ADE profiles. Packages and profiles that you want to add to your ADE profile need to be added to the MDM before creating the ADE profile.

How to create a new ADE profile in Jamf School

  • Navigate to Profiles > Automated Device Enrolment Profiles
  • Click + macOS to create a new macOS enrollment
  • Configure all enrollment options as required. We recommend that you:
    • Ensure Wait for the configuration to be applied before continuing the Setup Assistant is checked (this is checked by default)
    • Uncheck Prompt user to create an account of type
    • Check Create a managed macOS Administrator account and configure accordingly
  • Scroll to the bottom of the window to find the Profiles and packages section
    • Click Add+ and choose the correct packages via the drop-down menu
    • Click Add+ and choose the correct profiles via the drop-down menu
  • Click Save to continue

Once the ADE profile is saved, you can check the configuration and add/remove any profiles or packages by navigating to the Profiles and packages tab. You can add profiles and packages to existing ADE profiles in this way.

Profiles and packages tab in an ADE profile

More details on configuring packages and profiles for use with Jamf Connect can be found in the Jamf School Documentation.

Additional things admins need to know

The sections below include information that is useful for admins getting started with ADE.

Package and Profile Limits

Both profiles and packages are limited to five slots. This should be enough to add all the Jamf Connect items to the ADE profile including:

  • Jamf Connect PKG, Launch Agent PKG and a branding PKG, including images for a customized look
  • Jamf Connect Login Profile, Jamf Connect Menu Profile and a Jamf Connect License file

Below is an example. Your configuration may include more (or fewer) items depending on your Jamf Connect configuration needs.

Jamf School will warn admins when they've reached the five item limit

ADE Profiles must be scoped to a device group

The profiles that an admin installs through the ADE profile must also be scoped to another group that the device belongs to in order to remain on the device after enrollment. With Jamf Connect, this is very important, as the configuration needs to persist on the device throughout its lifetime in order for Jamf Connect to continue to work.

What happens if admins do not also scope the profiles to a device group?

They will appear to install via ADE during the Remote Management phase, then quickly be removed as they are not in scope for the device. This removal happens quickly, well before the user arrives at the Jamf Connect login window, which results in a message to the user that they must reach out to their admin for support.

Note: This only applies to profiles. Due to the nature of package installations on macOS, MDM has no mechanism to uninstall applications installed via a package.

Packages containing apps are not labeled as managed

Due to the mechanism used to install packages during ADE, any resulting app installations are not shown as a managed app within a device record. They will be found in the User Installed Apps section, which means they will be listed along with other system apps. To find a chosen app, admins will need to search the list since they are not shown as a managed app. Of additional importance, admins will not be able to use the Reinstall option in the console on affected apps.

App installed via ADE package listed under user installed apps in the device record

Pro Tip: If an admin needs an app installed via ADE package to show in the managed app section of the device record, they should scope the app to the device via a regular device group as well as adding it as an ADE package.

Keeping things up-to-date

A package that an admin deploys via ADE may include many payloads, not just applications. For example, the package may instead include images displayed on the Jamf Connect window to customize the branding and experience for the user. If these images need updating, the admin will need to re-package these assets and upload the package to Jamf School. This updated version would then be deployed the next time a device goes through the onboarding experience.

For times when these assets need updating without being onboarded once again, the admin will need to also scope the updated package to the required device(s). Updating the package used in the ADE profile means that new devices will always get the latest version.

If the ADE package results in an app installation, it's important we follow a similar process, remembering to update the ADE package to the latest version, as well as deploying the update to existing managed devices.

With Jamf Connect in mind, it's considered a best practice to add the latest version of the app from the admin's Jamf Account to use in the ADE package. Keeping this up-to-date with each version release ensures that any new devices always start with the latest version. Keeping Jamf Connect up-to-date throughout the life of the device is also a security best practice. Although admins can take the same approach as with an asset package above, there is a simpler "set and forget" option available.

Automating Jamf Connect updates with App Installers

Jamf School makes use of App Installers, which are designed to keep apps from the curated app catalogue updated automatically. An admin can simply deploy Jamf Connect through an ADE package as mentioned above to ensure it's initially installed at enrollment, then scope the App Installer version to those same devices to automatically keep the app up-to-date during its lifecycle.

Using App Installers to keep Jamf Connect up to date throughout its lifecycle

This also acts as an added "safety rail": if admins forget to update the ADE package for one version, App Installers will automatically update Jamf Connect to the latest version after the initial enrollment installation. However, as mentioned prior, it is highly recommended to keep the ADE package up-to-date with the latest version as a proactive best practice instead of reactively relying on just App Installers to perform the heavy lifting after the fact. Think of it as two solutions being better than one.

Installation: command vs action

Throughout this article, we've explained that packages and profiles are installed at enrollment and prior to being released from the Remote Management screen. Although this is broadly true, it's not 100% accurate. The Installation command is delivered to the device during the Remote Management phase, which is way before any other commands are sent to the device. However, there are no checks in place to confirm that the package, and/or any resulting items, are actually installed successfully.

Packages in Jamf School are delivered by the MDM framework. The command simply tells the device it needs to download a package from a certain location, in our case the Jamf School repository. Once the device receives the command, it replies to Jamf School with an acknowledgement that it will indeed go to that location and download the package. Through the MDM framework, there is no way to query the device to find out if the download is successful or if the package installation was successful. I talk about this process and some troubleshooting steps in this App Installers blog.

It is worth noting that even if there was a way to check the success of the package installation, this may negatively impact the user experience. Keeping users at the Remote Management screen for an extended period, particularly if it doesn't appear that anything is progressing, will likely result in users rebooting machines or creating tickets that aren't necessary. Consider for a moment, what if we were to find an error in the download or installation at this point? What are our options? Do we try again? Chances are, whatever the reason it didn't install the first time is going to be the reason it doesn't work a second time. It may be much better for all parties involved to "fail gracefully" than to try to reinvent the wheel, as it were.

Use ADE packages and profiles correctly

Specifically with the last point in mind, when building a workflow with ADE packages, the admin must use this tool in the correct way. As the saying by Sherrilyn Kenyon goes, "Just because you can, doesn't mean that you should." ADE packages should be reserved for critical items needed for the next step in the onboarding workflow, and they should be lightweight enough that they install fast and before the device is released from the Remote Management screen.

Put plainly, ADE packages are not designed to install the entire app requirement for that device and should be used accordingly to optimize the onboarding experience for all stakeholders. Take, for example, Microsoft Word. What benefit does that bring to the onboarding workflow at the device enrollment stage? Remember that there are no checks for the installation of apps during Remote Management: the user isn't held there until the app is installed, just while the device receives the command to install it.

The packages used here, regardless of their payload, should be small and install fast. They should be essential to the workflow at this stage. Jamf Connect is a great example of an essential item because it's a small application. Also, it's required to be installed before arriving at the login window, so prioritizing it before anything else makes sense.

Note: There will be admins out there itching to add packages in all five slots, some of them even with multiple apps...in doing so, your future self will not be thanking your current self. Take heed in the words of Winston Churchill, "Where there is great power, there is great responsibility."
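
The caveats above (five slots each, profiles that must also be scoped to a device group, apps that are not listed as managed, and packages that should stay small) can be checked before a device ever enrolls. The following is an added example, not Jamf code: the dictionary layout, the sample names and sizes, and the 100 MB threshold are assumptions made for illustration, not a Jamf School API or export format.

```python
# Added example: pre-flight lint for a planned ADE profile, applying the
# caveats from this article. The dict layout is hypothetical; it is not a
# Jamf School API or export format.
MAX_SLOTS = 5  # article: packages and profiles are limited to five slots each

def lint_ade_profile(ade, group_scope, max_pkg_mb=100):
    """Return (severity, message) findings for one planned ADE profile.

    ade         -- {"packages": [{"name", "size_mb", "installs_app"}],
                    "profiles": [profile names]}
    group_scope -- {"profiles": set, "apps": set}: items also scoped to a
                   device group the device belongs to
    max_pkg_mb  -- assumed threshold; the article only says "small"
    """
    findings = []
    for kind in ("packages", "profiles"):
        if len(ade[kind]) > MAX_SLOTS:
            findings.append(("error", f"{len(ade[kind])} {kind}: over the {MAX_SLOTS}-slot limit"))
    # ADE-installed profiles are removed right after enrollment unless they
    # are also in scope through a device group.
    for name in ade["profiles"]:
        if name not in group_scope["profiles"]:
            findings.append(("error", f"profile '{name}' has no device-group scope and will be removed after enrollment"))
    for pkg in ade["packages"]:
        # Only the install command is delivered before DeviceConfigured;
        # a large package may still be downloading at the login window.
        if pkg["size_mb"] > max_pkg_mb:
            findings.append(("warn", f"package '{pkg['name']}' ({pkg['size_mb']} MB) may not finish installing before release"))
        # Apps from ADE packages are not shown as managed apps.
        if pkg["installs_app"] and pkg["name"] not in group_scope["apps"]:
            findings.append(("info", f"'{pkg['name']}' will appear under User Installed Apps without Reinstall"))
    return findings

# Constructed sample plan: sizes and names are illustrative.
PLAN = {
    "packages": [
        {"name": "Jamf Connect", "size_mb": 25, "installs_app": True},
        {"name": "Jamf Connect Launch Agent", "size_mb": 1, "installs_app": False},
        {"name": "Branding assets", "size_mb": 8, "installs_app": False},
        {"name": "Microsoft Word", "size_mb": 1100, "installs_app": True},
    ],
    "profiles": ["Jamf Connect Login", "Jamf Connect Menu", "Jamf Connect License"],
}
SCOPE = {"profiles": {"Jamf Connect Menu", "Jamf Connect License"},
         "apps": {"Jamf Connect"}}

if __name__ == "__main__":
    for severity, message in lint_ade_profile(PLAN, SCOPE):
        print(f"{severity.upper():5} {message}")
```

On the sample plan, the unscoped login profile is the finding that matters most: it is the one that leaves the user at a Jamf Connect window telling them to contact their admin.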

Automated device packages and profiles

This new Jamf School release is a win for any admin that is managing macOS. The ability to deploy Jamf Connect in such a robust way really does simplify the onboarding experience for users by not having to wait around for things to happen. Now the user can take the device out of the box, connect to Wi-Fi and log onto their device with the IdP credentials that they sign on to pretty much anything else with. The device is ready to go...or is it?

Once the user logs in, are all of the apps they need ready? Did the admin push a dock profile that is full of question marks since apps are missing or still downloading? How does the user know that this is the case?

So far we've looked at the power of ADE packages, how to configure them and useful things admins need to know, all with a view to installing Jamf Connect. But as the name ADE packages suggests, this is not only a Jamf Connect installation method; there are other tools that are just as valuable to install at this stage. These tools take the onboarding experience we have looked into today and dial it up to eleven.

In the second part, we will look at the tool Jamf Setup Manager and how to deploy this through the ADE packages to create a seamless onboarding experience for the end user.
