Large school district best practices?

m_donovan
Contributor III

We are a large school district and have been using Jamf for about 3 years now. We have approximately 36K devices across the district. With 52 different sites and site admins our smart groups and policies get bloated quickly. I would be interested in finding out how others are using sites to see if there is a more efficient way than how we are currently using them.

6 REPLIES

jrwilcox
Contributor

We are roughly the same size district as you. We have found that you must really think hard about adding additional smart groups. You must also be careful about LDAP queries. Too many of either one can bring the servers to a grinding halt.

rcram
New Contributor

I manage around 42K computers and 12K mobile devices across my district. We sidestepped the sites/site admin issue by having me run development, testing and deployment of all policies and smart groups. Maybe not a viable answer for your environment, but it cuts down on our bloat.

Depending on your situation, you could constrain creation and editing of policies to yourself or a few particularly mindful technicians and use your site admins to control the targeting and scoping of the policies you create. You could do something similar in regard to smart groups and just let your site admins have full control of searches. Then they could still get relevant information about their site, could flag potential issues for smart group creation by someone else, and they wouldn't directly contribute to potentially database-killing smart groups.

Smart group construction definitely requires forethought with that number of devices. I have found that running smart groups with criteria sourced from other smart groups is a recipe for disaster. In addition, frequent use of Spruce to cull useless policies and groups has helped ameliorate the worst database issues we were having.

gabester
Contributor III

@rcram I hadn't heard of Spruce - I assume you mean this: https://github.com/sheagcraig/Spruce - Thanks for bringing that up!

@m.donovan I don't think you'll find BEST practices so much as recommendations on GOOD practices; but these are going to vary somewhat from environment to environment. For example, one major urban district has practically zero accountability at the site level and practically zero resources centrally, so very little gets delegated and only the bare minimum is managed from the top down.

You'll find automation and leveraging integration capabilities are amongst your greatest value propositions, so learn that API, integrate with AD if you're managing Windows, consider the SCCM reporting plugin. I'd come up with a scheme to use the API from PowerShell to periodically query AD to determine who should be admin of a given site and delegate control to those users, but our environment had a technical challenge that prevented this from working correctly.

Obviously other essentials - at that size, you need to build out your infrastructure to scale; hopefully you've got load balancing going on for the servers and the DB being run off a separate cluster. Or if your district can tolerate the lack of control and FERPA risks, put it on JAMF's cloud and take away all that worry!

kisdtech
New Contributor

@jrwilcox @rcram @Sterritt quick question, I work in a district roughly the same size and our JSS server has been broken for weeks. We were told that everyone who has updated to the newest server software is having similar issues. Here is what we are experiencing:
- Server is slow to respond and becomes overloaded very quickly
- Unable to image computers
- Unable to enroll new clients in JSS
- Unable to push / create policies
Our server admin spends most of his days on the phone with JAMF trying to correct the issues. Are y'all having similar issues? Thanks for the response.

CasperSally
Valued Contributor II

@kisdtech not sure if this thread may apply to you

jrwilcox
Contributor

We are. We have made changes to our smart groups and policies to help make it better, but we still have occasional failures.