Description
The months of August and September are often very busy. This article provides ideas for tasks that can be taken care of earlier in the summer to free up time when school is starting again.
Check on Your Certificates and Tokens
Here are some key ones to check that expire every year:
Apple Push Notification Services Certificates
Jamf School Location: Organization > Settings > Apple Push Notification Service.
How To Renew: Renewing an Apple Push Certificate
Apple VPP Token (Service Token)
Jamf School Location: Organization > Settings > Content (Volume Purchasing).
How to Renew: Service Token (.vpptoken) Renewal
Automated Device Enrollment Token (Server Token)
Jamf School Location: Organization > Settings > Automated Device Enrollment.
How to Renew: Server Token (.p7m) Renewal
Audit Device Inventory
Summer is a great time to clean up your device inventory and investigate/remediate some different device scenarios.
Device cleanup
In Jamf School we can filter for devices that haven't checked in for a duration of time using the "Last Connected" filter.
Determine if devices that have not communicated with Jamf School within your specified timeframe can be moved to the trash to keep your instance free of clutter or if they need to be located and checked on.
If a device is using a recurring license moving it to the trash will also make that license available to another device. This can help you more accurately assess your needs a renewal time.
Create Smart Groups for to identify devices that may need interventions
You can use a smart group to check for devices that may need action taken to meet current standards for your organization. For example:
Devices that need OS updates:
Example Smart Group Criteria: Operating System Equals > macOS > Equals > [Minimum Version = blank] [Maximum Version = 13.0]
Gets all macOS devices running macOS versions 13.0 or lower.
Devices where the bootstrap token is not escrowed:
Example Smart Group Criteria: Bootstrap Token Stored > Equals > No.
Gets all device that haven't escrowed their Bootstrap token.
Devices that weren't enrolled via ADE:
Example Smart Group Criteria: Enrollment Method > Not Equals > Automated Device Enrollment / Apple School Manager.
Gets all devices that were not enrolled via ADE(Automated Device Enrollment).
Security Elements (Wi-Fi, Certificates, Vendor/Application Configurations)
Security functionality can be tricky to adjust and needs to be thoroughly tested before sent to production devices. Here are some of things you can take care of and test to be prepare for the start of the school year:
Wi-Fi
Update any wireless configuration profiles where the pre-shared key has changed.
Recommendation: Clone your existing configuration and deploy to a test device (or subset) then test changing the pre-shared key on the subset before changing it for the production configuration profile to understand how the devices behave.
Check that 802.1x workflows are still valid and make the appropriate adjustments if needed.
Certificates
Many environments will make use of software that requires certificates as part of their deployment (commonly seen with web content filters) you may need to obtain updated certificates from the software provider to redeploy for the coming year.
Vendor & Application Configurations
Some software may include a vendor provided configuration as part of its deployment.
These configs may need to be updated to take advantage of new features or meet certain requirements for the applications itself. Check software documentation to see if any of your configurations need to be updated regularly.
Summer is a great time to test adjustments to application configurations.
Apple School Manager Synchronization
New school years typically come with influx of new students, staff and updates to classes, take some time to look at your ASM synchronization results.
Remove users and classes that are no longer needed from Jamf School
Check both Jamf School and ASM for users and classes that need to be cleaned up.
If a user is removed in Jamf School but not in ASM it will be recreated at the next sync with ASM.
If configured to do so Jamf School will automatically remove users that are no longer in ASM when it synchronizes with ASM.
New Users & Classes
Verify that new users and classes are correctly appearing in Jamf School once added to ASM.
The users and classes must be created in ASM first.
This is most commonly done by linking ASM to your SIS via Apples Integration or and SFTP upload.
Workflow Verification
New device deployments are commonly handled at the beginning of the school year, take some time to test your device enrollment workflow to ensure this goes smoothly. Here are somethings to confirm when testing your enrollment process:
User authentication works during enrollment.
Not all workflows may include authenticated enrollment.
Enrollment succeeds for the device.
The device is assigned to the correct owner during enrollment.
Owners can be assigned automatically with enrollment authentication or devices placeholder data.
Owners are not required for all deployments.
The device has joined the desired wireless network.
The device's group membership is correct.
The device has joined all the correct smart groups.
The device was added to any static groups from its placeholder data.
The device has installed (or is installing) all the required configuration profiles.
The device has installed (or is installing) all required applications.
Any apps with custom configurations are behaving as dictated by the configuration.
Note: This is not an exhaustive list of things to check before the start of the year but it is a good place to start.
More Resources
If you need a refresher on how ASM synchronization works in Jamf School take a look at these articles: