Description
Jamf Onboarder streamlines setting up brand-new Jamf environments by automatically integrating Jamf consoles and configuring key management and security outcomes.
A few items must already exist before Jamf Onboarder can run. This article explains the prerequisites and provides resources to meet them so you are ready to use Jamf Onboarder.
Steps to take before running Jamf Onboarder
1. Create a Jamf ID with the email that is associated with the purchase of your Jamf subscription if you haven't already created one. If you already have a Jamf ID, go to step 2.
2. Log in to Jamf Account with your Jamf ID and confirm that:
   - Your organization shows either in the upper-left corner, on Home next to your avatar on the left side of the page, or under Profile > Organization.
   - You have access to the Solutions page in Jamf Account. If it does not show in the left sidebar for you or anyone at your organization, reach out to your Account team.
From Jamf Account, you can now create your Jamf Pro and macOS Security Portal instances. The Jamf Security Cloud tenant should be created automatically once you create the macOS Security Portal.
Actions needed within Jamf Pro:
Either navigate to your Jamf Pro URL in a browser, or from Home in Jamf Account click Open for Jamf Pro and select your instance.
Go through the Setup menu:
Agree to the Terms and Conditions.
Enter your Organization name as it appears in Jamf Account.
Create your first user account - note this should NOT have the same email as your Jamf ID email used to log in to Jamf Account.
Actions needed within macOS Security Portal:
Go to your macOS Security Portal URL, or from Home in Jamf Account click Open for Jamf Protect and select the instance.
You can log in to the macOS Security Portal with the Jamf ID email and password you used for Jamf Account.
Actions needed within Jamf Security Cloud Portal:
To navigate to the Jamf Security Portal login page, either go to https://radar.wandera.com/login or from Home in Jamf Account click View details for Jamf Protect and select Log in to your Jamf Security Cloud portal.
Enter the Jamf ID credentials used to log in to Jamf Account.
Create a super admin in Jamf Security Cloud.
For the super admin, the email cannot be the same as the Jamf ID email. You can use an alias such as first.last+onboarder@company.com.
Running Jamf Onboarder
Select whether you want the standard or custom setup.
Standard: Applies all Jamf recommended configurations. You will skip all customization screens and go directly to instance preparation.
Custom: Allows granular control over the configurations Jamf Onboarder will create, so you choose the specific management and security settings it will configure.
You can always remove settings/make changes within Jamf Pro, macOS Security Portal and Jamf Security Cloud portal after Jamf Onboarder runs.
Custom Setup Options:
Choose whether to enable management foundations for Jamf for Mac, Jamf for Mobile, or both.
Security Configurations:
Endpoint, Network & Web Security: integrate web & network security with management, integrate macOS endpoint security, configure web and network security, enforce and escrow FileVault 2, enable SSOe (Okta Template)
Compliance Benchmarks: Select macOS benchmark (CIS Level 1, DISA STIG, NIST 800-171, US CMMC 2.0) and/or iOS benchmark (CIS Level 1, DISA STIG)
App Catalog: Browsers, Productivity apps, Utilities
Preparing Consoles
In this step, you add the users and API client configured in the prerequisites, which allows Jamf Onboarder to apply the configurations and integrations.
The credentials are used only for setup and are not stored. Once Jamf Onboarder has completed, you can remove these users.
Ready to configure?
Click Configure and confirm by clicking Start for Jamf Onboarder to add the configurations and integrations to your Jamf environments.
⚠️ Once you click Start, the process cannot be stopped or reversed.
After Jamf Onboarder Completes
If you look in your Jamf Pro, macOS Security Portal and Jamf Security Cloud Portal, you will see the configurations that Jamf Onboarder added. More setup is still needed, though, before you can manage and secure devices with Jamf.
Jamf macOS Security Portal
The following features require manual configuration if you wish to deploy additional endpoint security capabilities.
Telemetry (your organization needs to have a SIEM solution)
Settings you configured with Jamf Onboarder, or manually afterward, are synced to the plan in Jamf Pro under Settings > Jamf Apps > Jamf Protect.
There is no scoping defined for Jamf Protect plans in Jamf Pro; you will need to configure that in Jamf Pro for it to install on computers once they enroll.
Jamf Security Cloud Portal
Jamf Onboarder creates an initial activation profile in Jamf Security Cloud. This activation profile is in Jamf Pro and is scoped to 'All Computers.'
If you want to use Zero-Trust Network Access (ZTNA) you need to manually do the following:
Delete the placeholder Okta integration for ZTNA and add your own identity provider integration.
Configure Cloud Access Control - this is optional, depending on your environment and whether you want to control access to these resources.
Note - Jamf Trust must be installed on enrolled mobile devices and computers using ZTNA. These steps are included in the Jamf Pro section below.
Jamf Pro
There are some setup steps that Jamf Onboarder is not able to do for you. Be sure to complete the steps below after Jamf Onboarder runs in order to manage and enroll devices into Jamf Pro.
Note about logging in to Jamf Pro: During the Jamf Onboarder process, if you configured 'Jamf Account SSO' (screen shown below) you will now use the Jamf ID credentials that you used to log in to Jamf Account to log in to Jamf Pro rather than the user you created in the Setup Assistant.
To add additional users to Jamf Pro, they will need to have a valid Jamf ID and be added in Jamf Pro under Settings > Server > User accounts and groups. The user's email must match the Jamf ID email.
If you have an identity provider and wish to use those credentials to log in to Jamf Account, Jamf Pro, macOS Security Portal and/or Jamf Security Cloud you can alternatively add an OIDC SSO integration in Jamf Account.
Add your MDM Push Notification Certificate to Jamf Pro. This allows your devices to communicate through MDM protocol with Jamf Pro.
Configure enrollment settings in Jamf Pro. The enrollment method you choose depends on the types of devices you want to manage and the current state of the devices.
User-initiated enrollment: a good fit if you do not have devices in Apple Business Manager or Apple School Manager (or if you cannot reset mobile devices for Automated Device Enrollment).
Devices will have a removable MDM profile, so end users can "opt out" of management, and mobile devices will not be supervised, which limits the management actions available.
Automated Device Enrollment:
This step includes: creating an MDM server in Apple Business Manager or Apple School Manager for Jamf Pro and uploading the token for that MDM server to Jamf Pro.
Creating PreStage Enrollments in Jamf Pro and assigning devices:
Enrolling devices in the Setup Assistant
Note - for computers that are already set up and cannot be reset to the Setup Assistant, it is possible to enroll by running the command
sudo profiles renew -type enrollment
and following the prompts to install the MDM profile. If this method is used, not all settings from the PreStage enrollment will apply.
Set up other content distribution settings:
For deploying licensed apps from Apple Business Manager or Apple School Manager see Deploying Volume Purchasing Apps in Jamf Pro.
Note - for Jamf Security Cloud:
If using ZTNA: you need to get macOS licenses for Jamf Trust and deploy Jamf Trust to managed computers.
If using Jamf Security Cloud features for mobile devices: you need to get iOS licenses for Jamf Trust, add the managed app configuration, and deploy the app to managed devices.
For computers, add additional App Installers or, if you want to deploy packages from Jamf Pro, configure a distribution point and upload packages to Jamf.
Create additional management configurations (for example Jamf Pro Blueprints with Software update settings, restrictions, etc.) and update the scoping for configurations created by Jamf Onboarder.
For more information on creating/managing configurations see: Configuration Profiles
Jamf Protect Plan (Settings > Jamf Apps > Jamf Protect)
Some configurations are scoped to smart groups that contain a placeholder criterion (Serial Number like “111222333444”), which will need to be deleted/updated for the smart group to function properly.
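Added example (not part of the original article and not Jamf's own code): one way to list the smart groups that still carry the placeholder criterion, so you know which scoped configurations depend on it. The XML element layout, group names and IDs below are assumptions constructed for illustration; adapt the parsing to the group data you export from your own Jamf Pro instance.

```python
import xml.etree.ElementTree as ET

# Placeholder criterion quoted in the article: Serial Number like "111222333444".
PLACEHOLDER = ("serial number", "like", "111222333444")

# Constructed sample. The element layout is an assumption modelled on a
# Jamf Pro computer-group XML export; group names and IDs are invented.
SAMPLE_XML = """
<computer_groups>
  <computer_group><id>12</id><name>FileVault Targets</name><is_smart>true</is_smart>
    <criteria><criterion><name>Serial Number</name><and_or>and</and_or>
      <search_type>like</search_type><value>111222333444</value></criterion></criteria>
  </computer_group>
  <computer_group><id>13</id><name>CIS Level 1 Scope</name><is_smart>true</is_smart>
    <criteria><criterion><name>Serial Number</name><and_or>and</and_or>
      <search_type>like</search_type><value>111222333444</value></criterion>
    <criterion><name>Operating System Version</name><and_or>or</and_or>
      <search_type>like</search_type><value>15.</value></criterion></criteria>
  </computer_group>
  <computer_group><id>14</id><name>Marketing Macs</name><is_smart>true</is_smart>
    <criteria><criterion><name>Department</name><and_or>and</and_or>
      <search_type>is</search_type><value>Marketing</value></criterion></criteria>
  </computer_group>
  <computer_group><id>15</id><name>Loaner Pool</name><is_smart>false</is_smart>
    <criteria/></computer_group>
</computer_groups>
"""

def _text(node, tag):
    """Return the stripped text of a child element, or '' if it is absent."""
    return (node.findtext(tag) or "").strip()

def find_placeholder_groups(xml_text):
    """List smart groups whose criteria still include the placeholder."""
    findings = []
    for group in ET.fromstring(xml_text).iter("computer_group"):
        if _text(group, "is_smart").lower() != "true":
            continue  # static groups are not criteria-driven
        criteria = [(_text(c, "name").lower(), _text(c, "search_type").lower(),
                     _text(c, "value")) for c in group.iter("criterion")]
        if PLACEHOLDER in criteria:
            findings.append({
                "id": int(_text(group, "id")),
                "name": _text(group, "name"),
                # True when nothing but the placeholder decides membership
                "placeholder_only": all(c == PLACEHOLDER for c in criteria),
            })
    return findings
```

Groups reported with placeholder_only set to True are the ones to fix first, since their membership rests entirely on the placeholder serial number.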
Jamf Resources
Jamf Online Training Catalog: Training resources and walkthroughs
Jamf Learning Hub: Technical articles and administrator guides
Jamf 100: The Jamf 100 course introduces macOS, iOS, and Jamf Pro, covering device setup, Jamf Pro, Apple services, enrollment, and basic inventory searches.
Jamf 170: The Jamf 170 Course is a security-focused introduction to Jamf Protect and mobile device management.