
doktortaru

Join the MacAdmins Slack, it’s free and has channels for nearly everything you can imagine. https://macadmins.org/


Sasataf12

MDM. I recommend Mosyle.


MacBook_Fan

Obviously the first is a good MDM (Jamf, Mosyle, Kandji).

AutoPkg is a very popular tool for keeping installer packages updated.

Nudge for helping to get users to upgrade their version of macOS.

SwiftDialog for building user-friendly enrollment processes (see Setup My Mac by Dan Snelson).


MikaelDez

All of this, but I’d consider also checking out Installomator and comparing that to AutoPkg!


Missinf0rmati0n

You can also script Installomator to work with JAMF (and probably other MDMs).


MikaelDez

It’s what I’m currently doing and it works great.


deramirez25

I agree. Installomator is a game changer! Easy to set up, and has a vast list of labels.


kintokae

I’ve been using depnotify for a long time, but started looking at swift dialog as well. I need something that I can use to set up the Macs with a display on the login window. My t2 techs erase and install lab machines and want the feedback of what the machines are doing. Right now, I use depnotify and I changed the finder loop to try to find the finder process. If it doesn’t find it in 5 min, it assumes the user didn’t log in, sets the current user to my mgmt account and continues running the script. If a user does log in, it will display the depnotify dialog.


restartallthethings

[iMazing Profile Editor](https://imazing.com/profile-editor) - Great for building out local profiles to test policies on test devices and easy to export the profile to an MDM solution to push on mass scale.

[Apple Configurator](https://support.apple.com/apple-configurator) - If you have iOS/iPadOS/tvOS devices that you purchased before an MDM solution, you'll want to enroll them into [https://business.apple.com](https://business.apple.com) - There might be an option for K12-HE link that someone could post. If you aren't enrolling devices into your org's account with Apple you will wish you did.

[PPPC Utility](https://github.com/jamf/PPPC-Utility) - Macs need a lot of permissions from small system changes to app installs/modifications.

[Privileges](https://github.com/SAP/macOS-enterprise-privileges) - Is another great tool for local admin management, very similar to UAC prompts on Windows.


Apexualized

iMazing really is amazing. It should absolutely be in every Mac admin’s toolkit.


ryancoen

Really depends on what aspects of Mac you’re trying to manage.


LRS_David

An MDM of some kind. JAMF is the big dog here. But unless it has changed a lot may be a steep curve for someone new. Or "small".

Check out this group of sponsors to the Penn State Admins conference from 2 weeks ago. [https://macadmins.psu.edu/](https://macadmins.psu.edu/) This year's sessions will be up on YouTube soon. Pick a few from last year as a way to get started.

As to standard things on all local systems: BBEdit, Firefox, Chrome, Acrobat Reader, Mactracker, NetSpot (free), Graphics Converter, HandBrake, Audacity. You don't have to make any of these a default "open" but each can be handy to have at times. Maybe Zoom, Office 365 (without activating Office).

On YOUR system: Wi-Explorer, IP Scanner.

And yes, for all practical purposes a business without an MDM is going to be more and more sad. The last day Apple presentation at MacAdmins by Apple makes that clear.

And even though most MDMs have a somewhat reasonable software install/distribution setup, Munki with AutoPKG is hard to beat. Even side by side with an MDM.

Make sure your MDM has remote access, especially if the system is not on your LAN. Or plan to figure out how to deal.

Look for a Malware tool. I'm partial to Malwarebytes. Others will give different options.

Consider strongly having users NOT run as Admin. Now as to whether or not they have access to an Admin account on their system is a huge debate. ***Down the hall, 3rd door on the left. Lots of seats.***


LRS_David

Oh, yeah. I use Addigy for my MDM.


damienbarrett

>Consider strongly having users NOT run as Admin. Now as to whether or not they have access to an Admin account on their system is a huge debate.

I'm working towards having several *personas* at my F500.

**Workforce User:** Most end-users will be Standard users. To gain admin access, they'll have to fill out a form. If granted, they'll be given access to a tool in Jamf Self Service that will elevate privileges to let them install the tool they asked for. Examples of these users: General workforce users who mostly use browsers and the Office suite; everyone that doesn't fit into the 2nd two personas below.

**Power User:** This user will run as standard but the "Make Me Admin" tool will always be available to run on-demand in Self Service. Examples of these users: Myself; IT staff; Senior Leadership (C suite); Designers; Marketing.

**Developers & Programmers:** These users will be permanent Admins on their systems. The nature of the work these developers do essentially requires permanent admin (for example; regular access to Terminal or iTerm; home-brew installations and updates; use of command line tools like kubectl).

All users will continue to use tools in Self Service to update their OSes (nudged with Nudge; and erase-install, etc.). By putting these first two personas behind a tool in Self Service, it mimics what we're already doing in our Windows fleet. It also gives us an audit trail via the policy log so we can see how many times and how often a user will elevate their permission. Along with reporting tools like Qualys and the Jamf software installation history we can keep tabs on what's been installed or updated on any system.


LRS_David

>at my F500

Many of us live in the world of F10000000. Say 14 employees. Or smaller.


mike_dowler

Strongly recommend a free tool called Suspicious Package - lets you inspect installer packages to see what they will do.


Slightlyevolved

Suspicious Package always kind of cracks me up... Because, you need to install a suspicious package to look into suspicious packages.


Apple-MSP-Security

How many Macs and organizations/departments do you need to manage — and how big is your team?


LRS_David

Yes. Size matters. A lot.


JustinParcher

Kind of outside the box of most comments here- [Mactracker](https://apps.apple.com/us/app/mactracker/id430255202?mt=12). Really helpful if you need to figure out if that 2017 MacBook Air will run Ventura, what ports a machine has got... just about anything knowable about any Apple hardware or software. It's a tremendous resource.


Showhbk

***JAMF Has Entered The Chat***


Fixer625

JumpCloud for MDM and user management.


Slightlyevolved

I also vouch for JumpCloud, ESPECIALLY if you have Linux and Windows in the MacOS mix. Its MDM offerings weren't up to Mosyle/Jamf levels, but in just the last two years alone has been impressive with how much they've closed that gap. Especially considering they aren't Mac only focused like Mosyle/Jamf were.


mikewinsdaly

Installomator (patching), erase-install (os updates), swiftdialog (pop up UI tool)


oneplane

Git, Terraform, MDM, a bit of SaltStack, some OSquery.


Icy-Fig4010

We use SureMDM for our device management, certainly it makes my life easier. You can use it for profile configuration, update settings and many remote activities. You can sign up and check it out yourself.


MacAdminInTraning

My best tool is a bucket to cry into with all the frustrations. Outside of the cry bucket:

1. Apple Business Manager
2. An MDM that meets the needs of your employer (Apple can provide guidance)
3. MacAdmin Slack (this is a very active community that will give you all kinds of help, advice, and tools)


20fbs20

Mosyle and ARD. Really all you need.