Jamf MDM: Your Foundational Guide
Imagine you receive an email from your manager asking you to get 10 Apple devices enrolled in Jamf within the next 48 hours. Would you know where to begin? This guide is designed to help you create a foundation for the work you may encounter within Jamf.
What is MDM?
MDM stands for Mobile Device Management. This is an excellent tool used to manage devices such as computers, tablets, and phones within a company. Some popular MDM tools are Intune, Jamf, and Kandji.
MDM is very powerful because it sets guidelines and policies for device use within a company. Examples include:
- Requiring passcodes on mobile devices before company resources can be deployed
- Ensuring devices' operating systems are kept up to date to prevent malware infections
- Restricting app installations and camera usage
- Remote wipe capabilities for lost or stolen devices
What is Jamf?
Jamf is a major MDM for Apple devices in the professional world. Devices can be enrolled through:
- Automated Device Enrollment (ADE) - Automatic enrollment via Apple School Manager (ASM) or Apple Business Manager (ABM)
- Manual Enrollment - Direct enrollment for existing devices
Key Jamf Features
Device Enrollment
Device enrollment in Jamf is the addition of an asset (an iOS, iPadOS, or macOS device) to the Jamf inventory. Once enrolled, devices receive management instructions via the Apple Push Notification service (APNs).
Automated Device Enrollment (ADE) Benefits:
- Zero-touch setup - No IT staff involvement required
- Cannot remove MDM profile - Critical for asset protection
- Streamlined configuration - Users click through pre-configured screens
- Supervision capabilities - Full management features enabled
Configuration Management
Jamf uses three main components for configuration:
1. Profiles
Individual settings that control specific device behaviors:
- WiFi Profiles - Automatic connection to company networks
- Restriction Profiles - Disable features (camera, app installation, etc.)
- Passcode Policies - Enforce password complexity requirements
- Certificate Profiles - Deploy certificates for VPN/network access
2. Blueprints
Groups of profiles applied during enrollment. Blueprints are templates designed for initial device setup. For example:
- Teacher iPads Blueprint - Teacher WiFi + Teacher Restrictions
- Student iPads Blueprint - Student WiFi + Student Restrictions
3. Device Groups
Flexible groupings for managing devices post-enrollment:
- Static Device Groups - Manually add/remove devices (great for testing)
- Smart Device Groups - Rule-based automatic membership (e.g., "All iPads running iOS 15 or earlier")
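The "All iPads running iOS 15 or earlier" rule is easy to get wrong when you rebuild it in a script or report over exported inventory. The sketch below is an added example, not Jamf's own logic and not code from the original guide. The record fields, serials and function names are constructed for illustration. It evaluates the rule with a numeric version comparison and sets it beside a lexical string comparison, which silently drops the most outdated device.

```python
from dataclasses import dataclass

@dataclass
class Device:
    serial: str        # constructed placeholder, not a real serial number
    model: str
    os_version: str    # as reported by inventory, e.g. "15.7.1"

def parse_version(text):
    """'15.7.1' -> (15, 7, 1); None when inventory holds no usable version."""
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None

def smart_group(devices, model_prefix, max_major):
    """Recompute membership from inventory: model matches and major <= max_major.
    Devices with an unreadable version are included so they get reviewed."""
    members = []
    for d in devices:
        if not d.model.startswith(model_prefix):
            continue
        version = parse_version(d.os_version)
        if version is None or version[0] <= max_major:
            members.append(d.serial)
    return members

def naive_group(devices, model_prefix, max_major):
    """Lexical comparison of version strings: shown only to expose the pitfall."""
    limit = str(max_major + 1)
    return [d.serial for d in devices
            if d.model.startswith(model_prefix) and d.os_version < limit]

# Constructed inventory records for illustration.
INVENTORY = [
    Device("SERIAL-0001", "iPad (9th generation)", "15.7.1"),
    Device("SERIAL-0002", "iPad Air 2", "9.3.5"),
    Device("SERIAL-0003", "iPad Pro 11-inch", "17.2"),
    Device("SERIAL-0004", "iPad mini 4", ""),
    Device("SERIAL-0005", "Mac mini", "12.6"),
    Device("SERIAL-0006", "iPad (10th generation)", "16.0"),
]

if __name__ == "__main__":
    print("numeric:", smart_group(INVENTORY, "iPad", 15))
    print("lexical:", naive_group(INVENTORY, "iPad", 15))
```

The lexical version misses SERIAL-0002 because the string "9.3.5" sorts after "16", so the device furthest behind on updates never lands in the remediation group.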
Application Deployment
Remotely deploy applications to user devices with granular control.
Important: License Management
For managed apps (with full MDM control), always purchase licenses through Apple School Manager (ASM) or Apple Business Manager (ABM) first, then deploy via Jamf. This enables:
- Silent installation without user intervention
- App management restrictions
- Prevention of app removal
Security Features
Restriction Capabilities
| Restriction | Function |
|---|---|
| Disable App Store | Prevents app installations from App Store |
| Prevent App Removal | Blocks deletion of apps |
| Disable Camera | Removes camera functionality |
| Disable Screen Recording | Prevents screen recording |
| Web Content Filter | Block adult sites and custom URLs |
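Each row of the table corresponds to a key in an Apple configuration profile, so a restriction baseline can be checked mechanically instead of by clicking through the console. The following is an added example, not part of the original guide or of Jamf's tooling. It assumes you have the profile as an unsigned .mobileconfig plist, and the sample profile, identifiers and function name are constructed. It reports which rows of the table a profile does not actually enforce.

```python
import plistlib

# Table row -> key in Apple's Restrictions payload (com.apple.applicationaccess).
# allowScreenShot governs both screenshots and screen recording.
BASELINE = {
    "Disable App Store":        "allowAppInstallation",
    "Prevent App Removal":      "allowAppRemoval",
    "Disable Camera":           "allowCamera",
    "Disable Screen Recording": "allowScreenShot",
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"
WEB_FILTER_TYPE = "com.apple.webcontent-filter"

def audit_profile(raw):
    """Return the table rows that an unsigned .mobileconfig does NOT enforce."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    restrictions = [p for p in payloads if p.get("PayloadType") == RESTRICTIONS_TYPE]
    # A restriction is enforced only when its allow* key is present and false;
    # an absent key leaves the feature allowed.
    gaps = [row for row, key in BASELINE.items()
            if not any(p.get(key) is False for p in restrictions)]
    if not any(p.get("PayloadType") == WEB_FILTER_TYPE for p in payloads):
        gaps.append("Web Content Filter")
    return gaps

# Constructed sample profile: camera and App Store disabled, the rest forgotten.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.student-restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "Student Restrictions (constructed)",
    "PayloadContent": [{
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.student-restrictions.access",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowCamera": False,
        "allowAppInstallation": False,
        "allowScreenShot": True,
    }],
})

if __name__ == "__main__":
    print("not enforced:", audit_profile(SAMPLE))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.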
Advanced Security Features
- Passcode Policies - Complexity requirements, failed attempt limits
- Remote Lock & Wipe - Protect lost or stolen devices
- Certificate Distribution - Certificate-based WiFi/VPN authentication
- App Blacklist/Whitelist - Control which apps can be used
Common Jamf Tasks
Device Enrollment Workflow
1. Device purchased from Apple/authorized reseller
2. Automatically added to ASM/ABM account
3. Synced to Jamf via integration
4. Device appears in "Automated Device Enrollment" tab
5. Assign Blueprint/Profile/Device Group
6. User powers on device and connects to internet
7. Enrollment completes automatically
Application Deployment Best Practice
1. Purchase license in ASM/ABM (even for free apps)
2. Sync licenses to Jamf
3. Search for app in Jamf
4. Assign to Device Group or Blueprint
5. App installs silently on target devices
Alternative Enrollment: Apple Configurator 2
For devices not purchased through authorized channels, use Apple Configurator 2 to add them to ASM/ABM:
- Connect device to MacBook via USB
- Open Apple Configurator 2
- Select device → Prepare
- Choose: Add to ASM/ABM, Supervise devices
- Enter MDM URL from Jamf
- Device added to ASM/ABM inventory
- Wipe and enroll device to trigger ADE
Real-World Learning Story
"I remember when I was asked by a client to enroll 8 iPads and 4 Mac Minis. I found that none of the serial numbers were on the ASM/ABM server. Through the Jamf Docs and team support, I learned to use Apple Configurator 2.
My takeaway: Familiarize yourself with your resources so when requests come in, you can navigate and gain clarity faster."
Key Takeaways
- Always prefer ADE over manual enrollment for security and management capabilities
- Purchase app licenses in ASM/ABM before deploying for full management
- Use Blueprints for enrollment configuration, Device Groups for ongoing management
- Apply principle of least privilege when configuring restrictions
- Document your configurations for consistency and troubleshooting
How to Equip Yourself
- Create a free Jamf Now account (manage up to 3 devices)
- Explore the Jamf portal menus and create test configurations
- Read Jamf Documentation to understand features deeply
- Practice in your work environment (safely, without disrupting users)
- Join Jamf community forums for peer support
Career Relevance
Understanding MDM platforms like Jamf is valuable for:
- IT Support and Helpdesk roles
- System Administrator positions
- Security Analyst roles focused on endpoint management
- Any enterprise role managing Apple device fleets
Being able to discuss MDM experience in interviews demonstrates practical IT and security knowledge that employers value.