Happy Mac

Mac admin and other techy shop-talk

Jamf Pro Departments, Has Its Time Passed?

2024-05-19 MDM

For as long as I’ve been admin of a Jamf Pro instance, and this is going back to the Casper Suite days, I’ve been all over making sure the Department config was spot on.

That is until I moved to my new shop in April, and the idea that which I had in my last role that it may be redundant really took hold.

The last several Jamf Pro instances I’ve managed have all been connected to Google for LDAP / Cloud ID. This means we can pull in not only user info from Google, but also the user’s group memberships.

With Google Workspaces' introduction of Security groups a while ago, I started making a habit of making dynamic groups based on OU membership, ie: sec.marketing.ou. These sec groups can then be used to help scope permissions in various Workspace apps.

It also means over in Jamf Pro, the criteria for Smart Groups can be based on membership of these OU-based groups - effectively making a smart group for each department and/or team (I’ve worked in places where departments had sub-teams with different permission requirements).

So what I’m now thinking - why bother ensuring that the department configuration in Jamf Pro is up to date and accurate when I’m already basically pulling that data from Google?

One thing I’ve used departments for in the past was to also mark out devices that were ‘Spare’, ‘Missing’, etc. I’m now doing this with an extension attribute, which can be updated using the API via a shell script… so that usage is out the window.

Honestly, it feels a bit odd to drop that department fields after maintaining it and relying on it for quite some time. I’m curious if anyone else is making use of it, or if anyone else is in the same boat as me and are finding it a bit of a relic now that is no longer needed for your workflow?

Editor’s Note: Other MDMs and IDPs are available - my experiece has been very much with Google & Jamf, as is the style in London tech companies!