What do you do if you’re a Director of Technology and have to lay off your primary Jamf Pro administrator? How do you protect your organization from possible retaliation? Even better, how do you cover your ass and ensure an easy and painless transition as this employee exits? What is the best order in which to do these tasks? I crowdsourced this on the MacAdmins Slack #jamfnation channel and here’s what we came up with. For the sake of argument, let’s call this about-to-be-laid-off employee Kevin.
- Jamf Pro Access: Ensure that you have full administrator access to your Jamf Pro instance. If you don’t have an account, figure out how to get one, preferably a local Jamf Pro account that still works if SSO or LDAP breaks. Evaluate all other local accounts on the Jamf Pro instance; removing access to Kevin’s domain account is not enough if there are local Jamf Pro admin accounts set up with full access, because those survive anything you do in the directory. Change the password(s) on these local account(s), and treat any API clients, API tokens or integration credentials Kevin created the same way: rotate or disable them, since they grant access without a login and are easy to forget.
- ASM/ABM: Figure out which email address is used for the Administrator account (the role older accounts called the Agent) in Apple Business Manager or Apple School Manager. If this was set up with Kevin’s account, you’re going to have some pain. At my org we set this account up with an email address that is tied to the org, not an individual. Example: apple-admin@example.org, not kevin.smith@example.org. Before you touch Kevin’s own ABM/ASM account, check which account downloaded the MDM server token that Jamf Pro uses for automated device enrollment; a server token is tied to the account that created it, so if it was Kevin’s, download a fresh token under the shared account and upload it to Jamf Pro first. Once you’re into ASM/ABM, disable any access Kevin has with his own account and remove his phone number from MFA on the Administrator account. Do this on the termination day, not before.
- APNs cert: Similar to ABM/ASM, determine which Apple ID was used to create your APNs (push) certificate; the Apple Push Certificates Portal lists the certificates under that Apple ID. Ideally this is an organization Apple ID and not Kevin’s domain email or, worse, his personal Apple ID. Ensure you can log into the portal before termination begins. This certificate is what lets Jamf Pro push to APNs to wake enrolled devices for MDM commands (DEP and VPP use separate tokens from ABM/ASM); without it, every managed device goes silent. Two caveats: the certificate expires yearly and must be renewed with the same Apple ID, because a certificate created under a different Apple ID has a different push topic and every device would have to be re-enrolled; and whoever controls that Apple ID can revoke the certificate from the portal, which is exactly the retaliation you are trying to prevent.
- PreStage Enrollments: If you’re using an enrollment package in a PreStage, check whether it’s been signed with a Developer ID Installer certificate. If so, whose? If it’s Kevin’s own Developer ID, you need to re-sign (and re-notarize) the package with a Developer ID that you control and upload the new build. Ideally, you’ve set up an Apple Developer Program membership for the organization, with someone other than Kevin as the Account Holder, and Kevin has been using it to sign and notarize packages. If not, if Kevin has used his own personal developer account, he could revoke the certificate, and then your PreStage enrollment package would fail to install. There are quite a few ways to see which Developer ID was used to sign and notarize an app or package. My favorite is Apparency; on the command line, `pkgutil --check-signature enrollment.pkg` prints the signing certificate chain with the Team ID in parentheses, and `spctl -a -vv -t install enrollment.pkg` tells you whether the package is accepted and notarized.
- Jamf Management Account: When Macs are enrolled, most Jamf admins set them up with a managed local account (often named jamf); this is the account Jamf Pro uses for some management functions, like Jamf Remote. Ideally it was set up so that the password is randomized per machine, but there is the option to set the same password on every managed machine. If Kevin set up your management framework that way, he knows a local admin password that works on every Mac you own. Change it: a policy with the Management Account payload set to randomly generate a new password, scoped to all computers, takes care of this as machines check in (newer Jamf Pro versions also offer LAPS-style rotation for this account). Do the same for any other shared local admin account whose password Kevin knows, and remember that machines that are offline or never check in keep the old password until they do.
- Jamf Account: Contact Jamf support to find out if Kevin is the only contact they have for your organization. If so, ask them to add you as another admin or technical contact. Once this has been completed, you can ask Jamf to remove Kevin’s access to the assets and licensing tied to your organization. You can do this on the day of termination, or you can contact them ahead of time and try to have it scheduled (or just call them again on the day of termination).
- Package & Policy Inspection: If you have reason to suspect foul play or malicious actions, examine the packages and scripts built/written by Kevin for nefarious actions. This is quite unlikely, but it does have to be considered. Concretely, that means reading the scripts, extension attributes and policies Kevin created or last edited (the Change Management log records who changed what) and looking for anything that creates or hides a local admin account, drops a LaunchDaemon or SSH key, calls out to infrastructure you don’t recognize, or is scoped to fire on every check-in; check webhooks and any outbound integrations as well, and remember that a package’s postinstall script can do all of this too. This is where you may want to reach out to an experienced consultant for assistance.
- Ask For Help: There are thousands of experienced Jamf Pro administrators out there. Consider posting a request for help in the #jamfnation or #jobs-board channels on MacAdmins Slack. For a reasonable consulting fee, there are many who would be willing to help.
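Two of the steps above are worth scripting so they can be re-run on termination day: the Jamf Pro account audit from the first item and the Developer ID check from the PreStage item. The following is an added example written for this post, not Jamf’s code or the author’s. It assumes the Jamf Pro Classic API account fields (directory_user, enabled, privilege_set, access_level, email), the environment variables JAMF_URL, JAMF_USER, JAMF_PASS and ENROLL_PKG for a live run, and the layout of `pkgutil --check-signature` output; the accounts and package output embedded at the bottom are constructed sample data.

```python
"""Added example for this post, not Jamf's code.  Two checks from the list
above that are worth scripting and re-running on termination day: which
Jamf Pro accounts hold admin rights, and who signed the PreStage package.
Field names follow the Jamf Pro Classic API account record; the sample
data is constructed.  Live run: set JAMF_URL, JAMF_USER, JAMF_PASS and
optionally ENROLL_PKG."""
import base64
import json
import os
import re
import subprocess
import urllib.request


def fetch_accounts(base_url, user, password):
    """Get a bearer token, then every Jamf Pro user account in full."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/api/v1/auth/token", method="POST",
                                 headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["token"]
    hdr = {"Authorization": f"Bearer {token}", "Accept": "application/json"}

    def get(path):
        req = urllib.request.Request(base_url + path, headers=hdr)
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    users = get("/JSSResource/accounts")["accounts"]["users"]
    return [get(f"/JSSResource/accounts/userid/{u['id']}")["account"] for u in users]


def audit_accounts(accounts, departing_name, departing_email):
    """Return (account name, reason) for every account that needs action.

    Flags the departing admin's own account and every enabled *local*
    account with full Administrator rights: those survive an SSO/LDAP
    disable, so rotate their passwords and confirm who owns them.
    """
    findings = []
    for acct in accounts:
        name = acct["name"]
        email = (acct.get("email") or "").lower()
        local = not acct.get("directory_user", False)
        enabled = acct.get("enabled", "Enabled") == "Enabled"
        full_admin = (acct.get("privilege_set") == "Administrator"
                      and acct.get("access_level") == "Full Access")
        if name.lower() == departing_name.lower():
            findings.append((name, "departing admin's account: disable on termination day"))
        elif enabled and local and full_admin:
            reason = "enabled local full administrator: rotate password"
            if email and email == departing_email.lower():
                reason += " (registered to the departing admin's email)"
            findings.append((name, reason))
    return findings


_SIGNER_RE = re.compile(r"^\s*1\.\s+(Developer ID Installer: .+? \(([A-Z0-9]{10})\))\s*$", re.M)


def package_signer(check_signature_output):
    """Parse `pkgutil --check-signature` output into (status, signer, team_id).

    signer and team_id are None when the package is unsigned or the leaf
    certificate is not a Developer ID Installer certificate.
    """
    m = re.search(r"^\s*Status:\s*(.+)$", check_signature_output, re.M)
    status = m.group(1).strip() if m else None
    m = _SIGNER_RE.search(check_signature_output)
    return (status, m.group(1), m.group(2)) if m else (status, None, None)


# Constructed sample data: not real accounts, not a real package.
SAMPLE_ACCOUNTS = [
    {"name": "kevin.smith", "directory_user": True, "enabled": "Enabled",
     "privilege_set": "Administrator", "access_level": "Full Access",
     "email": "kevin.smith@example.org"},
    {"name": "jamfadmin", "directory_user": False, "enabled": "Enabled",
     "privilege_set": "Administrator", "access_level": "Full Access",
     "email": "kevin.smith@example.org"},
    {"name": "helpdesk", "directory_user": False, "enabled": "Enabled",
     "privilege_set": "Custom", "access_level": "Site Access", "email": ""},
    {"name": "old-svc", "directory_user": False, "enabled": "Disabled",
     "privilege_set": "Administrator", "access_level": "Full Access", "email": ""},
]
SAMPLE_PKGUTIL = """Package "enrollment.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Kevin Smith (ABCDE12345)
       Expires: 2027-02-01 22:12:15 +0000
    2. Developer ID Certification Authority
    3. Apple Root CA
"""

if __name__ == "__main__":
    url = os.environ.get("JAMF_URL")
    accounts = (fetch_accounts(url, os.environ["JAMF_USER"], os.environ["JAMF_PASS"])
                if url else SAMPLE_ACCOUNTS)
    for name, reason in audit_accounts(accounts, "kevin.smith", "kevin.smith@example.org"):
        print(f"{name}: {reason}")
    pkg = os.environ.get("ENROLL_PKG")
    out = (subprocess.run(["pkgutil", "--check-signature", pkg], capture_output=True,
                          text=True).stdout if pkg else SAMPLE_PKGUTIL)
    print("PreStage package signed by:", package_signer(out))
```

Run it without the environment variables and it audits the constructed sample: the departing admin’s directory account is flagged for disabling, the local jamfadmin account is flagged because it is a full administrator registered to his email, the site-scoped helpdesk account and the disabled service account are left alone, and the package turns out to be signed by Kevin’s own Developer ID, which is the signal to re-sign it under the org’s Team ID. Point the same script at a live instance on termination day and compare the Team ID it prints against the one in your organization’s developer account.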
In a perfect world, most of this will have already been documented by Kevin. If there is some time before the termination happens, direct Kevin to start supplying documentation for how these things are set up and configured. There are many documentation platforms. We use IT Glue at my current workplace.
Terminating an employee is never an easy task. With some forethought and planning, and by following some or all of the steps above, you can at least avoid massive disruption with how Jamf Pro is managing your equipment.