JAMF Software is announcing version 9.4 of its Casper Suite management software, and it has some important new features: There’s an improved way to use MDM for BYOD; new self service apps; and for the first time, support for Android.
Why is JAMF supporting Android such a big deal?
For years JAMF has been known as the best-of-breed solution for doing full Mac OS management, and when MDM for iOS came along they supported that as well. It’s always been their stated intention to keep concentrating on Apple, but now the latest release includes mobile device management for Android.
They didn’t give too much background about the decision to support Android, but the reasons are pretty self-evident: On the Mac OS X side, staying specialized makes a lot of sense. JAMF is an established leader, solving established use cases. The proliferation of MacBooks in the enterprise is certainly adding to their bottom line, but the scenarios and companies that need full Mac management—education, design, or graphics, for example—have been around for years and will be around for a long time. However, on the mobile device side, BYOD means that it just makes sense to be able to deal with Android no matter what. This is also a good way for JAMF to keep customers in the fold.
JAMF is providing Android MDM based on a device administrator agent app, just like any other Android MDM, supporting Android 4.0 and higher. They’re not supporting any third-party manufacturers’ management APIs yet, but as I’ve covered extensively, a lot will be changing when the next version of Android comes out. For now JAMF is just getting their foot in the door.
Self service and BYOD
The other major part of the new release is around self service and BYOD.
JAMF has already had self-service features for several years, but now they’re being rolled into brand new native apps for iOS and Android. They’ll function as enterprise app stores and also allow users to download device configurations and content. Previously, JAMF’s iOS MDM didn’t use an agent app, so there will be some other new features like jailbreak detection.
Now for the interesting part, which has to do with how JAMF will be using MDM for BYOD:
We’ve long established that many people don’t want to put MDM on their personal devices because they don’t want their company to wipe them, see what apps they have installed, or do anything else that could violate their privacy.
If you look closely at Apple’s MDM protocol, you can see that it’s possible to configure what specific access rights a remote MDM server has over a device. So if you want to, you can actually set up MDM with very few rights on the device, ensuring user privacy. (One of the few places where Apple exposes these settings is in the iPhone Configuration Utility, which is slightly out of date but still available for Mac and Windows. Otherwise, it’s hard to find any references to this in their public documentation.)
Here’s the thing: with many MDM solutions, the management connection is configured so that all of the remote access rights are enabled by default. If something is supposed to be hidden from an administrator, then usually it’s just done in the MDM server software, instead of by limiting access rights.
With the new release of Casper Suite, JAMF is actually using the Apple MDM remote access rights settings (instead of just changing a setting on the server) to specify what rights administrators have, thus giving users a higher level of privacy assurance. You could argue that this is a better way to use MDM for BYOD.
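To check what an enrollment actually grants, the access rights can be read straight out of the profile. The following is an added example, not JAMF's or Apple's code: it decodes the `AccessRights` bitmask of the `com.apple.mdm` payload using the flag values from Apple's MDM Protocol Reference. The sample profiles and the "limited BYOD" mask are constructed for illustration and are not JAMF's actual configuration.

```python
import plistlib

# AccessRights bit flags of the com.apple.mdm payload (Apple MDM Protocol Reference).
ACCESS_RIGHTS = {
    1: "inspect installed configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect installed provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
# Rights the article names as BYOD privacy concerns: remote wipe and app inventory.
PRIVACY_SENSITIVE = 8 | 256

def decode_rights(mask):
    """Return the description of every right set in the bitmask."""
    return [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]

def audit_profile(profile_bytes):
    """Find the MDM payload in an enrollment profile and report its rights."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            mask = payload["AccessRights"]
            return {
                "mask": mask,
                "granted": decode_rights(mask),
                "sensitive": decode_rights(mask & PRIVACY_SENSITIVE),
            }
    return None  # no MDM payload in this profile

def sample_profile(mask):
    """Constructed profile carrying only the fields this audit reads."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{"PayloadType": "com.apple.mdm", "AccessRights": mask}],
    })

if __name__ == "__main__":
    # 8191 sets every flag; the second mask is a constructed limited-rights case.
    for label, mask in (("all rights", 8191), ("limited BYOD", 1 | 2 | 16 | 4096)):
        print(label, audit_profile(sample_profile(mask)))
```

A profile whose `sensitive` list is empty cannot be used to wipe the device or list its apps, regardless of what the server console shows or hides.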
In Android the process is less well-defined, but JAMF is making an effort to ensure that their app requests as few permissions as possible.