# Using JAMF

JAMF simplifies mass installation of dope.endpoint on Mac. It removes all manual steps: trusting the certificate and accepting system extension permissions.

There are two primary components:

1. **MDM Profile**: the configuration profile that contains the certificate, extension, VPN, and privacy permissions, so the user never sees a pop-up. Without it, the user has to manually accept and authorize the installation (due to Apple security policies).
2. [Managed Installation](https://learn.jamf.com/bundle/jamf-pro-documentation-current/page/Package_Deployment.html): upload the full zip to JAMF to deploy to your devices, following the same steps as any managed deployment (upload the install zip as-is). Once distributed, JAMF will run the installer.

{% hint style="warning" %}
Known JAMF Issues outside of dope.security control:

1. JAMF documentation mentions that .zip is not supported, but it works perfectly fine
2. JAMF can be intermittently slow and will display an **Availability Pending** message. It can take up to an hour to process.

   <figure><img src="/files/msnoz0hxpCSioRRWTHcy" alt="" width="294"><figcaption></figcaption></figure>
3. JAMF intermittently imports only 4 of 5 required items and misses the root certificate. Ensure that your MDM profile contains all 5 permissions, and upload the root certificate if required.
   {% endhint %}

## 1. Upload the `MobileConfig` File

You can retrieve the MDM profile's XML [here](/dope.endpoint/installing-using-mdm-on-mac.md) and directly upload it to JAMF. This will contain all requisite permissions at once, including:

1. Root Certificate - for trusting the on-device SSL inspection
2. Network Extension Permission - for re-routing traffic to the on-device proxy
3. VPN Permission - for re-routing traffic to the on-device proxy
4. Privacy Preferences Permission - for anti-tampering
5. Service Management Permission - for anti-tampering to login & background items

<figure><img src="/files/B6aEpVcI1C0QhLN4c69k" alt=""><figcaption><p>You can validate that the 5 payloads are configured</p></figcaption></figure>

After uploading it to JAMF, you will have the full profile available to target and deploy to devices.
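Because JAMF can intermittently drop one of the five items on import, it helps to check the profile file before upload and again after exporting it from JAMF. The following is an added example, not dope.security or JAMF code: it assumes an unsigned XML `.mobileconfig` and assumes the five items map to Apple's standard payload types listed in `REQUIRED`; the function names and sample profile are constructed for illustration.

```python
import plistlib
import sys

# Assumed mapping from the five items on this page to Apple's standard payload
# types; adjust it if the downloaded profile uses different ones.
REQUIRED = {
    "Root Certificate": {"com.apple.security.root", "com.apple.security.pkcs1",
                         "com.apple.security.pem"},
    "Network Extension": {"com.apple.system-extension-policy"},
    "VPN": {"com.apple.vpn.managed"},
    "Privacy Preferences": {"com.apple.TCC.configuration-profile-policy"},
    "Service Management": {"com.apple.servicemanagement"},
}


def missing_items(profile_bytes):
    """Return the required items that an unsigned .mobileconfig does not carry."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    missing = []
    for item, types in REQUIRED.items():
        matches = [p for p in payloads if p.get("PayloadType") in types]
        # A certificate payload with no data is as bad as no payload at all.
        if item == "Root Certificate":
            matches = [p for p in matches if p.get("PayloadContent")]
        if not matches:
            missing.append(item)
    return missing


def constructed_profile(payload_types):
    """Build a stub profile for testing (constructed, not a real dope.security profile)."""
    payloads = []
    for i, ptype in enumerate(payload_types):
        payload = {"PayloadType": ptype, "PayloadVersion": 1,
                   "PayloadIdentifier": f"example.payload.{i}"}
        if ptype.startswith("com.apple.security."):
            payload["PayloadContent"] = b"constructed certificate bytes"
        payloads.append(payload)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadVersion": 1,
                           "PayloadIdentifier": "example.profile",
                           "PayloadContent": payloads})


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        gaps = missing_items(fh.read())
    print("missing: " + ", ".join(gaps) if gaps else "all 5 items present")
    sys.exit(1 if gaps else 0)
```

Run it with the path to the profile file as the only argument; a non-zero exit status means at least one of the five items is absent.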

## 2. Deploy profile to devices

Take your new profile, click Scope, and target it to your endpoints:

<figure><img src="/files/uD3uy3BnM0hf4DmFWzKF" alt=""><figcaption><p>A sample screenshot of deploying to targets</p></figcaption></figure>

Add the target machines you want to distribute to.

The profile should have 4 items (certificate, system extension, VPN, and privacy preferences):

<figure><img src="/files/JmnPfm7hZOzvqzC0JXab" alt="" width="563"><figcaption><p>All 4 permissions are now on the device. This screen looks slightly different on Mac12</p></figcaption></figure>

<figure><img src="/files/HPrBrDmli7b0U4u415zN" alt=""><figcaption><p>You can also validate the certificate is marked as Always Trust on Keychain Access</p></figcaption></figure>

## 3. Install the application pkg

Create a [JAMF package deployment](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Package_Deployment.html) and upload the installation `.zip`. Recall, it includes:

* Installer `.pkg` (Universal binary supports both Intel & Arm)
* `agent_parameters.json`
* Certificate

{% hint style="success" %}
JAMF documentation does not explicitly say that .zip is supported; however, you can directly upload the .zip to JAMF without issues.
{% endhint %}

Scope the target machines you want to install to and send. Target machines will pick up and install the dope.security package with no manual intervention.

<figure><img src="/files/D6gCmmzgtSIu94QgAd9M" alt=""><figcaption><p>You'll need to write a policy with the package &#x26; scope it. Use cloud distribution and install once per device.</p></figcaption></figure>

The next step on the target machines will be to authenticate using Google or O365.

