Flex use cases
So how do we use this app and how to know the setup?
Designed for the company or organisation that wants to use Flex and force users to enter their data.
Imagine your site needs to deploy mail settings and custom lock screen message. We need their username, email address and possibly which department and building they are in.
The end result of this demo is to
have an automated solution to ensure end users enter their data. If they do not, then the iPad or iPhone remains locked to Flex, waiting for the data to be entered… forever! Who said the days of evil IT admins were over?
If you want the Flex app to ‘first’ launch directly to the edit interface on the initial launch then this option is for you.
Step 1 Smart Group – group our target audience
Lets start with a smart group to identify the devices. And lets say our company name in the example below is D8Flex, obviously you will change this on your site.
Smart Group Name
Flex-Device information Missing
Criteria
If we enter “blank” below then do not enter anything for the value, when in doubt have a look at our screen shot below. Think of a smart group as an automated search by Jamf.
Modifier
or
or
or
Criteria
Username
Email Address
Department
Building
Operator
is
is
is
is
Value
blank
blank
blank
blank
Step 2 Lock the device to Flex
Configuration Profile (before data entered)
So once we have the smart group created and we have confirmed its correct operation (please always check your smart groups are correct), i.e. edit the user details to see if the smartgroup responds correctly once you enter some information.
Navigate to:
Jamf Dashboard > Mobile Devices > Configuration Profiles
Next we want to lock the device to the Flex app. So for devices with missing information we deploy a configuration profile to only allow Flex.
Name
auto – Device info missing
Payload
Single App Mode App Name: FlexMDM
Scope
Flex-Device information Missing
bundle identifier is com.d8services.flex
So far we have created one smart group and one configuration profile. The result on the device is that at any time the user information is removed the profile to apply “Single App Mode” is re-applied.
If the device is to remain on a shelf until it is assigned it can be powered down. The next user who received the device then submits their details and once complete single app mode will be disabled.
Step 3 Data Entered – what now?
I’m glad you asked, well now we have our devices with all the information we want or need, so now we will simply deploy our configurations. Targeting All devices while excluding the smart group we created earlier. In the scope pane of a configuration profile you will see three tabs across the top of the screen. The first is the target, i.e. the main body of devices you want to deploy to, the second is the limitation of the target group, and lastly there is the exclusion group. As we created a smart group for information missing, we can simply add that group here.
Name
auto – Exchange Configuration
Payload
Exchange ActiveSync
Scope
Target: All devices
Limitation: none
Exclusion: Flex-Device information Missing
Payload Value
Account Name: D8Flex
Exchange ActiveSync Host: outlook.office365.com
Domain: blank
User: $EMAIL
Email Address: $EMAIL
Password: blank
Step 4 Lock Screen details
Lock Screen Message and gocha’s
Now you might ask why we need a discussion on this, but the lock screen is only deployed when either we manually modify the Configuration Profile and re-push this to “All Devices”, or when you fall in and out of the scope, maybe via smart group (I’m glad we created one earlier, arn’t you?).
So if you deploy a lockscreen screen payload to the device before all user data is available, then the Jamf server sends out a configuration profile without any user information included. It will not resend if the user data is updated, either manually or via Jamf, it must be resent to the device one information is present.
Now this said you could choose to simply contain Building or Department information and nothing about the end user. If this is the case simply assign it to the Building or Department. If you assign a configuration profile to the scope of a Building and Department then the profile might be installed when only one is set, meaning the result in the “LockScreen” will simply display the variable name i.e. $DEPARTMENTNAME instead of the actual department name. To correct this you will have to redeploy the profile. A way around this is to make a smart group for the Building and Department, then scope to this, ensuring both are set prior to assignment.
Name
auto – Notification Screen
Payload
Lock Screen Message
Scope
Target: All Devices
Limitations: none
Exclusions: Flex-Device information Missing
Payload Value
Asset Tag Information: | $EMAIL | D8Flex | $DEPARTMENTNAME | $BUILDINGNAME |
I realise that the Asset Tag Information payload above might appear a bit odd looking, but the end result we want is as follows:
| [email protected] | D8Flex | Development | Bangkok Soi 105 |
A quick screen shot from the device after deployment is below. When a configuration profile contains variables it means we do not need multiple profiles for each device. One will surfice, but Jamf populates this variable with the device information at the time of deployment. So each device receives its very own profile.
For more variables you can use with Jamf configuration profiles please have a look at Jamf’s Administrator Guide
serverURL
this “should be set to $JPS_URL, this is the URL to connect to your Jamf PRO Server, by using the Jamf variable the URL is submitted by Jamf during deployment
string
apiCredentials
Credentials for the Jamf Pro service account you will be using with Flex, we have created both an App and demonstrated the raw code for you to choose. see under credentials on this page https://flex.d8services.com/flex-app-config-examples/
string
deviceID
device ID with in your Jamf PRO Server, this value must be set to the Jamf variable $JSSID. If you enter a value manually here flex will show you another devices inventory record. DO NOT CHANGE THIS
string
frontPageGraphic
Currently not in use, but if we receive feedback we can start work on this. It is the URL for the graphic you may want to have as the loading screen
string
submitText
Text used by Flex to display the submission button after editing, allows for folk from other countries to use their language. Flex will default to “Submit” if this value does not exist, but you could have “enter”, or whatever you like.
string
forceDataEntry
optional to force Flex to the edit screen on initial launch.
Boolean true/false
isEditable
Does Flex allow the end user to edit the user data? If you disable this then you could simply use Flex for showing your users their “collected” data on your server. And also allow end users to update inventory etc.
Boolean true/false
enableAssetTag
Will the Asset Tag field visible in both the edit and display only pane.
Boolean true/false
enableUsername
Will the username field visible in both the edit and display only pane.
Boolean true/false
enableFullname
Will the Full Name field visible in both the edit and display only pane.
Boolean true/false
enableEmail
Will the Email field visible in both the edit and display only pane.
Boolean true/false
enableDepartment
Will the Department field visible in both the edit and display only pane.
Boolean true/false
enableBuilding
Will the Building field visible in both the edit and display only pane.
Boolean true/false
enableSites
Will the Sites field visible in both the edit and display only pane.
Boolean true/false
labelUsername
Text used to describe the Username field, also can be another language, based on your preference
string
labelSites
Text used to describe the sites from Jamf PRO, also can be another language, based on your preference
string
labelBuilding
Text used to describe the Building field, also can be another language, based on your preference
string
labelDepartment
Text used to describe the Department field, also can be another language, based on your preference
string
allowErase
Will Flex allow end users to wipe their device? The erase option will be greyed out if false
Boolean true/false
enabledEAs
Extension Attribute names allowed for viewing (enter these in your language in Jamf, and then enter the same string of characters in this field) upto 4 individual EA’s are allowed
Array of strings
editableEAs
Extension Attribute names used in the edit screen (enter these in your language in Jamf, and then enter the same string of characters in this field) upto 4 individual EA’s are allowed
Array of strings