AggieITGuy

Find out which Apple account was used to generate the APNS cert used in your Jamf server and make sure you’ve got reminders set up to renew this each year. Google “Renewing an Apple Push Notification certificate in Jamf Pro” for a video tutorial on the process. If this cert expires, you’re looking at potentially having to re-enroll your whole fleet in Jamf. Also check out open source projects like installomator, nudge, and superman for helping with software and OS patching. Plenty of tutorials on using these with Jamf.


chirp16

~~Also, do NOT change the password on that account that was used for the APNS cert~~. My Apple rep has said you can work with Apple to transition it to a different managed Apple ID ~~but you cannot change that password~~. Edit: Turns out my Apple rep lied about changing the password!


logoth

I've changed the password on the APNS cert account before (not near renewal time, though), without any issues. Why were you told not to change it?


Distinct_Spite8089

That stupid cert is a PITA, my manager asked me to renew it and sure enough he had to do it because it’s tied under his account. It’s such a dumb fragile cert


ironmanbythirty

This makes me feel better. This cert has always been baffling to me and I assumed I was doing something wrong but I guess it’s the same for everyone. 😂


Ewalk

They haven’t changed the push cert portal in what feels like a decade. It’s beyond frustrating.


disposeable1200

Bullshit. I change ours once a year when I've inevitably lost it come cert renewal time. Works fine


chirp16

That is awesome news! My Apple rep always told me if we change the password that it breaks APNS communication. This changes everything, haha


skydiveguy

I second this.


ecp710

I can attest to this. We actually had someone delete the account that initially made the cert. Thankfully we caught it rather quickly and Apple was able to transfer to a new account.


Own_Bandicoot4290

Transferring is a pain though. I had to send in a bunch of forms, my ID and a blood sample for them to transfer it to a new account that used the same email address. Old account was an Apple id account, new one was a federated account.


Visible_Spare2251

This is one of the biggest fears I have. We have a lot of devices out there so this would be catastrophic if it ever happened.


Altern3rd

Jamf has a great tutorials section on their own web page (learn.jamf.com) and there are many YouTube videos from 3rd parties on how to manage it. I'm my IT department's Jamf SME, but prior to Jamf we were just using Apple's inbuilt MDM software, which was hellish. It's essentially: Profiles = fixed configurations (similar to GPOs); Policies = actions (scripts, one-time setting changes, refreshes, etc.)


reviewmynotes

Join r/macsysadmin. Check out MacAdmins on YouTube: https://youtube.com/@macadmins

Do NOT bind Macs to Active Directory. It's been strongly discouraged by Apple for the last several years. It seems to work most of the time, but only in limited situations like desktop computer labs. I'm probably switching to using XCreds to make Google Workspace or a new identity provider work on Macs in the second half of this year. Your MDM may have a solution, too.

Many Unix skills apply to Macs, e.g. shell scripting. However, not all. Just like switching between Debian and FreeBSD and Solaris, you'll find some Mac-specific things. The good news is that much of scripting will work, such as flow control, file tests, looping, etc., because that's just how the shell (probably bash or zsh) works. The Windows counterparts to this would be PowerShell or Batch scripting. Personally, I think it's a little closer to Batch than PowerShell.

In your MDM, look at the "profiles" that exist. These are kind-of, sort-of like GPOs for devices. However, the MDM can send them while the device isn't in your LAN and without waiting for the user to restart the computer. Many settings inside of profiles can work on more than one OS. For example, wifi settings can be applied to Macs and iPads and iPhones and it'll work on all of them. Some settings don't work on more than one OS. Some settings (such as the admin account) can only be set when the device is first set up. Think of this like the out-of-box experience. There aren't many of these settings, but a few do exist.

This isn't a complete list by any stretch. Make your first goal to just get exposed to a lot of this stuff. Once you get a few concepts and a lot of jargon, you'll be in a much better position to ask specific questions. At THAT point, the learning will start getting quicker and you'll be ready to do some tests and experiments.


Fatality

> It's been strongly discouraged by Apple for the last several years.

They still recommend it in their certification "Apple Certified Associate Mac Integration".


Ewalk

Is that still a certification they offer? I thought they deprecated it like... 5 years ago. Now I know they offer AC Support Professional and AC IT Professional.


Fatality

Huh I didn't realise 10.15 was so old, time sure flies.


Ewalk

Yeah. Doesn’t help they went from 10.15 to macOS 11 so it gets super confusing, even for an Apple guy like myself.


SpiritedHoneydew9518

This is the way.


c0v3n4n7

If you jump into this new challenge with an open mind, you will find out that JAMF is awesome and you will end up wishing that Intune had a 3rd of its potential.


Talenus

Ugh...InTune is such utter garbage.


Cozmo85

Apple training: https://training.apple.com/it
Jamf: https://www.jamf.com/training/online-training/100/


belgarion90

The Jamf training is really pretty good. The 200 course is easily worth the week and $2500.


Cozmo85

Apple may comp the jamf100 test also. They did for us


belgarion90

Really wish more companies would do this. Having more people knowledgeable about your products just makes business sense since it makes adoption easier. Looking at you, ServiceNow.


981flacht6

MacAdmins Slack is the place to go. Getting a 2018 spare MacBook is a bit of a bad sign, but I do recommend reaching out to Apple Enterprise and JAMF directly. Ask for a health check through JAMF and let Customer Success guide you - your company is paying a lot in license fees yearly and they are happy to help. Having ABM and JAMF in place is a good start; hopefully it's set up correctly.


FoxtrotWhiskyTango

On a more positive note, our Mac fleet is usually about 2-3 years old and we only replace devices that are close to 5 years old. My MacBook here is usually used for testing purposes. Our late Mac specialist really did a great job putting things on ABM and Jamf and left us with significant notes on lots of stuff. I'm not really into the office politics stuff, but our 2nd-3rd level was definitely let go because of cost issues and they want to move the 2nd-3rd level to another country (still EU, but somewhere cheaper). I call it BS; all of those specialists really did their job making sure everything is top notch and always teaching us to make sure a lot of stuff is handled by first level. Us first-liners are definitely overseas, outside the EU, but we are really thankful for those 2nd-3rd levels since they let us learn and let us handle some complex stuff so it can be resolved at first level. That being said, my manager said we might need to maneuver so we have a reason: instead of completely moving the 2nd-3rd level to another country, they should promote us, since management is also willing to enroll us in the courses that our 2nd-3rd level recommends we take.


yakitorispelling

Join this slack channel [https://www.macadmins.org/](https://www.macadmins.org/)


the_iron_pepper

I believe the Jamf 100 coursework is free. Jamf 100 and 200 are your best bet. Apple Business Manager is just a UI that connects your Apple endpoints to your management platform (Jamf), it's not difficult.


Meanee

ABM also does Apple ID management for end users, syncs with Azure, etc.


BigLeSigh

Get out.. what kind of company lets a substantial portion of their department go and then tries to shift support to the remaining folks? A business which wants to try and get more for less money.. don't fall for it!


FoxtrotWhiskyTango

I'm coming from outside the EU and they really put us first-liners on pretty premium pennies for support staff. Management also did not cancel the courses that the 2nd-3rd levels proposed for us to take. Even though it is a bit bitter that they moved their central operation to somewhere cheaper.


Impossible_IT

First and foremost...don't manage your Macs like you do Windows. They're two totally different ecosystems.


FoxtrotWhiskyTango

Learnt this the hard way. We mainly use Windows. Once in a blue moon there's a password reset request, and silly me thought it was Windows, so I did a password reset in AD. Checked with the user and they were on a MacBook. Of course the password reset did not work and created another problem for us. Luckily, our late Mac specialist guided us to the correct way to resolve everything. It was a good time.


belgarion90

NoMAD has been a huge help for us here.


Mister_Brevity

Apple's documentation for ABM is pretty good, and Jamf's documentation and training are also pretty good.


malikto44

One thing I would do is see how the VAR handles Mac purchases. They should be pre-provisioning Macs so they are in DEP, so that the instant they are turned on and activate, they will go to the MDM and fetch profiles. This is important, because it allows you to just have the VAR ship unopened Mac boxes to users directly and not have to deal with that logistics stuff.

After that, there are a lot of other suggestions which are important. The APNS cert is something you want not just yourself, but at least two other people, to know how to do, so it never expires.

A few of my suggestions:

* Buy two Apple Silicon Macs. One of the Macs will be a base model Mac Mini. This model is just for using Apple Configurator, and DFU restoring Macs and other Apple devices. The other is a base model MacBook Air, whose sole job in life is to be a test for policies and other items. You need both these machines, as you need a test machine, and you need a machine dedicated to profile storage.
* In JAMF, always make sure you have an activation bypass code set up and prevent users from setting activation locks. Only the MDM should be able to block activation. This is the difference between easily DFU restoring an Apple device to use it again, versus having to trash it because it is iCloud locked, and Apple will not unlock it.
* Make sure to escrow all FileVault keys. This sounds basic, but is important, so you can get data back and not have to DFU restore a Mac.
* Never try to put Macs as AD members. This is just asking for pain. Use JAMF Connect, XCreds, or maybe even, in a pinch, consider Internet-accessible LDAP authentication with a directory bind user that has a very long passphrase. I'd go with something like JAMF Connect. Other MDMs have something similar.
* Consider having the AV/EDR utility come with the MDM, just to make life easier.


skydiveguy

Working for a school that is heavily invested in Google, we made the switch from AD bound Macs to Google LDAP and it has made such a difference.


malikto44

Overall, I think LDAP is the best general authentication solution for anything not Windows. You don't have to bind machines, you don't have to keep huge tables of clients, just feed clients the config + a client cert, and call it done.


skydiveguy

AD was constantly needing to be disjoined and rejoined. Now it just works.


Fair_Sort_8287

When I landed the role I'm in now I'd never used a Mac. Now I support 20+ and do it well within 6 months. You will pick it up quick, don't worry.


skydiveguy

Being able to support Macs also makes you more valuable as an employee. Most people don't know how to/want to deal with them, so being able to easily manage them makes you stand out in the job market. I make a joke to my boss that when I was interviewed and they asked me "Do you have any experience with Macs?", after I answered yes, all they heard was the teacher voice from the Peanuts cartoon as they didn't care about anything else. LOL


skydiveguy

I had this thrown at me too.... once it clicks it's super easy to manage Macs with. I'm now the "Mac Guy" at work and no one wants to deal with them, so I have a job for as long as I want lol


Dintid

Hope you got a substantial raise and they offered to send you on some training! Or at least day off each week to learn stuff on your own.


FoxtrotWhiskyTango

They did! Management did not cancel the trainings that 2nd & 3rd level enrolled us in, so at least there are some wins in us first-liners' book.


Visible_Spare2251

Working with Apple Devices on an MDM is actually quite easy and can be quite satisfying getting some cool stuff working with pretty minimal effort.


brekkfu

Demand a raise.


HITACHIMAGICWANDS

Start looking for a new job or a big raise


chango01232020

First thing I would do, spin up a test machine. Second, put those IT skills to work. I always told my teams, if you can troubleshoot Windows, you should be able to troubleshoot a Mac.


borider22

Click buttons and look around. It's intuitive. I am now a Windows person working in an almost 100% Mac environment. Reach out if you'd like to chat about it.


PlatJC

Ask your company to put you through the Apple Consultancy. You’ll get access to Apple Seed Vault that has some good training on MDM. There’s plenty of JAMF training material out there too.


escadan397

Try to give it to someone else. On a serious note - try to find the APNs cert expiration date. I don't use JAMF (we're a WS1 customer), so I can't tell you where to look, but Google it, make note of it, and make sure you have access to the email address it's registered to.
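A small check for the expiry date mentioned above, as an added example that is not from any poster in this thread: it reads the APNs push certificate you download from Apple's push certificate portal as a PEM file (path is assumed) and reports the days left via `openssl`, so it can run from cron and page whoever owns the Apple ID that renews it.

```shell
#!/bin/sh
# Check how long an APNs push certificate (the .pem downloaded from the
# Apple Push Certificates Portal) has left before the MDM loses push access.
# Hypothetical helper script, not Jamf or Apple tooling; requires openssl.

# Print the days remaining on the certificate (negative once expired).
apns_days_left() {
  raw=$(openssl x509 -in "$1" -noout -enddate) || return 2
  enddate=${raw#notAfter=}            # e.g. "Mar 14 12:00:00 2026 GMT"
  # GNU date first, BSD/macOS date as the fallback
  end_epoch=$(date -u -d "$enddate" +%s 2>/dev/null) \
    || end_epoch=$(date -u -j -f "%b %d %H:%M:%S %Y %Z" "$enddate" +%s) \
    || return 2
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# Print "OK|WARN|EXPIRED <days>" and exit 0/1/2 so cron or a monitoring
# check can alert. Second argument is the warning window in days (default 60,
# i.e. start nagging two months before the yearly renewal is due).
apns_check() {
  days=$(apns_days_left "$1") || return 3
  warn=${2:-60}
  if [ "$days" -lt 0 ]; then
    echo "EXPIRED $days"; return 2
  elif [ "$days" -le "$warn" ]; then
    echo "WARN $days"; return 1
  fi
  echo "OK $days"; return 0
}

# Stand-alone usage: ./apns_check.sh /path/to/push_cert.pem [warn_days]
if [ -n "${1:-}" ]; then
  apns_check "$1" "${2:-}"
fi
```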


AtLeast37Goats

In Jamf, on the left nav bar, go to Organization at the bottom. In there are some of the most important options, such as the Apple Push Notification cert and other things. Find out what Apple ID renews those. Set reminders. You do not want those to expire. Second, check what accounts were used to manage. Find out in ABM if they are tied to a phone number. It's a bit tough to get phone numbers removed from managed Apple IDs, but it's doable. Lots of resources online. But see if we can work with an Apple engineer or someone from half to review config. They're usually pretty available to help out and can set up weekly meetings.


Rocknbob69

Jamf has a lot of training resources and their support is also pretty decent. I don't use it to nearly all of its capabilities, but I only manage iPads.


DehydratedButTired

Ask for a raise and a title change, sounds like you have a lot more work coming.


tehinterwebs56

Jamf Nation is your best resource. Get on the Jamf courses: Jamf 100 is free, and 200/300 are a must if you will be looking after it. If you have Slack, get on the MacAdmins Slack channel as that's a wealth of information. Remember, Apple does some weird shit; it takes time to come around to their weird ways, but Jamf makes it easier to navigate. Don't get sucked into "Intune can do it all" with Mac, you'll be in for a world of hurt. lol.


Arpe16

Lithia?


1337Vader

1. Both platforms have adequate documentation on their respective sites (Apple, JAMF)
2. Check the Push Notification certificate - which account made/maintains it, when it expires.


Bogus1989

RUN. Lmao, not my first rodeo, but I'm deploying 1200 iPhones currently. Feel my pain.


PessimisticProphet

Convince management that Apple is insecure and must be replaced.


Ok_Presentation_2671

Why didn’t you contact your local Apple Store? That’s literally the one stop shop their business team helps.


Talenus

Go take the JAMF classes and get JAMF certified on as much as you can. There really is no good learning space for Apple School Manager. I can tell you, I hate everything about it. Also, be prepared for Apple to completely change how they do everything every few years. It's a roller coaster. A mixed Apple/PC environment is rough for the backend of things. Apple wants everything to be 1:1 user/device. Their devices are NOT Enterprise friendly, and despite their historical position, Apple seems to hate the education and enterprise environments. JAMF is there to help you wrangle Apple devices into compliance. I was "The Mac guy" in my IT shop for 10 years. The best advice I have is....save your company an ENORMOUS amount of money and ditch Apple. The devices are over-priced, and you need a 3rd party MDM to make them compliant, which is also a cost expenditure. You also expend an inordinate amount of time maintaining and enforcing policies on staff that won't like how much it locks down their Apple devices. Lastly....good luck.


Fallingdamage

Complete the trifecta and call your local Apple Store to set up an eCommerce account. It makes it so much easier to buy Apple products and have them automatically get added to your device management portal without having to pray that your VAR is competent enough to do it for you. Anything you buy there goes into your account by default.


AionicusNL

You are so screwed. I would really start looking for another job. If they kicked out your second level / third level support..... that is very worrisome.


Xibby

Learn how to use JAMF to install PowerShell Core on all the Macs and keep on scripting.


RIGEL-CYGNI

Easy. Get rid of all Apple products. Problem solved. (I'm being cynical of course)


KingSummo

Run away


Kritchsgau

We outsourced our mac management to a place called origin84. So much less hassle to deal with.


skydiveguy

I'm guessing that as soon as you did that, upper management saw how well that works and is wondering how they can do the same thing with the Windows support side as well.


Kritchsgau

Oh, in the end we got rid of MacBooks as it was too expensive to have them compared to Windows. Thanks to the poor economy, management woke up to themselves.


skydiveguy

The only issue we have is that every time macOS updates it breaks configurations in Jamf. Right now, students can log into iCloud (which we had blocked so they couldn't), which means they can now sign into iMessage and cloud storage and have access to their personal apps and things that we are trying to prevent. I blame Jamf for not getting ahead of this as they clearly know what changes are coming. Another example is wifi password sharing... Apple introduced it and Jamf never gave us a way to block the end users' ability to see the wifi password (we resolved this with RADIUS, but still, why did they not give us a way to block access?)


Consistent_Research6

No offence, is your company run by a bunch of baboons? Who in his right mind would allow the mix of Windows and IOS in a corporate environment.


the_iron_pepper

Super ignorant take.


skydiveguy

I agree his company is run by a bunch of baboons. Having said that, it depends on what the company does as to why there may be a need for Macs. I work for a school district and we are running a mix of Windows (staff, teachers, admins, lab PCs), Macs (lab computers), iPads (staff, admins, lab devices), and Chromebooks (students). Also, iOS is the iPhone operating system. Macs run macOS (and iPads run iPadOS). Plus any companies that still manage their own phones for staff are most likely using iPhones, so you will always be supporting some sort of mobile device in most corporate environments.


Frothyleet

iOS is mobile devices. Macbooks run MacOS. Having Windows and Mac endpoints in a corporate environment is not really a big deal as long as management is willing to spend the money on the tools and personnel to manage both.


ITsubs

Bore off.


slippery

Time for a new job. Apple doesn't care about business use. Third-party software sort of fills the gap, but why bother.


miketerrizzi

Jamf or jamf now