36 KiB
Overview
Fleet
Fleet is an Apple-oriented, modern, transparent device management solution with multi-platform support for Linux, macOS, iOS, iPadOS, Windows, Android and Chromebook devices. Fleet has an API-first design with built-in GitOps console management. Fleet is based on open-source technology providing near real-time reporting, comprehensive device control and automated remediation capabilities.
Jamf
Jamf has evolved over two decades as a management solution focused on Apple devices. Jamf Pro added Android and Chromebook management in the past, removed it, and recently announced support for Android again. Jamf sells a range of products that integrate with Jamf Pro for an additional cost to the Jamf Pro license. Jamf has a large customer base and long history in the Apple device management space.
Key differences
Fleet and Jamf serve different strategic purposes based on fleet composition and workflow needs.
Platform support
| Fleet | Jamf Pro | |
|---|---|---|
| macOS management | Yes — Full MDM lifecycle | Yes — 20+ year track record |
| iOS / iPadOS management | Yes | Yes |
| Windows management | Yes | No |
| Linux management | Yes — Native osquery agent | No |
| Android management | Yes | Yes — Partner developed solution |
| Chromebook management | Yes | No |
| tvOS / visionOS management | No | Yes |
| Device scoping & targeting | Yes — Dynamic labels, Manual labels, and Host vitals labels | Yes — Smart Groups + Static Groups |
Enrollment and provisioning
| Fleet | Jamf Pro | |
|---|---|---|
| Zero-touch deployment (ABM/ASM) | Yes — ABM/ASM + Autopilot | Yes — ABM/ASM; deep Apple integration |
| End-user IdP auth at Setup Assistant | Yes — SAML SSO during OOBE; local account pre-filled from IdP | Partial — Platform SSO available but less integrated |
| Bootstrap apps & scripts during Setup Assistant | Yes — Configure required apps and scripts before device release | Partial — PreStage enrollment triggers policies, less granular gating |
| BYOD enrollment | Yes — Incl. Android work profiles | Yes — User-initiated enrollment |
| MDM migration from another vendor | Yes — Built-in migration workflow | Partial — Possible but no built-in migration tool |
| Identity provider integration at enrollment | Yes — Okta, Entra, Azure AD, etc. | Yes — Platform SSO; Simplified Setup |
Identity and access
| Fleet | Jamf Pro | |
|---|---|---|
| SAML SSO for admin console | Yes — SP- and IdP-initiated flows | Yes — SSO for Jamf Pro console |
| SCIM user provisioning & attribute sync | Yes — Provision/deprovision via SCIM with attribute sync | Partial — Limited SCIM; primarily manual user management |
| IdP user-to-host mapping | Yes — Sync IdP user attributes to hosts via SCIM | Partial — Manual or LDAP-based; no automatic mapping |
| Role-based access control (RBAC) | Yes | Yes |
| SCEP certificate deployment (e.g., Okta Verify + FastPass) | Yes — Deploy SCEP cert profiles for device trust | Yes — SCEP via AD CS or third-party CA |
| Conditional access integration (IdP policy-based block) | Yes — Policy failures trigger IdP conditional access blocks | Partial — Requires Jamf Connect or third-party integration |
Configuration management
| Fleet | Jamf Pro | |
|---|---|---|
| Configuration profile delivery with full confirmation | Yes — Upload custom profiles | No |
| Declarative Device Management (DDM) | Yes | Partial — Blueprints framework (Jamf Cloud) |
| Enforce disk encryption (FileVault/BitLocker) | Yes — Mac + Windows | Yes — Mac only (FileVault) |
| Disk encryption key escrow and recovery | Yes — Keys escrowed in Fleet, retrievable via host details | Yes — FileVault key escrow in Jamf Pro, retrievable by admin |
| Enforce OS updates | Yes — Mac, iOS, Windows | Yes — Mac, iOS; managed software updates |
| OS update ring groups (canary/staged rollout) | Yes — Fleets for Ring 0 and Ring 1 with DDM enforcement | Partial — Smart Groups approximate rings, no built-in concept |
| Device scoping & targeting | Yes — Labels (dynamic via osquery) + fleets | Yes — Smart Groups + Static Groups |
| Local admin account creation and password escrow | Yes — Script-based, credentials retrievable | Partial — Requires Jamf Connect, not built into Pro |
Software management
| Fleet | Jamf Pro | |
|---|---|---|
| App deployment | Yes — Fleet-maintained apps + custom packages | Yes — App Catalog + custom packages |
| Self-service app installation | Yes | Yes — Self Service+ (recently enhanced) |
| Volume Purchase Program (VPP / Apps & Books) | Yes | Yes |
| Patch management | Yes — Vulnerability-driven; cross-platform | Yes — App Installers; macOS & iOS focused |
| Pre/post-install scripts for app deployment | Yes | Yes |
| App install/uninstall/reinstall from admin UI | Yes — Per-host from host details | Yes — Via device management actions |
| Script execution | Yes — Cross-platform (Mac, Win, Linux) | Yes — Mac scripts; Bash, Python, etc. |
Security and compliance
| Fleet | Jamf Pro | |
|---|---|---|
| Vulnerability detection (CVEs) | Yes — Built-in; CISA KEV; cross-platform | Partial — Basic in Pro; deep scanning requires Jamf Protect ($) |
| Compliance benchmarks (CIS / STIG) | Yes — CIS queries publicly available | Yes — Compliance Benchmarks (mSCP) in Pro |
| Compliance policy dashboard (per-host pass/fail) | Yes — Per-host pass/fail on Policies page | Partial — Smart Groups imply compliance, no unified dashboard |
| Endpoint detection / threat monitoring | Yes (built-in) | Partial — Requires Jamf Protect (separate purchase) |
| File integrity monitoring (FIM) | Yes - evented tables (built-in) | Partial — Requires Jamf Protect |
| SIEM integration | Yes — Custom log destinations; included | Yes — Pro event logs; richer with Protect ($) |
| Lock / wipe commands | Yes | Yes |
Visibility and reporting
| Fleet | Jamf Pro | |
|---|---|---|
| Real-time device queries | Yes - Live queries | Partial — Inventory on check-in schedule |
| Hardware & software inventory | Yes — Extensive | Yes — Comprehensive Apple inventory |
| Application inventory and patch status view | Yes — Per-host and fleet-wide; flags hosts below target version | Yes — App inventory; patch status via App Installers |
| Custom data collection | Yes — Custom SQL queries across 300+ tables (built-in) | Partial — Extension attributes (scripts) |
| Offline device alerting (webhooks) | Yes — Configurable offline threshold, alerts fire automatically | Partial — Webhook notifications available, less granular thresholds |
Remediation and automation
| Fleet | Jamf Pro | |
|---|---|---|
| Policy-triggered auto-remediation | Yes — Attach remediation script to policy, auto-executes on failure | Partial — Smart Groups trigger policies, no direct policy→script link |
| On-demand script execution from admin UI | Yes — Per-host from host details, real-time output | Yes — Remote commands available for macOS |
Offboarding and lifecycle
| Fleet | Jamf Pro | |
|---|---|---|
| User deprovisioning via IdP (SCIM) | Yes — SCIM removes host-user mapping and revokes access | Partial — Manual user deletion, limited IdP-driven deprovisioning |
| Device re-assignment between users/teams | Yes — Transfer device to new fleet, profiles auto-applied | Yes — Move between sites/groups, profiles re-applied |
| End-user transparency | Yes — Scope transparency; open source | Partial — Limited native transparency features |
Architecture and operations
| Fleet | Jamf Pro | |
|---|---|---|
| GitOps / infrastructure as code | Yes — First-class; YAML/Git-based | Partial — IBM Terraform-based, not all functionality available |
| API-first architecture | Yes — Unified REST API; all features | Partial — Multiple APIs; GUI-first design |
| Self-hosted deployment | Yes — On-prem, cloud, air-gapped | Partial — functionality not as complete as cloud |
| Managed cloud hosting (SaaS) | Yes | Yes — Jamf Cloud |
| Open-source / source-available code | Yes — 100% on GitHub | No — Proprietary |
| Audit logging | Yes | Yes |
Pricing and licensing
| Fleet | Jamf Pro | |
|---|---|---|
| Free tier available | Yes — Core features; unlimited hosts | No — 14-day free trial only |
| Pricing model | $7/host/month (Premium); all features included | ~$3.67–$7.89/device/month; varies by device type |
| All-inclusive security (vuln, EDR, FIM) | Yes — Single license covers everything | No — Protect, Connect, ETP sold separately |
Support and ecosystem
| Fleet | Jamf Pro | |
|---|---|---|
| Vendor support channels | Email, phone, video (Premium); community Slack | Chat, email, phone; premium services available |
| Community & ecosystem maturity | Growing — Active open-source communities & ecosystems | Mature — Large user base; Jamf Nation; 20+ years |
| Apple relationship & day-zero OS support | Yes — Apple-oriented; tracks releases | Yes — Close Apple partnership; historically day-zero |
Device management workflow comparisons
Enrollment and provisioning
Both Fleet and Jamf Pro support Apple Business / School Manager integration for zero-touch deployment (typically meaning that devices ship directly to end users and enroll via an automated process on first boot.)
Both solutions also provide options for deploying MDM enrollment profiles via supervision and settings that prevent end users from removing management and MDM configuration profiles without authorization, giving organizations strong enforcement controls to match requirements and comply with standards.
Configuration management
Jamf allows admins to create Smart or Static groups as the mechanism for controlling the scope of management automations and configuration profile delivery. Jamf includes configuration profile templates for building profiles to deliver common settings.
Fleet directs Apple device admins to iMazing Profile Creator for building configuration profiles. Fleet uses fleets and labels to assign and deliver configuration profiles to devices. Labels can be manual (e.g., arbitrary assignment by serial number), dynamic (based on device state assessed) or set via "Host vitals" (i.e., using server-side attributes of a device like IdP group membership.) Validation of configuration profile delivery is obtained separately from MDM for complete assurance of device state.
Software management
Jamf provides an App Catalog and integrated Apps and Books distribution for volume purchasing with scoping based on Smart or Static Groups.
Fleet provides software management through Fleet-maintained apps and also includes Apps and Books distribution for volume purchasing from App Stores.
Both solutions provide the ability to upload custom software packages for installation and scripting capabilities for automation. This ensures that complex software (e.g., security applications like CrowdStrike) can be customized during installation.
Security and compliance
Jamf Pro is Jamf's flagship device management solution but it is not an out-of-the-box security solution. Jamf Pro enables management of FileVault disk encryption, Gatekeeper, and other Apple features which help to keep devices secure, however, Jamf's advanced security offerings like Jamf Protect and Jamf Executive Threat Protection are separate products from Jamf Pro that must be purchased separately at additional cost.
Jamf's security products make use of Apple's native Endpoint Security Framework for EDR and telemetry collection enabling security monitoring and SIEM integration capabilities, but, this potentially means detection and compliance are more expensive when using Jamf's full product line.
Fleet approaches security and compliance through built-in software vulnerability detection and the power of built-in osquery reporting combined with automation capabilities for enforcing and remediating controls on top of complete support for Apple's MDM specification (which includes control over basic security features like FileVault and Gatekeeper.)
These combined Fleet capabilities make it straight-forward to enforce compliance baselines using frameworks like CIS or STIG. Threat detection in Fleet works through the creation of queries to find attributes, device processes, file systems, network configurations, malware detection via YARA-based signature matching, and vulnerability intelligence. Security monitoring, data collection, SIEM integration, and all other Fleet capabilities are included under a single license at no additional cost. Fleet provides visibility into software inventories, file system events, connected hardware, firewall status, and virtually any imaginable attribute of any device via the Fleet osquery data table schema.
Single-platform vs. multi-platform support
Whether or not your device management solution has multi-platform support capability determines if consolidation of your device management tooling is possible. Maintaining multiple single-platform solutions can be complex and expensive. Multiple solutions may mean multiple, separate IT teams and it definitely means managing multiple contract renewals.
Jamf provides purpose-built management capabilities across Apple's device range but really only specializes in Apple, with recently announced Android support.
Fleet offers comprehensive multi-platform coverage for Linux, macOS, iOS, iPadOS, Windows, Android and Chromebook devices from a single console.
FAQ
What is the main difference between a single-platform device management solution and a multi-platform device management solution?
Specialized MDM solutions focus on one device ecosystem. multi-platform MDM solutions provide unified management across different operating systems from a single console. Try Fleet to see how multi-platform management can work in your environment.
Can multi-platform device management solutions manage Apple devices as effectively as Apple-specialized platforms?
Fleet is an Apple-oriented device management solution. Though it is multi-platform, Fleet provides management capabilities at parity with solutions like Jamf for most use cases including zero-touch, automated enrollment through Apple Business or School Manager, delivery of MDM configuration profiles, MDM commands, Declarative Device Management support, software management, script execution and strict control over scoping management objects to the right devices.
What should I consider when comparing MDM costs?
Both Fleet and Jamf Pro offer per-device subscription pricing with costs varying based on fleet size and requirements. Organizations should consider implementation effort, training needs, and ROI savings through tool consolidation when choosing to move to a new device management solution. More specialized training and support may be required when maintaining multiple device management solutions. multi-platform device management solutions enable tool consolidation that can offset per-device costs.
In addition to device management feature parity with Jamf, Fleet includes capabilities that Jamf does not like GitOps console management, software vulnerability reporting, osquery data collection, and SIEM integration under a single license per device at no additional cost. These inclusions may allow an organization to trim costs even further when consolidating tools by moving to Fleet.
How long does it take to implement device management across different platforms?
Implementation and migration timelines vary based on fleet size and organizational requirements. Fleet offers world-class customer support and professional services to assist organizations with migration. End user migration / enrollment workflows are available for all computer platforms Fleet supports (mobile device MDM migrations are limited by product vendor capabilities and can therefore be more challenging to do.) Schedule a demo to discuss specific implementation timelines for your environment.