Introduction: doing more with less
Dean Hager welcomed all to Jamf’s virtual spring event: Jamf’s follow-up to JNUC in which we share what we’re working on and what is coming next.
“We are all being asked to do more with less these days,” said Hager. “Fortunately, Jamf and Apple can help you do just that.”
During challenging economic times, productivity and protection are essential for us to stay competitive. Research shows that the total cost of ownership is lower and return-on-investment higher for Apple and Mac than for other devices. This results in substantial savings.
“Jamf’s comprehensive management and security platform helps organizations deploy Apple devices that team members love and organizations trust,” said Hager.
How’s Apple doing?
Things looked better for Apple than for other tech organizations during this difficult past year. Mac, iPad, and iPhone all experienced substantial gains in market share worldwide, thanks in part to an increase in BYOD programs that support Apple.
With work-from-anywhere models here to stay, Jamf offers the right balance of simplicity, privacy and security that Apple users need.
“As I’ve said many times,” said Hager, “we at Jamf bridge the gap between the great innovations at Apple and what businesses and schools require. We have always been Apple-first. But as you will see today, after establishing the foundation and support for new Apple workflows, Jamf is broadening the reach of several of our products for institutions that may not be Apple-exclusive.”
Jamf in schools
Sam Johnson, Chief Customer Officer/Chief of Staff, discussed Jamf in schools.
“Many strive to be Apple-first and Apple-best,” said Johnson, “but few if any truly succeed in creating experiences that take full advantage of everything Apple devices have to offer.”
Jamf Safe Internet
While Jamf has made tremendous progress, we have yet to meet our goal of protection for all students.
Fortunately, Jamf Safe Internet, released in 2022, significantly closes this gap for educational institutions.
Jamf Safe Internet is best-in-class web content filtering. It’s also threat prevention tailor-made for education. It ensures that students can access the wonders of the internet without hesitation or fear that they stray outside of school-created boundaries.
“And better yet,” said Johnson, “admins find Jamf Safe Internet a dream to deploy to their devices.”
More than 500 schools are already adopting Jamf Safe Internet to ensure students stay safe and focused on school tasks.
iPads, MacBooks and . . . Chromebook!
Not every student, teacher or school gets to choose Apple devices exclusively. Some schools mix platforms. Jamf wants all learners to be equally protected. That’s why earlier this year, we brought Jamf Safe Internet to Chromebook.
Similar to how Jamf Safe Internet works on Apple devices, our Chromebook solution employs a ‘protection over inspection’ approach to protect students from harmful content without ever invading their privacy.
Our comprehensive and customizable content-filtering database is built on a lightweight DNS technology. It will never bog down devices, instead allowing students to keep up with their lessons.
How Jamf Safe Internet works
With Jamf Safe Internet, school administrators can deploy to Chromebooks in the same way they deploy any other profile type. From our simple portal, admins can configure web content filtering exactly how they see fit regardless of device.
Jamf Safe Internet also makes it easy to create reports to better understand administered policies. It can also enforce YouTube Restricted Mode and Google SafeSearch to hide mature content from ever appearing in search results.
And best of all? Jamf and Google for Education now work together. Jamf Safe Internet can be deployed directly from the Google Admin console many admins already use to manage Chromebooks.
Coming soon: Jamf Safe Internet for Windows PCs
We are thrilled to announce that this summer we are adding support for Windows PCs. Yes; you heard that right. Windows. And like iPads and Chromebooks, the service can be deployed with zero-touch using Microsoft Intune or any other package manager you may use.
Now, no matter what technology your school chooses in addition to Apple, Jamf ensures the student sitting in front of it is protected from accessing dangerous or distracting content, and learning stays at the forefront of the technology experience.
“Even as we are offering support for multiple platforms when it comes to securing users,” said Johnson, “I want to bring us back home and assure you that Apple will always be our first priority and we will continue to bring you the best experience for that platform.”
New filtering capabilities for Apple users
To prove that, we are improving our Jamf Safe Internet privacy protections by adding on-device web content filtering specifically built for Apple. This on-device filtering capability further bolsters the existing solution as it delivers an Apple-best, native end-user experience for Apple users.
Jamf has built this advanced solution upon Apple’s privacy-first content filter framework to perform comprehensive on-device web content filtering.
Admins can filter by these and more:
- IP address
- Full URL
- Protocol
- iOS and iPadOS app
Jamf uses a sandbox architecture (meaning that neither Jamf nor Apple services can ever obtain or report upon private encrypted content) to evaluate and act on policies.
Removing the need to send large amounts of data to your cloud infrastructure improves performance while saving a lot of money and time in the process. On-device also means it’s lightning fast, which obviously provides a superior end-user experience.
On-device web content filtering will be available for iPadOS and iOS devices this summer, with macOS following later this year.
Combining security solutions
Some institutions, particularly in higher education, use Jamf Safe Internet alongside Jamf Protect for unparalleled on-device and network security. This is the complete package: a unified endpoint protection, threat defense and content filtering solution.
Using Jamf alone, you can be assured that your schools are completely managed and secured.
Jamf secures and blocks access, but we’re best known for empowering trusted users with simple and secure access to the resources they need to do their job.
Simple user access
Kayla Flanders, Learning Experience Designer, led viewers through how to simplify the end-user experience. “Identity and access management is a suite of technologies intended to provide secure logins and access to apps and resources,” said Flanders. “However, many organizations struggle to actually simplify the end-user experience to get their work done.”
There's a better way, and it's Jamf Connect.
Jamf Connect simplifies
That's why over seven thousand organizations have chosen Jamf Connect to simplify their provisioning, account management and authentication for Mac users.
“I’ve got great news for you,” said Flanders. “Jamf Connect just got a whole lot better. We are excited to announce that the new Jamf Connect now includes zero trust network access capability formerly offered by Private Access.”
This delivers a complete user-first identity and access management solution for all Apple devices, including Mac, iPad, iPhone and more.
Zero Trust Network Access (ZTNA)
Jamf Connect and its Zero Trust Network Access framework enable remote access from anywhere while eliminating all of the friction and frustration associated with traditional VPN.
With VPN, remote users are typically granted broad access to the organization’s internal network. Jamf Connect enables narrow access to only the specific apps and resources a user needs for their role, regardless of whether the app is on-premises or in the cloud. This dramatically improves data security.
New Jamf Connect and Jamf Trust integration
“And if that’s not enough,” said Flanders, “we have a really exciting feature that will be coming soon. We are integrating Jamf Connect’s out-of-the-box macOS account provisioning experience with our Jamf networking agent, Jamf Trust, to automatically activate ZTNA networking by the time the user finishes within the macOS setup assistant.”
This means that with a single login, which can include multi-factor authentication, a user’s local macOS account with cloud identity credentials is created and their network access is ready to go for instant connectivity to the apps they need to be productive. This eliminates the manual process of a user having to find, log in to, and activate their VPN app.
Regarding seamless logins, Jamf has been talking about the promise of single sign-on for Apple devices for years. Last year at WWDC, Apple took a major step to deliver on this promise for macOS, iOS, and iPadOS in the form of Platform SSO and Enrollment SSO.
But we can’t deliver these capabilities alone, so we teamed up with Okta to deliver the future of identity on Apple devices that users and IT admins alike are going to love.
Okta: identity on Apple devices
Okta’s CIO Alvina Antar and Jamf’s CIO Lihn Lam explained what our partnership means for you.
At the last JNUC, Okta CEO Todd McKinnon talked about the unique opportunity for Jamf and Okta to work on first-to-market support for Apple's new Platform Single Sign-On and Enrollment Single Sign-On technologies.
“These exciting new platform capabilities for macOS, iOS and iPadOS bring the legendary user experience of the Apple platform to the front doorstep of a secure enterprise employee experience,” said Antar.
“Bridging the gap between security and user experience is something that Jamf has always been passionate about,” said Lam. “Now with Okta, we've had the unique opportunity to work in tandem on that effort to make it a truly best-of-breed solution from endpoint to identity on the Apple platform.”
Throughout the past six months, teams at both companies have been working hard to build this solution, and Lam and Antar were pleased to announce that we are near completion of that work.
New platform SSO and enrollment SSO workflows from Jamf and Okta
Matt Vlasach, VP of Product Management at Jamf, and Jamie Fitz-Gerald, Director of Product Management at Okta, discussed and demonstrated some of the products our teams have been working on: specifically Platform SSO and Enrollment SSO.
“When Apple announced platform SSO in macOS Ventura last year we knew it was going to be a big deal and our customers would expect us to support it,” said Vlasach.
But MDM is only half of the equation, and we needed a nimble IDP partner to deliver that other half. Given their commitment to Apple and SSO, Okta was the obvious choice.
Together, we worked to enable our customers with a native macOS login and password sync experience using Platform SSO while leaning on Jamf Connect to provide shared customers with advanced local account provisioning workflows.
Vlasach and Fitz-Gerald then walked viewers through a step-by-step demonstration of enrollment with setup assistant and registration for Single Sign-On and a day-in-the-life experience end users have when using these workflows.
“We can’t wait for you to experience this new, more seamless way of working,” said Kayla Flanders, “and we’re excited for continued innovation with Okta and other identity providers in the future.”
Our new integration will be available to Jamf and Okta customers this summer.
Digital employee badges available today for iOS
At JNUC, we demoed and unveiled a partnership with SwiftConnect to create mobile ID cards. This replaces poorly-secured, easily misplaced physical access cards.
Jamf support for digital employee badges via SwiftConnect, powered by Jamf Trust, starts today for iOS and is coming soon for Android.
“At Jamf,” said Flanders, “our purpose is to simplify work. And we believe simplifying work starts with simplifying access for users. But that’s only half of the story.”
Trusted Access
Jen Kaplan, Senior Director, Product Marketing, discussed Trusted Access introduced at JNUC.
“At its core,” said Kaplan, “the concept is simple: Trusted Access combines and connects the best elements of device management, identity and access workflows, and endpoint security. With Trusted Access, your employees can be productive on the devices they love while your organization can trust that every user, every device and every connection is secured.”
Kaplan discussed the critical part enrollment plays in creating the best user experience and in achieving the highest level of security in your workplace.
Not only does Jamf offer robust cloud identity provider integrations, but the upcoming platform SSO work will further streamline everything from enrollment to remote access, all powered by a user’s single cloud identity.
Jamf identity integrations with Microsoft, Google and Amazon
Our identity integrations with powerful conditional access controls add to security across three of the industry’s largest providers.
Microsoft Device Compliance integration
Our Microsoft Device Compliance integration allows organizations to extend access controls across the entire Azure Active Directory workflow.
Administrators use this integration to:
- Define specific Azure-AD-enabled apps and services that are affected by a device’s compliance state
- Automatically deploy and patch Office 365 apps by Jamf
- Combine Jamf Pro’s Device Compliance engine with Microsoft Sentinel to ensure device compliance
Building on the momentum of our Microsoft partnership, Jamf Protect integrates with Microsoft Sentinel.
This integration enables organizations to:
- Seamlessly monitor and protect their Mac fleet through Microsoft Sentinel
- Get a unified view of security events across all endpoints
- Facilitate a more effective response to threats
Jamf joins the Microsoft Intelligent Security Association (MISA)
MISA is an ecosystem of independent software vendors and managed security service providers that have integrated their solutions with Microsoft security technology to help customers better defend themselves against increasingly sophisticated cyber threats. We’re thrilled to have recently joined.
Jamf’s Google BeyondCorp integration
Jamf also integrates with Google BeyondCorp — Google’s Zero Trust implementation, which uses Chrome to protect data in transit.
This integration:
- Automatically blocks non-compliant devices from BeyondCorp until the problem is remedied
- Extends to protect iOS and iPadOS devices
- Offers immediate access to tools like Google Drive, Google Docs and Gmail to those who register through Self Service
Jamf is the only management or security platform that supports BeyondCorp across the entire Apple ecosystem.
Jamf and Amazon: AWS Verified Access integration for macOS
With AWS Verified Access, organizations using AWS and Jamf can:
- Verify that devices are managed and meet an acceptable risk threshold before providing AWS access
- Define granular policies that apply per app, using rich user and device context
- Access cloud-native zero trust access seamlessly
“This is an exciting integration, hot off the heels of our EC2 Mac capabilities we demonstrated at JNUC last year,” said Kaplan. “And with Jamf in the AWS marketplace, customers can now leverage AWS credits towards Jamf solutions.”
One thing that each of these conditional access workflows has in common is an evaluation of the device’s security posture. Jamf Protect is best known as a premier endpoint security solution for the Mac and it plays an important role in these conditional access workflows.
New developments for Jamf Protect
Last fall, we brought a major advancement to macOS endpoint visibility with the addition of telemetry to Jamf Protect: IT can view telemetry data in near real-time within their SIEM.
Earlier this year, we also expanded Jamf Protect to include mobile threat defense capabilities.
Now Jamf Protect offers everything from stopping the latest malware on your Macs to defending your entire Mac and mobile fleet from web threats such as phishing attacks or ransomware.
Conditional access, meet Zero Trust Network Access.
What is Conditional Access?
Each of Jamf's three powerful conditional access integrations allows organizations to take a zero-trust approach to security. This is a great step towards securing your company data and something we would recommend to every Jamf customer.
However, there is one security challenge where conditional access workflows traditionally fall short. Conditional Access solutions typically evaluate the user, device and risk when a user logs in.
Unfortunately, the nature of the modern threat landscape is relentless and a device that is deemed secure one minute may be compromised the next.
What is ZTNA?
Adding Jamf Connect’s zero trust network access is powerful. Jamf’s access policies dynamically react the minute that Jamf Protect detects a risk, allowing real-time response and remediation.
Secure access enforcement developments
Our new secure access enforcement workflow can immediately suspend access if a user disables their secure connection. Then, we guide the user directly into Jamf Trust to re-enable the secure connection.
Our goal with Trusted Access is to make the entire work experience seamless for users without sacrificing security while building remediation directly into the workflow to minimize dependency on IT.
Declarative Device Management and Jamf Pro
Amy O’Connor, Internal Communication Manager, announced that Jamf is extending support to Passcode Compliance and Supplemental Build Version for Rapid Security Response.
At JNUC 2022, we let you know that Jamf Pro added support for Declarative Device Management for operating system changes. Apple continues to expand the use cases for Declarative Device Management and Jamf remains committed to supporting this next-gen protocol.
Jamf extends Declarative Device Management support
Organizations that use iOS and iPadOS devices deploy a number of configuration profiles required for their security posture. Once those profiles are installed, organizations can use Jamf Pro’s Smart Group logic to safely target additional, security-sensitive profiles to install certificates or networking profiles that allow users to get their work done.
Previously, organizations needed to perform additional inventory updates via the API before a device entered their Smart Group.
Now, with declarative device management:
- The device autonomously reports its passcode compliance status
- The user will receive the rest of their needed profiles immediately afterward
- Admins gain real-time visibility into their fleets
Supplemental Build Version
Apple’s new Rapid Security Response updates are meant to apply between minor OS releases. "If you are concerned about a zero-day exploit, and let’s be real, we all are," said O'Connor, "deploying these updates, when available, to your managed devices can easily be accomplished. What’s more? The Declarative Device Management status channel can now report the completed update status to Jamf Pro immediately after it’s been applied, giving you peace of mind."
As always, we’re committed to same-day support with Apple and as they continue to expand this new protocol, so will Jamf. Trusted Access means faster, automated access management to sensitive data resources without having to wait for a sync.
"I think we can all agree that being able to base trusted access off of action needed from Apple’s rapid security responses sounds pretty next level," added O'Connor.
Report assist using Managed Device Attestation.
Managed Device Attestation is a powerful new security feature introduced by Apple in iOS, iPadOS and tvOS 16 last fall. This certification tool helps ensure that all MDM-managed devices contain genuine Apple hardware and haven’t been spoofed or otherwise compromised.
Here’s how it will integrate with Jamf Pro:
- Jamf Pro provides an additional queried parameter to a managed device via the MDM protocol.
- The device performs a check-in with Apple’s attestation servers and returns an Apple-signed certificate that attests that the device is genuine.
- Jamf Pro validates the certificate and stores it with other inventory data.
- The result will be shared with Jamf’s security tools, and available for consumption in other third-party systems and tools, via the Jamf Pro API.
At JNUC last year, we talked about a new way we want to help admins support teams and users who are working remotely.
"One of the largest JNUC ovations I’ve ever heard was when we previewed a new Jamf Pro feature that will allow admins to initiate a remote desktop session directly from within the browser, regardless of where your users are working," said O'Connor.
For those who missed JNUC, O'Connor offered a quick demonstration of how this works.
"I am very pleased to announce," added O'Connor, "that this new Remote Assist capability will be coming this summer."
But we’re not done yet!
We are also introducing an automated solution to create and manage unique local administrator passwords for each managed Mac with Jamf Pro. With the increasing risk of unauthorized access to sensitive data or systems, such protections are crucial for each device and for improving overall security.
This solution:
- Randomizes the password of a managed administrator account at the time of enrollment
- Restricts access to these passwords to specific users or groups, with audit logging in place to show who accessed the password and when
- Automatically rotates the password to a new randomized value once viewed by an authorized user
This automated approach allows organizations to maintain operational security, comply with regulations and improve efficiency when working with an IT-managed administrator account.
App Installers updates
App Installers, released in Jamf Pro last spring, gives you the ability to automate distribution and updates to third-party macOS software titles.
We’ve listened to your feedback and are addressing some of your most requested feature updates with new App Installer capabilities.
For instance, we launched end-user notifications recently in Jamf Pro 10.44, allowing you to notify users when an update is available.
And coming this summer, Jamf Pro will offer the option to distribute App Installer titles via Self Service. Once a user installs the application, App Installers will continue to keep that app title automatically up-to-date with the latest version.
"We’re so excited to bring these new features your way," said O'Connor. "And as always, Jamf is and will continue to be compatible with Apple’s latest operating systems so you and those you support can immediately take advantage of the latest and greatest for Mac, iPad and iPhone."
A Jamf sendoff
Dean Hager thanked all of the presenters, and then spoke to Jamf Nation directly:
"To all of you in Jamf Nation, whether you’re looking to empower students with technology while protecting them from the dangers of it or to deliver a simple, yet Trusted Access experience to each and every employee you serve, Jamf is here to partner with you."
Many of the Jamf platform capabilities we discussed today are available right now, and many more are on the horizon.
Jamf has designed these solutions to help you simplify work and ramp up productivity for your end users and for IT while helping Information Security teams keep your organization safe. "I encourage you all to give these new capabilities a try," said Hager. "We are so excited to hear what you think."
For all of you, if you enjoyed today, you’re going to love JNUC 2023, which is both virtual and in-person in Austin, Texas, September 19th through the 21st.
"We hope to see you there," added Hager. "In the meantime, we are here to help you leverage Jamf’s enterprise-secure, consumer-simple technology to empower your teams and simplify work."
Take care, Jamf Nation.