2024 Jamf Event for commercial markets: elevating Apple Security and compliance

The 2024 Jamf Event for commercial markets discussed developments in moving toward Trusted Access and much more.

April 9, 2024 by Haddayr Copley-Woods

Milind Patel, Jamf’s Director of Product Management, presents at the 2024 Jamf Event.

Welcome

Sam Johnson, Jamf’s Chief Customer Officer, kicked off the commercial portion of the Jamf Event this April 9.

“This event marks the halfway point to JNUC, the industry’s largest gathering of Apple IT and Security admins,” said Johnson. “We’re excited to show you how Jamf can help you be more successful with Apple at work.”

“At JNUC last fall,” he continued, “we talked about Trusted Access, which is Jamf’s vision of a zero-trust experience that users love and organizations trust. Today, we are going to explore an important step on the journey to making your access more trusted: compliance.”

Compliance, explained Johnson, can represent different things. It can be:

  • Using the best management workflows to standardize deployments
  • Enforcing your organization’s acceptable use policies to keep users and devices safe
  • Deploying secure baselines to ensure all devices adhere to industry or government regulations and standards

Apple admins, often the resident Apple experts within organizations, are being asked to get involved in compliance objectives across Mac, iPhone and iPad in addition to their device management functions.

“We’re here today to assure you that you are not alone in this journey,” said Johnson. “Together, we are going to explore some different aspects of compliance and the ways that Jamf helps.”

Compliance Dashboard

Milind Patel, Jamf’s Director of Product Management, took on the task of discussing Jamf’s Compliance Dashboard.

“Whether your organization is in a regulated industry or not,” said Patel, “nearly every company will have some type of compliance objective. We know that it can be challenging, and time-consuming, to define, monitor and maintain compliance.” That’s why, he explained, Jamf teams have worked hard to create solutions that make achieving compliance possible, regardless of the size of your team.

The good news is Jamf provides everything you need to keep your fleet healthy and compliant.

Compliance baselines

“Let’s take a look at how to easily define and deploy the relevant compliance settings for your fleet,” said Patel.

“One workflow that’s proven to be really valuable to Apple admins,” he continued, “is Jamf Compliance Editor. Compliance Editor pulls the latest macOS benchmarks directly from the macOS Security Compliance Project for each respective macOS version. You simply need to select your target macOS version, and the desired security benchmark to accelerate the generation of compliant configurations, settings, and auditing.”

Support for iOS and iPadOS

Jamf’s recent addition of iOS and iPadOS Compliance Editor now means you can ensure your entire fleet of Mac, iPhone, and iPad all adhere to your organization's exact requirements.

“Compliance Editor is very easy to use,” continued Patel. “It generates all of the configurations and corresponding documentation automatically. Of course, you can adjust or omit any settings you’d like before moving on to deployment. Compliance Editor integrates directly with Jamf Pro, which means it only takes a few clicks to generate the hundreds of detailed configurations required to make your endpoints compliant.”

You are now ready to deploy these to any existing devices, and also ensure every new device has the proper secure baselines configured from the moment it is unboxed.

Jamf Routines

“While compliance is a 24/7 requirement,” said Patel, “we want to make sure admins don’t have to live in an admin console every minute of the day.” Thanks to Jamf Routines, Jamf Pro customers can now select from an ever-expanding set of no-code automations and integrations to aid in their pursuit of compliant endpoints.

A few routines:

  • One Routine allows admins to set up integration between Jamf Pro and Slack or Microsoft Teams with automated alerts sent based upon a variety of different criteria.
  • Another allows for admins to specify when a re-deploy of the Jamf Management Framework may be required, making more powerful self-healing workflows a reality.

Conditional Access

One of Jamf Pro’s most popular and powerful workflows used by customers today is Device Compliance with Microsoft, also commonly referred to as “conditional access.”

This integration combines the full deployment power of Jamf Pro with the robust access controls provided by Microsoft’s identity platform. Last year, Jamf introduced a major enhancement that gave Jamf Pro admins full control over defining compliance with Jamf Pro Smart Groups, going beyond the handful of default parameters that were evaluated before.

"In other words," said Patel, "anything that can be defined in a Smart Group can now serve as your device compliance criteria."

Combining Compliance Editor and Jamf Protect

"When we combine this existing integration with Jamf Compliance Editor and Jamf Protect," continued Patel, "we can create something incredibly powerful. With very little effort, customers can use Compliance Editor to quickly spin up everything needed to make Mac, iPhone and iPad compliant against the CIS benchmark. Not only can you audit those complex compliance benchmarks easily within Jamf Protect, but that same criteria can also be utilized for access decisions for Device Compliance with Microsoft. In short, CIS benchmarks become the authoritative definition for Microsoft Entra access decisions."

Katie English, Director, Product Strategy, took over from Patel to explain how maintaining minimum required privileges for end users can help organizations prevent endpoints from being compromised.

End-user privilege elevation

Implementing tighter controls around admin privileges on the Mac is a critical aspect of compliance. "Traditionally," said English, "this has been a challenge because it typically only allows for the choice of creating a local macOS account with full administrator or standard privileges." Certain common tasks require admin privileges to complete, but granting users those always-on local admin privileges exposes the organization to potential risks and may violate compliance standards.

Jamf provides a simple approach to solving this challenge that also adheres to compliance frameworks and requirements. Using a cloud identity provider (IdP) and Jamf Connect, organizations can temporarily allow admin privileges for local macOS accounts to be granted conditionally based on valid user authentication and authorization.

Privilege elevation facilitates the operation of macOS in a least-privilege manner on endpoints in an Apple-native and user-friendly way without putting any burden on Help Desk or IT teams.

It also significantly reduces the macOS attack surface by preventing attacks from being carried out in the background or without end-user knowledge. To tell us more, we welcomed back Milind Patel.

Jamf Threat Labs

One of the ways that Jamf stands out when it comes to helping organizations secure their Apple endpoints is through our security research group: Jamf Threat Labs.

"The team has discovered, blocked and published research on a variety of threats," Patel said, "including advanced Mac malware and cryptojacking campaigns."

Reflecting on their work over the past year shows how Apple devices continue to be targeted by some of the most sophisticated threat actors in the world.

"We will continue to pursue this research and make our products more effective, and make our customers’ environments more secure," said Patel.

Vulnerability management

Another way we help customers maintain a secure environment is with Vulnerability Management. While this can be challenging and time-consuming for organizations without the right tools, Jamf makes it easy to visualize vulnerabilities across all of your Macs, iPhones and iPads in one place.

The Vulnerability Management dashboard allows you to quickly understand the presence of vulnerabilities across your environment. Jamf already collects all of the required application and operating system inventory for all of your devices under management and compares them against known vulnerabilities. This dashboard shows IT admins the breakdown of vulnerabilities by severity.

"This report helps you identify the most impactful vulnerabilities," said Patel, and "drill down by device, or by specific application version, in order to prioritize your patching efforts."

App Installers

Katie English led viewers through App Installers.

"Apps continue to be the fabric of the end-user experience and intersect every step of the user’s journey," said English. "Apple Business Manager allows an admin to manage app updates in a simple and automated way. But for apps distributed outside the Mac App Store, we believed we could give admins that same automated experience for updating third-party Mac apps."

In 2022, as part of the Jamf App Catalog, Jamf delivered App Installers: a curated collection of Jamf-managed and provided installer packages that automate and streamline the process of updating and deploying third-party apps.

"Since the initial launch," continued English, "we’ve continued to listen to our community and to innovate and deliver on some highly requested improvements."

App version control, released earlier this year, is the latest iteration.

This update gives admins more authority over App Installer deployments, allowing them to test a version on a small group of computers and then manually choose the version to deploy to computers in scope when they are ready.

"The ability to choose either automatic or manual updates to specify the version gives the admin control and flexibility over the App Installers titles in their environment," said English.

This keeps users productive while remaining secure and up-to-date.

Coming to Jamf Now

"We hope you’re excited to see the progress of the Jamf App Catalog and App Installers," said English. "If you’re a Jamf Now user, we’re also pleased to share that App Installers elements are being integrated into Jamf Now throughout 2024. As we go forward, you can expect Jamf to continue our commitment to making App Installers an invaluable tool for keeping apps up-to-date, secure and compliant."

OS Updates: DDM support

"In addition to apps, it’s also imperative to keep operating systems up-to-date, not only to give your users the latest features but also to ensure you’re keeping vulnerabilities at bay," said English.

At last year’s JNUC, Jamf unveiled support for managed software updates powered by Declarative Device Management (DDM).

"Apple has positioned Declarative Device Management as the future of device management and a critical enhancement to aid in streamlined security workflows," said English. "Jamf remains Apple-first, Apple-best and will continue to keep pace with what Apple delivers in the future, including improvements to software updates and security workflows."

English also announced that Jamf will soon enable new device type management powered by DDM on watchOS.

Apple Vision Pro

"Speaking of new device types," said English, "we’ve all heard about Apple Vision Pro and the opportunities it presents for the enterprise, whether it be virtual training, enhancing a physical retail experience, or facilitating a new way of designing and developing products."

"Because of Jamf’s laser focus on Apple," she continued, "I’m proud to tell you that we’ve been able to support customers’ early adoption of Apple Vision Pro since day one!"

With Jamf Pro, Jamf Connect and Jamf Protect, Jamf provides organizations with the ability to both manage and secure Apple Vision Pro devices. This is key for testing, adoption and eventually scaling your organization's growing Apple install base.

Until we meet again

After thanking Katie English and Milind Patel, Sam Johnson announced that Jamf has a lot more in store regarding compliance. "We can’t wait to give you another update at JNUC," said Johnson.

This year's JNUC will convene in Nashville, Tennessee, October 1-3. Early registration is now open. "There will be no better price than right now," said Johnson, "so be sure to secure your spot today."

"We cannot wait to show you all of the latest advancements that will make your access more trusted and help you be successful with Apple at work," finished Johnson. "Thanks to all of you for tuning in to our update. See you in Nashville!"

Check out the entire Jamf Event.