How to keep your CISO happy with data and alerts

In this session, Get Well’s Todd Clark, Senior IT Support Specialist, and Jeremy Lynch, CISO, return to JNUC to explain how they use data and alerts to simplify their workflows — and keep their CISO happy.

September 22 2023 by Hannah Hamilton

Clark opens the session with a recap of their session last year, “How to Keep Your CISO Happy with Automation.” As an update, they were able to upgrade their fleet from macOS Monterey to Ventura in less than 30 days, beating the under-45-day macOS Big Sur to Monterey upgrade they shared in last year’s session.

This year’s session answers questions they got as feedback from last year's talk. To start, they discuss alerts.

Basic alerts

Get Well’s support team had a lot of computers being replaced in a short amount of time, and needed a solution to simplify their processes. Given their small team size and lack of transparency into when a user enrolled their device, they wanted some sort of automated alert telling IT when a computer had been properly enrolled.

After considering a Jamf Pro webhook or the Jamf Pro API, Clark decided that the best method would be a custom cURL command. The command runs as the last step of their DEPNotify script. The command and the resulting alert are shown in the presentation.

Security and tracking

In this part of the session, Lynch answers a few questions Clark asks. First, Lynch explains their move to macOS as the most appropriate OS for their user base, given Get Well is a Linux-heavy company and is required to meet certain security baselines for their certifications and attestations.

To harden their systems, Get Well follows CIS benchmarks. They can run a script to check whether any devices are out of compliance and, if so, remediate them with Jamf.

As a way to implement least privilege access, Get Well gives most employees standard permissions on their devices, as most do not need admin access to complete their job tasks.

Lastly, a tool that has proven useful to Get Well’s IT team is Ploy, a SaaS management tool to assist in off-boarding and detect shadow IT apps.

Data and alerts

Clark and his team use a number of automations and alerts to make their jobs simpler.

Temporary timed admin and alert

As mentioned above, most employees at Get Well are standard users. While Self Service mostly takes care of software needs, sometimes you have to grant users temporary admin access. Based on Jamf’s Make Me an Admin script, their solution:

  • Scopes the applicable user’s computer so that the user has access to the “Elevate” policy, which grants them admin access for 10 minutes. Then, a second policy runs to revert the user to standard access
  • Alerts the user when this occurs with Jamf Helper popups
  • Includes a custom cURL command to notify IT the user is elevating to admin

Using and tracking Homebrew

Some users need an alternative way to download packages. Homebrew allows employees to install software from the command line. To provide Homebrew, Clark’s solution:

  • Offers Homebrew in Self Service, available based on a user’s AD group
  • Deploys a sudoers file from Jamf Pro
  • Tracks what is installed with Homebrew, using extension attributes in Jamf Pro
  • Includes a “brew update” policy to ensure everything is still working as expected
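
One way the extension-attribute tracking in the list above could be written, as an added example and not the script shown in the session. The function names, the "name version" output format and the fallback strings ("Not installed", "None", "No console user") are assumptions.

```shell
#!/bin/sh
# Added example: Jamf Pro extension attribute reporting Homebrew packages.
# Jamf Pro stores whatever the script prints between <result> tags.

# Locate brew at the default Apple silicon or Intel prefix.
find_brew() {
    for candidate in /opt/homebrew/bin/brew /usr/local/bin/brew; do
        if [ -x "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Read "name version [version...]" lines on stdin and emit one sorted EA value
# holding each name with its last listed version. Angle brackets and
# ampersands are dropped so a package name cannot break the <result> tag.
format_ea_result() {
    pkgs=$(tr -d '<>&' | awk 'NF >= 2 { print $1 " " $NF }' | sort -u)
    if [ -z "$pkgs" ]; then
        printf '<result>None</result>\n'
    else
        printf '<result>%s</result>\n' "$pkgs"
    fi
}

main() {
    brew_bin=$(find_brew) || { printf '<result>Not installed</result>\n'; return 0; }
    # Extension attributes run as root and brew refuses to run as root,
    # so query as the user logged in at the console.
    console_user=$(stat -f%Su /dev/console 2>/dev/null) || console_user=""
    case "$console_user" in
        ''|root|loginwindow)
            printf '<result>No console user</result>\n'; return 0 ;;
    esac
    sudo -n -H -u "$console_user" "$brew_bin" list --versions 2>/dev/null | format_ea_result
}

main
```

A smart group keyed on this attribute's value can then flag machines carrying packages that IT has not approved.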

Data-on-demand dashboard

Clark developed a dashboard that pulls data from extension attributes and other sources and creates data visualizations. This allows him to track versions of software deployed across the fleet, for example. In the presentation, he shows what this function looks like and provides examples of the data visualizations.

Daily+ update alerts using the Jamf API

Clark uses several alerts that run multiple times a day. For example, browser patch update and macOS version alerts run every four or six hours.

Watch the presentation to see examples of data collected from computers not checking in to Jamf Pro, and how they used this data to generate tickets that helped them find these missing Macs.
