Introducing Bring Your Own Key (BYOK) for enhanced cloud security
Bring Your Own Key (BYOK) comes to Jamf Pro.
For organizations with stringent security and compliance requirements, maintaining control over their sensitive data is non-negotiable. Today, we're excited to announce the availability of Bring Your Own Key (BYOK), giving customers the ability to provide their own encryption key to encrypt and decrypt sensitive data in select Jamf products and services.
At launch, this service is available to protect data in Jamf Pro and in services related to the storage and management of Declarative Device Management (DDM) data, with a planned expansion to additional Jamf-hosted services in the future. This gives the customer complete control over, and auditing of, their sensitive data stored within the Jamf Cloud, reinforcing our commitment to delivering robust security solutions.
What BYOK is and how it works
Bring Your Own Key, also known as CMK (Customer Managed Keys), is an encryption model that allows customers to provide and manage their own encryption keys for data stored in third-party solutions. While Jamf has always encrypted data, both at the disk level and application level, BYOK takes this protection further by giving customers direct control over the application-level encryption keys.
Customers generate their encryption keys using their preferred key management system. Jamf’s BYOK solution supports the use of the following encryption keys:
Access to these keys is provided in a secure portal to allow Jamf’s cloud-hosted services to encrypt and decrypt customer data. This ensures that data is protected and only accessible to those with the correct keys.
Introducing Jamf's BYOK solution
BYOK is designed for organizations operating in highly regulated industries or those with strict internal security policies. If your organization must comply with GDPR, HIPAA, PCI DSS, or additional regulatory frameworks, BYOK provides the control and audit capabilities these standards often require.
Jamf's BYOK implementation delivers enterprise-grade security without sacrificing performance or availability. Let’s break that down.
Comprehensive data protection across the Jamf ecosystem: A single customer-managed key protects sensitive data across the Jamf Pro database and the declaration storage service. This includes passwords and configuration payloads. These are configured once and applied consistently across services.
Support for existing key management infrastructure: Jamf's BYOK works with major key management systems including AWS, Azure, GCP and others. You don't need to adopt new tooling. Instead, we integrate with what you already use.
Real-time visibility and control: Beyond reviewing logs in your own key management system, Jamf provides real-time security events that can be pushed to your SIEM. These events include rich metadata about each data access request, giving your security team the detailed audit trail needed for compliance and threat detection.
Reliable performance: Through key leasing technology, we've minimized the performance impact typically associated with customer-managed encryption. Keys are cached in protected memory for short periods, ensuring that encryption and decryption happen quickly without compromising security or requiring constant calls to external key management systems.
Transparent key rotation: Key rotation is handled automatically and transparently. You can rotate keys according to your organization's policies without disrupting operations or requiring application changes.
Taking the next step in cloud security
For organizations that haven’t yet unlocked the power of Jamf Cloud due to concerns, compliance or otherwise, around data protection controls, BYOK removes a significant barrier. You gain the scalability and ease of management that come with cloud hosting while maintaining the encryption key control that your security and compliance teams require.
BYOK is available now for most new and existing customers in North America, soon expanding to Europe and Asia. To learn more about BYOK, contact your Jamf account representative.