Reporting and Remediation Script: Automating CIS Benchmark

Learn more about performing CIS Benchmark assessment on your macOS fleet and how to align and enforce them with security best practices managed by your organization through Jamf Pro.

October 6, 2022, by Jesus Vigo

“Business is changing. It has changed a lot and very quickly, especially because of the pandemic.” This keen, grounded observation by Mischa van der Bent, Supervisor, Consulting Engineer EMEIA, Jamf, sets the tone for the presentation, which focuses on:

  • macOS Security
  • Security Benchmarks
  • Scripts
  • Implementation

The talk covers why these matter in the modern-day management landscape and how, together with Jamf Pro, they help organizations like yours meet their unique Apple device management and security needs.

Never has this been more necessary than in today’s computing environments, which must maintain parity between getting work done in the office (as has traditionally been the case) and letting employees work from anywhere, on many different device types, without compromising security or impacting productivity.

Employee mobility = work from anywhere

Security gaps

Mischa goes on to discuss the wide-ranging impact of cybersecurity on organizations with remote and hybrid work environments, specifically calling out companies that have made significant strides in upgrading their infrastructure and protecting corporate and customer data from modern endpoint security threats.

He also stresses that, for those that have typically emphasized connectivity over security, now is the time to invest in modernizing your infrastructure to strengthen your iOS and macOS security posture.

This includes continuously monitoring endpoints and enforcing compliance to keep your device fleet, users and sensitive data safeguarded. Remediation efforts identify devices that are out of compliance, and automated workflows then correct the issues and bring those devices back into compliance, mitigating risk quickly.

How do I benchmark devices?

Before getting into the “how”, let’s take a moment to go over “why you should benchmark your device fleet”.

Consider a framework such as the CIS Benchmark from the Center for Internet Security. It provides a series of security standards, based on industry best practices and agreed upon by a consortium of cybersecurity experts, that guide organizations in hardening their devices. The benchmarks are published per operating system, with each one tailored to strengthen that particular version of the OS. As new versions are released, the benchmarks are updated to reflect any changes to the guidelines, keeping them current against the modern threat landscape.

During the presentation, Mischa gives a live demo of how CIS Benchmark auditing works, displaying the results of a sample report run against a Mac while he reviews some of the findings, what they mean and, of course, how to use Jamf Pro so IT can mitigate risk by further hardening macOS devices.

Scripting the future

Before solutions like Jamf Pro existed, IT professionals relied on scripting to run commands against potentially hundreds of devices throughout their organization. Not only did scripts contain the exact commands needed on each device, but by leveraging scripts IT could reach every macOS-based device in record time while resting in the knowledge that the commands would execute the same way each time, eliminating user error at multiple levels.

While scripting is still in use today, pairing it with Jamf Pro allows greater flexibility in managing macOS devices by not only including many scripts commonly used in device management but also supporting IT to create and upload their own customized scripts. Furthermore, Jamf Pro’s management hooks, policies and key features, like smart groups, give IT a world of options when it comes to executing scripts on devices based on conditional and contextual logic while providing feedback through reporting that gives IT visibility into statuses relating to the deployment of, well, whatever you want your script to do.

Further still, the easy-to-use design and the ability to output results to a customized dashboard give IT teams greater insight when tracking scripted changes. And speaking of visually tracking changes, Mischa provides an in-depth demo that goes beyond the CIS benchmarking process to include assessing results, creating scripts based on benchmark findings and uploading them to Jamf Pro for deployment and enforcement of macOS security hardening standards.
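The audit, remediate and report loop described above (flag a control that is out of compliance, correct it, and surface the status to Jamf Pro) can be sketched in a single script. The block below is an added example written for this page; it is not the presenter's script and not Jamf's code. The control names, expected values and the screen saver idle timeout used as the one live check are assumptions chosen for illustration, and the remediation defaults to a dry run so the command can be reviewed before deployment. The `<result>` line is the format a Jamf Pro Extension Attribute script reports in.

```shell
#!/bin/sh
# Added example (not from the presentation or from Jamf): a minimal
# audit -> remediate -> report pattern for CIS-style macOS controls.
# Control names, expected values and the remediation command are assumptions.

# audit_control NAME EXPECTED ACTUAL
# Prints one PASS/FAIL line; returns 0 on PASS and 1 on FAIL.
audit_control() {
    if [ "$3" = "$2" ]; then
        printf 'PASS %s (value=%s)\n' "$1" "$3"
        return 0
    fi
    printf 'FAIL %s (expected=%s actual=%s)\n' "$1" "$2" "$3"
    return 1
}

# count_failures: reads "NAME EXPECTED ACTUAL" lines on stdin and prints
# how many controls fail, so a Jamf smart group can key off the number.
count_failures() {
    fails=0
    while read -r name expected actual; do
        [ -z "$name" ] && continue
        audit_control "$name" "$expected" "$actual" >/dev/null || fails=$((fails + 1))
    done
    printf '%s\n' "$fails"
}

# ea_result N: the Extension Attribute output Jamf Pro stores for the device.
ea_result() {
    if [ "$1" -eq 0 ]; then
        printf '<result>Compliant</result>\n'
    else
        printf '<result>Non-compliant (%s failing controls)</result>\n' "$1"
    fi
}

# read_screensaver_idle: current idle timeout in seconds, or "unavailable"
# when run somewhere without the macOS `defaults` tool (so the logic can be
# exercised on any POSIX shell).
read_screensaver_idle() {
    if command -v defaults >/dev/null 2>&1; then
        defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0
    else
        echo unavailable
    fi
}

# remediate_screensaver_idle SECONDS: enforce the timeout. DRY_RUN=1 (the
# default here) only prints the command; set DRY_RUN=0 on a managed Mac.
remediate_screensaver_idle() {
    if [ "${DRY_RUN:-1}" = "1" ] || ! command -v defaults >/dev/null 2>&1; then
        printf 'would run: defaults -currentHost write com.apple.screensaver idleTime -int %s\n' "$1"
    else
        defaults -currentHost write com.apple.screensaver idleTime -int "$1"
    fi
}

main() {
    idle=$(read_screensaver_idle)
    # Constructed findings: one live value plus two sample controls whose
    # "actual" values are hard-coded here purely to show a mixed report.
    findings=$(printf 'ScreenSaverIdleTime 1200 %s\nGatekeeperEnabled 1 1\nFirewallEnabled 1 0\n' "$idle")
    printf '%s\n' "$findings" | while read -r n e a; do
        audit_control "$n" "$e" "$a"
    done
    fails=$(printf '%s\n' "$findings" | count_failures)
    ea_result "$fails"
    # Remediate the one control this script knows how to fix.
    [ "$idle" = "1200" ] || remediate_screensaver_idle 1200
}

main "$@"
```

Run as-is it prints the PASS/FAIL lines, the `<result>` line and the dry-run remediation command; in Jamf Pro the same file would be split into an Extension Attribute (everything up to `ea_result`) and a remediation policy scoped to a smart group on that attribute's value, which is the separation of reporting from enforcement the presentation walks through.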
