Implementing Center for Internet Security (CIS) controls from the Jamf Marketplace

With fully remote and hybrid workforces, the need to secure endpoints has become more important than ever. Most security tools focus on protection by inspecting processes, network traffic and file system events for malicious activity. Finding a solution that is designed with best practices for securing your systems and integrating those into your existing infrastructure is far more difficult.

CIS Benchmarks are consensus-developed, secure configuration guidelines for hardening operating systems, servers, cloud environments and more. They are industry recognized as secure configuration best practices that can help organizations meet requirements for PCI DSS, HIPAA, FedRAMP and many other global regulations.

Leveraging the power of the Jamf Pro API and custom-built templates, Mann Consulting has created a library of individual CIS-control audits and remediations. These combine Extension Attributes and Smart Groups to report pass/fail status along with Configuration Profiles and Policies to check devices regularly for compliance, while automatically remediating endpoints, not in compliance.

How it works

• Identifying Controls: An initial meeting is held to identify the controls you need and discuss their impacts on your employees, in order to cement a list of controls to implement.
• Uploading Controls: Leveraging the Jamf API, these controls will be uploaded to your Jamf instance either fully disabled or scoped to a test group.
• Testing Controls: A global exclusion group allows you to test the impact of the selected controls before rolling them out to all your employees.
• Exempting Groups: Using per-control exclusion groups allows you to specifically target which computers or employees are subject to each individual control. (i.e., Why audit Zoom Rooms for FileVault when Zoom Room Macs need to be able to automatically log in at startup?)
• Validating Compliance: Smart Groups will quickly show the pass or fail status of each control. Export from your Jamf Server to a custom Google Sheet will provide a convenient compliance report for management to review.
• Remediating Edge Cases: Are you failing a control due to a conflicting configuration profile? Is the device not receiving Push Notifications? The final phase identifies why computers aren’t in compliance, and then executes workflows to remediate.

Going Beyond CIS

Many CIS controls allow for some flexibility based on your organization’s needs. Maybe you’d prefer to allow iCloud, but disable Mail and Calendar sync? Instead of having to choose to disable everything in a specific control, you have the flexibility to choose to audit and/or remediate parts of controls. This allows you to specifically tailor each control to your unique security policy.

In addition to standard controls, a number of best practice controls are available to enhance your security posture. Are you auditing which System Extensions computers are running? What about requiring that any on-disk unencrypted private SSH keys are encrypted? Do you know which applications your computers have granted microphone access to? These additional security controls help you secure devices beyond the foundational CIS recommendations.

About

Mann Consulting is a Jamf MSP that provides Jamf customers with a monthly subscription-based service featuring workflows ranging from automatic application patching to software update enforcement and more. Leveraging templates and the Jamf Pro API, all workflows live directly within the customer’s Jamf Pro instance and operate independently of any external applications or servers.