Digging into Security, Compliance and Reporting

Watch this JNUC session in its entirety.

Jamf product expert, Erin McDonald, opened the session by covering what’s possible using the default tools already present within the Jamf framework. Following the idea that the software suite is our management toolbox - this would be “what’s inside the box.” First on the list is reporting and initializing software updates on managed devices. This can be accomplished by setting criteria in smart groups and initiating them with different Software Update Server (or SUS) configurations.

McDonald’s list of built-in security tools includes Automatic App updates. And as of version 9.93, patch reporting supports 34 common software titles. Once patch reporting titles are added to the Jamf server, they can be monitored on the dashboard and used as criteria in smart groups.

Jamf has several options for FileVault2 (or FV2) management that can be used in conjunction to safely encrypt user data. Once the framework is used to encrypt a Mac, it’s possible to escrow each original key and enable or disable FV2 for other users of the Mac OS. If the management account is a FV2 user, the JSS can silently re-issue individual and institutional keys.

Next, McDonald covered iOS data protection. She explained that with Jamf it’s possible to proactively report on devices that are encrypted and/or jailbroken using smart group criteria. You can enable different levels of protection by pushing configuration profiles to the devices, such as requiring a passcode.

Katie English then took the stage to cover “What’s Outside the Box” by starting with complying with the Center of Internet Security benchmarks (or CIS compliance). This is now a very common requirement being pushed down on admins from above, which is causing occasional feature requests like: “Hey Jamf… Do CIS!”

The important detail is that there is not one solution for everyone. Every organization’s box is a different shape and size and therefore needs different tools; Just like a blue police box, the Jamf server is in fact bigger on the inside. So, we have to adapt to comply with the different third party organization requirements like NIST, ISO and CIS. The admin is ultimately in charge of deciding what is required for their own organization’s compliance.

There are already tools out there for helping with security. English even suggests to simply Google “CIS GitHub” and also offered her own solution to the problem at http://github.com/jamfprofessionalservices.

English went on to ask the audience to make informed decisions and not fear the security audit. “It is important to learn what is right for your own organization and take the time to apply what you’ve learned to only manage what you need to manage,” she said. It is a simple three-step process:

1. Choose organizational priorities.
2. Gather recon on the current state.
3. Build a remediation plan.

The Pro Services team approach to compliance can replace dozens of extension attributes, smart groups and remediation scripts. The more streamlined solution is three policies, two extension attributes and one smart group. It is simple and can still tick all the boxes for CIS compliance.

The solution offered can run with the defaults if we are looking to hit the easy button. But English encouraged that admins keep their own score and decide what is their organizational priority. An example - automatic software updates. Running all available software updates automatically for your users may or may not be appropriate. Her script is checking about 60 individual criteria and is human readable, so editing it is easy enough. Her tool doesn’t include password policies or built-in Jamf features as they are being set elsewhere. It can; however, run a compliance check and remediate machines out of compliance by running the recommended fixes before generating the report.

CIS compliance is not a ‘One and Done’ thing. Over time, benchmarks age and compliance wanders, so continue to check in on your users and determine if your security needs have not changed. Katie’s approach is fairly straightforward and harmless, but she begged the room to please test and verify in small quantities before rolling this out.