In my previous blog in this series I talked about the need to Think Different (see what I did there, Apple aficionados?) in relation to mixed estates of Windows and macOS. I, however, only discussed a small amount of the analytical data we can pull from macOS clients in businesses to help IT admin and InfoSec teams. In this blog I want to talk about some other features of Jamf Protect, and call out two of the amazing ones in particular.
Within Jamf Protect you'll find a layer of signature-based malware detection. Jamf has its own security operations team which curates malware signature lists in order to regularly update all clients. This signature-based approach works in harmony with Apple’s XProtect and MRT signature lists and protects endpoints against malware which may otherwise be missed. Good security should be like an onion and Jamf Protect's added layers can quarantine any detected malware on execution.
In addition to this, Jamf Protect also provides behaviour-based analysis. To put it another way, we are able to detect malware generically based on what it does on macOS systems, without the need for a malware signature. This solution is based on information provided by the MITRE ATT&CK Framework for macOS.
For those of you not familiar with it, the MITRE ATT&CK framework describes, in some detail, the tactics and techniques utilised by malware authors to do their nefarious work. There’s a framework for a number of client operating systems, with macOS being one of them. The frameworks are very thorough and comprehensive — describing every malware behaviour possible for each Operating System. You can take a look here to get an idea of what I mean: https://attack.mitre.org/matrices/enterprise/macos/.
Jamf Protect can be configured out of the box to look for evidence of these behaviours occurring in your enterprise Mac estate. Detecting one behaviour alone might not be sufficient to give you cause for concern, but by chaining these detections together we are able to give a very effective insight into suspicious activity occurring on your Mac devices — and in this way we provide signature-less malware detection. No longer are you tied to the cat-and-mouse game of signature updates and you can worry significantly less about whether you’ll be protected when new malware is unleashed. It’s really heralding the next generation of security solutions and illustrates how a 100% focus on Mac allows Jamf’s development team to think differently about how security can be delivered. We’re all IT admins at the end of the day; and the sense of assurance that this solution brings is priceless.
The second important feature I wanted to quickly detail was the integration with Jamf’s flagship product, Jamf Pro, and the potential for hugely customisable remediation workflows as a result. Unless you’ve been living under a stone, you’ll no doubt already be aware of Jamf Pro and that it provides enterprise mobile device management (MDM) for Apple devices. Through intelligently blending the MDM framework and the capabilities of Jamf Pro's binary, our customers are able to manage their Apple estate and provide the enablement, onboarding and security environment that their organisations demand.
Traditional security solutions tend to be a little predictable in their security responses, focussing on blocking, quarantining and notifying. Now sure, I’m not going to sit here and tell you that these actions aren’t important. The first objective of a security solution is to provide security, right? However, they still leave a lot of repetitive work that IT admins then have to do to clean up and set things right. From remotely recovering devices and shipping loan devices out, to confirming users have completed their security awareness training, to even let’s entirely rebuilding a macOS installation.
This is where the Jamf family of products works together. Jamf Pro and Protect agents start by talking directly to each other; there’s no waiting for data to be sent back and forth to a cloud-based decision engine. The Protect agent already knows what to do because the remediation has already been pre-configured in the Jamf Pro console in the same way that configuration profiles and policies for anything else are created. By virtue of some clever workflow with Jamf Pro smart groups, you can have custom remediations for particular detections or for different severities of detections. You can literally use any combination of configuration profiles and policies that you like, to achieve almost limitless remediation. It’s all fully customisable by you and most importantly — it just works. Configure the detections and remediations and push the plan to your Protect clients. There is no step 3.
On top of all this and all the other features I have raved about in this blog series, Jamf Protect offers some really neat features to help organisations gain assurance around their CIS benchmark compliance. And it achieves all of these benefits without impacting on the great Apple experience that your users love. Want to learn more? Don't miss the other blogs in this series: "macOS quietly keeps you secure" and "Securely welcoming macOS into your business". We’d be delighted to show you more, and even provide you with an open opportunity to try it out in comparison with other tools you might be using. Get in touch with us to start getting familar with what Jamf Protect can do for you.