
Jamf Security Series: How to harden your Jamf Pro environment

As the standard in Apple Enterprise Management, Jamf solutions are ideal for connecting users to the resources they need, fully managing all Apple devices, and protecting users, devices and networks against threats. With such power comes great responsibility…

Jamf Pro offers a variety of security settings for servers hosted on-premises or with Jamf Cloud. With an array of security possibilities, we want to ensure your Jamf Pro server and all supporting technology (including server operating system, Java, Apache Tomcat and MySQL) are compliant with your own internal security standards.

As such, here are seven basic recommendations to best secure your Jamf Pro server and underlying infrastructure.

1. Configure the Password Policy for Jamf Pro user accounts

The Password Policy in Jamf Pro allows you to configure the password settings. The Password Policy applies to all standard Jamf Pro user accounts. You can configure the following password settings:

  • Number of login attempts allowed before a Jamf Pro user is locked out of the account
  • Password length and age
  • Password reuse limitations
  • Password complexity
  • Settings to allow a user to unlock their own account

By configuring proper password settings, you put mechanisms in place to prevent unauthorized access. For steps to set up, visit the Configuring the Password Policy section of the Jamf Pro User Accounts and Groups page in the Jamf Pro Administrator's Guide.

2. Enable the minimum required privileges

Grant every user account and group only the minimum privileges it needs to do its job in your organization; avoid handing out full administrator access by default.

For steps to set up, visit the Creating a Jamf Pro User Account section of the Jamf Pro User Accounts and Groups page in the Jamf Pro Administrator's Guide.

3. Configure the Change Management settings to log changes

On-premises customers can log changes to a log file (JAMFChangeManagement.log) on the Jamf Pro host server and log the changes to a syslog server.

The Change Management logs can also be viewed in Jamf Pro. The information displayed includes:

  • Date/time the change took place
  • Username of the administrator who made the change
  • Object type (such as a Jamf Pro user account)
  • Object name (such as the username of a Jamf Pro user account)
  • Action (such as “Created”)
  • Details about the change

To know what changes took place and when, begin your setup by visiting the Viewing Change Management Logs in Jamf Pro section of the Change Management page in the Jamf Pro Administrator's Guide.
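As an added example (not code from the original post or from Jamf), the script below parses change-management entries and flags the ones a reviewer would want to look at first: changes to user accounts, groups or the password policy, and any change made outside business hours. The tab-separated line layout and the sample entries are constructed for this example; the real JAMFChangeManagement.log format is not shown on the page, so adjust LINE_RE to match your own export.

```python
import re
from datetime import datetime

# Constructed sample entries (assumption: one tab-separated record per line,
# mirroring the six fields Jamf Pro shows in its Change Management view:
# date/time, username, object type, object name, action, details).
SAMPLE_LOG = """\
2024-03-01 09:12:44\tadmin.jane\tJamf Pro User Account\tsvc-backup\tCreated\tPrivileges: Full Access
2024-03-01 09:13:10\tadmin.jane\tPolicy\tInstall Office\tUpdated\tScope changed to All Computers
2024-03-01 23:47:02\tadmin.bob\tJamf Pro User Account\tadmin.bob\tUpdated\tPassword changed
2024-03-02 02:05:31\tunknown\tPassword Policy\tPassword Policy\tUpdated\tMinimum length 12 -> 4
2024-03-02 02:06:00\tunknown\tJamf Pro User Account\ttemp-admin\tCreated\tPrivileges: Administrator
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\t(?P<user>[^\t]+)\t(?P<otype>[^\t]+)\t"
    r"(?P<oname>[^\t]+)\t(?P<action>[^\t]+)\t(?P<details>.*)$"
)

# Object types whose creation or modification is security-relevant:
# new or altered administrator accounts, group privileges, password rules.
SENSITIVE_TYPES = {"Jamf Pro User Account", "Jamf Pro User Group", "Password Policy"}


def parse_line(line):
    """Return a dict for one record, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def flag_sensitive(records, off_hours=(22, 6)):
    """Return (record, reasons) pairs that touch sensitive objects or
    were made between off_hours[0] and off_hours[1] (24h clock)."""
    start, end = off_hours
    flagged = []
    for r in records:
        reasons = []
        if r["otype"] in SENSITIVE_TYPES:
            reasons.append("sensitive object")
        if r["ts"].hour >= start or r["ts"].hour < end:
            reasons.append("off-hours")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for rec, why in flag_sensitive(parse_log(SAMPLE_LOG)):
        print(rec["ts"], rec["user"], rec["action"], rec["otype"], rec["oname"], why)
```

Forwarding the same entries to a syslog server (as the page notes on-premises customers can) lets this kind of rule run in your SIEM rather than on the Jamf Pro host.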

4. Schedule log flushing at appropriate intervals

Flushing logs reduces the size of the database and can speed up searches. You can flush the following types of logs:

  • Application Usage logs
  • Computer Usage logs
  • Policy logs
  • Jamf Remote logs
  • Screen sharing logs
  • Jamf Imaging logs
  • Computer and mobile device management history
  • Computer inventory reports (computer inventory information from past inventory submissions)
  • Mobile device inventory reports (mobile device inventory information from past inventory submissions)
  • Jamf Pro access logs
  • Change Management logs
  • Event logs

You can schedule log flushing to take place daily, or you can manually flush logs as needed. You can also choose to flush logs that are older than a certain number of days, weeks or months.

For steps to set up your ideal flushing scenario, visit the Scheduling Log Flushing section of the Flushing Logs page in the Jamf Pro Administrator's Guide.

5. Enable certificate-based authentication and configure SSL certificate verification

Configuring the SSL Certificate Verification setting in Jamf Pro ensures that computers only communicate with a host server that has a valid SSL certificate. This prevents computers from communicating with an imposter server and protects against man-in-the-middle attacks.

Consider the following when configuring SSL certificate verification:

  • If you are using the self-signed certificate from Apache Tomcat that is built into Jamf Pro, you must select "Always except during enrollment".
  • If you are using an SSL certificate from an internal CA or a trusted third-party vendor, select either "Always" or "Always except during enrollment". It is recommended that you use "Always" if computers in your environment are configured to trust the certificate before they are enrolled.

For steps to ensure proper certificate verification, visit the Security Settings page in the Jamf Pro Administrator's Guide and the Safely Configuring SSL Certificate Verification Knowledge Base article on Jamf Nation.

6. Require user authentication to Self Service

The Self Service User Login settings allow you to configure the method for logging in to Jamf Self Service for macOS.

Self Service User Login is disabled by default. After enabling Self Service User Login, you must select a login method and authentication type.

There are two login methods you can choose from:

  • Allow users to log in to view items available to them
  • Require login

After selecting a login method, you must select an authentication type:

  • LDAP account or Jamf Pro user account
  • Single Sign-On

For steps to set up this security feature, visit the Self Service for macOS User Login Settings page in the Jamf Pro Administrator's Guide.

7. Require users to authenticate when enrolling via automated MDM enrollment

A PreStage enrollment allows you to create enrollment configurations and sync them to Apple. This enables you to enroll new computers with Jamf Pro, reducing the amount of time and interaction it takes to prepare computers for use.

Before you can use a PreStage enrollment, you must do the following:

  • Integrate Jamf Pro with Automated Device Enrollment (formerly DEP). This creates an Automated Device Enrollment instance in Jamf Pro. For more information, see Integrating with Automated Device Enrollment.
  • Enable user-initiated enrollment for macOS in Jamf Pro. For more information, see User-Initiated Enrollment Settings. Note: We recommend selecting the option to randomly generate passwords for management accounts within the User-Initiated Enrollment Settings.

After creating an Automated Device Enrollment instance, you need to create a PreStage enrollment in Jamf Pro for the computers you want to enroll. Creating a PreStage enrollment allows you to configure the enrollment settings and customize the user experience of the Setup Assistant. You can also specify the computers that should be enrolled using the PreStage enrollment and automatically add computers newly associated with the Device Enrollment instance to the PreStage Enrollment. Only computers with macOS 10.10 or later that are associated with the Automated Device Enrollment instance can be enrolled with Jamf Pro using a PreStage enrollment.

Jamf Pro automatically refreshes information about the computers in the PreStage enrollment. If there is updated information about the computers in Automated Device Enrollment, this information is displayed in Jamf Pro. This information is automatically refreshed every two minutes.

See the steps to require users to authenticate during computer or mobile device setup by visiting the Computer PreStage Enrollments and Mobile Device PreStage Enrollments pages in the Jamf Pro Administrator's Guide.

With these simple steps, you can better secure your Jamf Pro environment. For any questions, please contact us.