Using Mac Endpoint Telemetry for Compliance with Regulatory Frameworks

Learn how Jamf's Mac Endpoint Telemetry helps organizations along their compliance path across multiple industries and geographies.

February 13 2025 by Sean Smith


Released earlier this year, Jamf's updated Mac Endpoint Telemetry capability provides organizations with meaningful and actionable insights to support compliance audits, incident investigations, threat hunting and IT operations. This blog focuses on governance and compliance, showing how Jamf's telemetry helps organizations easily configure and collect the telemetry that makes up part of the data needed to satisfy vital compliance frameworks.

What is IT governance and compliance?

Governance is the system, typically expressed as frameworks, that lays out the criteria for the configurations, functions and processes necessary to achieve a minimum level of data security based on industry-accepted standards.

Compliance is the act of meeting governance (both internal and external standards) by implementing controls, configuring hardware and software, and putting processes in place within the boundaries of that guidance to safeguard data, protect privacy and ensure audit readiness.

Together, they rely on actionable insights from Mac endpoint telemetry to detect anomalies, enforce policies and demonstrate adherence to internal and external requirements.

Why are IT governance and compliance important?

Governance and compliance are critical for organizations to protect sensitive data, understand any gaps in organizational security posture, and reduce the risk of financial or reputational damage. Strong governance ensures that policies are enforced to minimize risks, while compliance demonstrates adherence to external regulations and internal standards, avoiding penalties or breaches.

For example:

  • Preventing insider threats: Logging user activity and privilege escalation helps organizations detect and respond to unauthorized actions, meeting frameworks like NIST 800-53 and ISO 27001.
  • Enabling audit readiness: Capturing system activity and configuration changes ensures organizations can demonstrate compliance with PCI DSS and HIPAA audits.
  • Reducing breach impact: By tracking anomalies and enforcing policies through telemetry, organizations can detect advanced threats early and minimize disruption.

Governance and compliance aren’t just obligations — they are key to maintaining secure and efficient operations.

Understanding compliance frameworks

There are several common cybersecurity frameworks that organizations across industries and geographies are required to comply with, or strive to comply with. Importantly, Jamf's Endpoint Telemetry capability gives organizations insight into the current health status of their devices. This data is essential when aligning security configurations to the requirements found in these compliance frameworks. The following is not an exhaustive list of every framework, but it covers the most common ones.

Regulatory compliance frameworks

These frameworks are mandated by legal or industry regulations and typically require organizations to meet specific requirements to ensure data protection, privacy or operational integrity. Achieving compliance with these frameworks is required.

  • Executive Order 14028 (M-21-31) in the United States for the federal government sector
  • HIPAA / HITRUST CSF in the United States for the healthcare and service provider sector
  • PCI DSS, a global framework for payment processing
  • SOC, a global framework for service providers

Security baselines and benchmarks

These frameworks or requirements provide prescriptive technical controls or best practices for securing IT systems, often used as a reference to meet broader compliance goals. Depending on the organization and sector, these frameworks are either required or optional.

  • ISO 27001/2, a global baseline, for all sectors
  • NIST 800-53 in the United States (but influencing other countries) for both the government and private sector
  • NIST 800-171 in the United States (but influencing other countries) for government, defense contractors, and related government or defense agencies or businesses
  • CNSSI 1253 for the United States Federal Government national security systems
  • DISA STIG in the United States for military and defense contractors
  • CIS Level 1 and 2, a global benchmark, for all sectors

Security maturity models

These frameworks emphasize improving an organization's cybersecurity posture through stepwise recommendations, focusing on resilience and adaptability.

  • CMMC Levels 1 and 2 in the United States for defense contractors
  • Essential 8 in Australia for all sectors
  • Australian ISM in Australia for government and private sectors
  • Cyber Essentials in the United Kingdom for government and private sectors
  • ENISA Framework in the European Union for critical infrastructure (like energy, telecommunications and transportation)

How does Jamf's Mac endpoint telemetry help?

Now that we know what types of governance and compliance frameworks exist, the next question is: how does Jamf's Mac endpoint telemetry capability help? Jamf's Mac endpoint telemetry is organized into categories that security teams can easily configure and log. We'll now look at common logging requirements, why each is important, the frameworks related to each requirement, and the telemetry category that helps satisfy it.

For an in-depth review of categories of information to collect when creating a telemetry configuration, check out our technical documentation.

Screenshot of Telemetry creation screen in Jamf Protect.

Process execution and traceability

Process execution and traceability involve capturing details about executed processes, their origins, parent-child relationships and code integrity. Process execution logs are essential for detecting unauthorized processes, identifying malware and reconstructing attacker behavior. Organizations that must achieve compliance with NIST SP 800-53, EO 14028 (M-21-31), PCI DSS and Essential 8 need to log this telemetry as part of complying with the logging requirements of each framework.

Authentication and access

Authentication and access involve recording user authentication events, including logins, logouts, failed attempts and remote access (for example, SSH and screen sharing). Organizations need logs of both successful and unsuccessful authentication events to enforce access control policies, track unauthorized attempts and support compliance audits. Organizations that must achieve compliance with NIST SP 800-53, EO 14028 (M-21-31), HIPAA, PCI DSS and Cyber Essentials need to log this type of telemetry.

Privilege elevation and administrative actions

Privilege elevation and administrative actions involve monitoring events where users elevate privileges (e.g., sudo) or perform administrative actions (e.g., user substitution, critical system changes). Privilege management and tracking are critical for detecting abuse of elevated permissions and providing forensic insight into those actions. Organizations that must achieve compliance with NIST SP 800-53, EO 14028 (M-21-31), PCI DSS and DISA STIG need to log this telemetry as part of complying with the logging requirements of each framework.

User and Group Management

User and group management involves logging changes to user and group configurations, including account creation, deletion, modification and attribute changes (e.g., password). Organizations often need visibility into account lifecycle events to maintain least-privilege principles and prevent unauthorized access. Organizations that must achieve compliance with NIST SP 800-53, EO 14028 (M-21-31), ISO/IEC 27001 and CMMC need to log this telemetry as part of complying with the logging requirements of each framework.

Persistence mechanisms

Persistence mechanisms involve monitoring the creation or removal of items that threat actors use to maintain persistence, such as LaunchAgents, LaunchDaemons or other system-level scheduled tasks. This telemetry helps detect stealthy, long-term attacker footholds on macOS systems. Organizations that must achieve compliance with NIST SP 800-53, EO 14028 (M-21-31) and DISA STIG need to log this telemetry as part of complying with the logging requirements of each framework.
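One way to realise the "new or modified persistence mechanism" check this paragraph describes, as an added example that is not Jamf's code and does not use Jamf's telemetry format: it snapshots a directory of launchd plists, diffs it against an earlier baseline, and flags jobs whose program or script lives in a user-writable path. The sample jobs, the temp directory and the WRITABLE_PREFIXES list are constructed assumptions; a real run would scan the LaunchAgents and LaunchDaemons folders.

```python
"""Baseline-and-diff check for macOS launchd persistence plists. Sample data is
constructed in a temp dir; a real run would scan the LaunchAgents/LaunchDaemons folders."""
import hashlib, os, plistlib, tempfile

# Locations an unprivileged user (or compromised process) can write to; a launchd
# job that runs something from here deserves a closer look (illustrative list).
WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")

def snapshot(directory):
    """Map each .plist file to its label, launch arguments and content hash."""
    entries = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            raw = fh.read()
        data = plistlib.loads(raw)
        args = data.get("ProgramArguments") or [data.get("Program", "")]  # launchd allows either key
        entries[name] = {"label": data.get("Label"), "args": args,
                         "sha256": hashlib.sha256(raw).hexdigest()}
    return entries

def diff(baseline, current):
    """Added, removed and modified entries relative to an earlier snapshot."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(n for n in both if baseline[n]["sha256"] != current[n]["sha256"])}

def flag_writable(entries):
    """Entries whose program or script argument lives in a user-writable location."""
    return sorted(n for n, e in entries.items()
                  if any(a.startswith(WRITABLE_PREFIXES) for a in e["args"]))

def demo():
    """Constructed scenario: a vendor updater exists at baseline, then a new job
    appears that launches a shell script out of /tmp at login and keeps it alive."""
    with tempfile.TemporaryDirectory() as d:
        def put(name, job):
            with open(os.path.join(d, name), "wb") as fh:
                plistlib.dump(job, fh)
        put("com.example.updater.plist",
            {"Label": "com.example.updater", "RunAtLoad": True,
             "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]})
        base = snapshot(d)
        put("com.example.helper.plist",
            {"Label": "com.example.helper", "RunAtLoad": True, "KeepAlive": True,
             "ProgramArguments": ["/bin/sh", "/tmp/helper.sh"]})
        now = snapshot(d)
        return diff(base, now), flag_writable(now)
```

Persisting the baseline between runs (for example, as JSON in a protected location) turns this into the change record an auditor expects; the flagged list is a triage hint, not proof of compromise.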

Volume mounts and device connection

Volume mounts and device connections involve logging events where volumes are mounted or unmounted, or external devices (e.g., USB drives, network devices) are connected. These device connection logs help organizations track unauthorized hardware use and prevent data exfiltration or malware introduction. Organizations that must achieve compliance with NIST SP 800-53, EO 14028 (M-21-31) and PCI DSS need to log this telemetry as part of complying with the logging requirements of each framework.

Built-in security events

Built-in security events capture events from macOS security tools (e.g., XProtect) and report on malware detections and enforcement actions. They provide evidence of active defenses and threat remediation, satisfying malware protection requirements. Organizations that must achieve compliance with NIST SP 800-53, EO 14028 (M-21-31) and Cyber Essentials must log this telemetry as part of complying with the logging requirements of each framework.

System configuration changes

System configuration change telemetry monitors changes to system settings, such as profile installations, VPN configurations and kernel extensions. It helps enforce system hardening policies and identify unauthorized deviations. Organizations that must achieve compliance with NIST SP 800-53, EO 14028 (M-21-31) and DISA STIG must log this telemetry as part of complying with the logging requirements of each framework.

Diagnostic crash reports

Diagnostic and crash reports collect diagnostic and crash logs from built-in and third-party applications. These logs help identify stability issues, failed exploitation attempts or application misconfigurations. Organizations that must achieve compliance with NIST SP 800-55, EO 14028 (M-21-31) and ISO/IEC 27001 must log this telemetry as part of complying with the logging requirements of each framework.

Application performance and resource utilization

Application performance and resource utilization telemetry logs performance metrics, such as CPU usage, energy efficiency and resource consumption by processes and apps. Application performance monitoring helps detect anomalies like resource hijacking (e.g., cryptojacking) and optimize systems for operational efficiency. Organizations that must achieve compliance with NIST SP 800-53, ISO/IEC 27001 and Essential 8 must log this telemetry as part of complying with the logging requirements of each framework.

Custom log file collection

Custom log file collection monitors and reports on system and third-party log files for specific use cases. It enables organizations to monitor specific workflows or compliance-critical processes beyond the default telemetry. Organizations that must achieve compliance with NIST SP 800-53, ISO/IEC 27001 and Essential 8 must log this telemetry as part of complying with the logging requirements of each framework.

Key takeaways of Mac endpoint telemetry categories

Jamf gives IT and security teams the ability to easily configure specific categories of telemetry, and within each category admins can collect exactly the telemetry they want. What are those categories?

  • Application and processes logs process execution with heritage (parent-child relationships) and tracks code-signing details for validation.
  • Access and authentication captures detailed logs of privilege escalation attempts and administrative actions tied to user identities and related processes for traceability.
  • Users and groups logs all changes to user and group configurations (e.g., creation, group changes), correlating them with other telemetry (e.g., privilege escalation).
  • Persistence detects new or modified persistence mechanisms, providing visibility into macOS-specific vectors.
  • Hardware and volumes tracks external volume mounts, unmounts and device connections to detect unauthorized hardware use.
  • Apple security captures events from the built-in security tools on Mac devices.
  • System captures sensitive configuration changes (e.g., config profile install or kernel extension load), ensuring organizations can validate secure settings and identify deviations.
  • Diagnostic and crash reports captures diagnostic reports and crash events, linking them to processes or users for forensic analysis.
  • Performance metrics tracks application efficiency, helping organizations maintain operational performance and resilience.

Get started with Jamf's Mac endpoint telemetry

Mac endpoint telemetry covers a wide range of use cases for organizations that need more visibility into their Mac environment. Jamf's Mac endpoint telemetry provides unparalleled visibility, delivering more accurate, reliable and actionable insights to meet your compliance, security and IT needs.

Learn how Jamf can help organizations on their compliance path today and maintain a strong, compliant security posture in the future.