Introducing privilege elevation in Jamf Connect

Learn about how privilege elevation, a new feature of Jamf Connect, helps organizations balance the end user’s needs with administrative oversight without compromising device or credential security while permitting IT and Security teams to “work smarter, not harder”.

March 18 2024 by

Sean Rabbitt

Apple’s macOS is one of the most advanced and secure operating systems on the market today. But nothing can stop the 10,000-ton freight train known as “user error.” Add administrative rights to a user, and your IT department can have a bad day pretty quickly.

Jamf Connect introduces a simple way to let a user do their day-to-day tasks as a standard user but still have the freedom to become an administrator on demand for the occasional task. Unlike other solutions on the market, Jamf Connect allows organizations to manage this right through their cloud Identity Provider (IdP), using the power of identity on macOS to manage privileges. Combined with other solutions like Jamf Protect, organizations can report unexpected malicious behavior and log elevation requests in their SIEM in case of a security event.

Why is privilege elevation important?

macOS paints permissions in pretty broad strokes for users of its UNIX-based system. A user is either:

  • Standard: No permissions to install applications, modify system preferences or read/write/execute applications not owned by the user.
  • Administrator: Able to make changes to pretty much any file, change any setting or run/install any application — the only exception being those files and apps protected by System Integrity Protection (SIP).

An administrator is not the root user of a traditional UNIX system; that right is restricted, and the root account is disabled by default. Administrator power is sometimes a necessity, however, for things as simple as installing a device driver for a new printer or as complex as developing new software and running builds in Xcode.

macOS complicates things further by making the first user created on a device an administrator by default unless otherwise told by an MDM profile to restrict the user rights to a standard account. An organization with an MDM solution, after all, can make changes and install applications on behalf of the user.

This “admin by default” goes against the best practices of CIS Benchmark Level 1 and the NIST 800-53 moderate guidelines. The guidelines instead recommend the more complex solution of a separate administrator account to modify system-wide preferences.

How have organizations dealt with this issue in the past?

The security team is left with a few options that all seem bad:

Give no one administrative rights

  • Users call the help desk any time they need a printer or device driver installed. This is especially difficult in remote work environments where IT may not have a policy built for every driver for all printer models used in office or home environments.
  • Block team productivity when a team needs one-off meeting software to video conference with a client.
  • Prevent developers from performing their duties and building applications for the organization.

Give everyone administrative rights

  • The wild west of fleet administration — everything goes!
  • Malware and phishing applications prompt for user credentials and install anything the unsuspecting user clicks on.

To balance these two extremes — empower users but prevent accidental misuse of admin rights — organizations have relied on third-party solutions to elevate user permissions on demand. Solutions on the market range from simplistic, like running a script in Jamf Self Service, to highly granular and very expensive, like Privileged Access Management (PAM) solutions for a fleet.

What does Jamf Connect introduce with privilege elevation?

Jamf Connect provides a simple way to make standard users manageable on your organization’s fleet of Apple computers. In addition to managing standard and admin rights at the macOS login screen, privilege elevation in the Jamf Connect menu bar application allows a user to request administrative rights. The standard user then holds the right for a period of time set by the administrator and is reliably returned to a standard user when that time is up.

Jamf Connect allows administrators to:

  • Set the duration of elevation — as low as one minute.
  • Restrict privilege elevation to a specific group of users, as determined in your IdP.
  • Restrict the number of times a user can request privilege elevation in one calendar month.
  • Require users to authenticate to your IdP before elevation will occur.
  • Require users to provide a reason, recorded in the system logs, for the elevation request.
  • Display a countdown timer in the menu bar for the expiration of the elevation.
  • Elevate and demote user privileges with a command line interface (for scripting or running as part of an integrated Jamf Pro policy).

Combining identity with privilege elevation introduces enhanced security features, like restricting access to specific groups or requiring authentication before elevation is granted.

How does Jamf Connect strengthen security permissions?

Uphold role-based access controls (RBAC)

A user requests the right to install a device driver from the help desk. The help desk adds them to a designated ‘elevated privileges’ security group for a day, then removes them from the group to revoke the right to elevate permissions in the future.

Grant different durations to different groups

Developers may require a longer period of elevated permissions to perform complex tasks like product builds while a standard user may just need five minutes to change a protected setting.

Prevent users with invalid credentials from elevating permissions

If a user’s local credentials are compromised, an admin can reset their password or temporarily disable their account in the IdP, so the rogue user can no longer authenticate and elevate, preventing further exploitation of the compromise.

Jamf Connect + Jamf Protect

Jamf Connect privilege elevation has been designed to log elevation and demotion events in the macOS device Unified Logs. IT and Security teams can gain visibility into elevation events by viewing the logs of devices in Jamf Protect’s unified log filtering feature, sending these critical events into a SIEM of their choice. Paired alongside a Jamf Protect telemetry configuration, users who have shown the ability to handle administrative rights are provisioned with the just-in-time tools they need to work while still allowing for forensic analysis by IT and Security teams after the fact in case of…unfortunate events.
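As an added example (not Jamf's code) of the kind of check a SIEM rule or script can run over those unified-log events: it correlates constructed log lines, whose subsystem name ("com.example.elevation") and message wording are assumed for illustration rather than Jamf Connect's real format, to confirm every elevation was demoted within its configured window and to count each user's requests per calendar month.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a `log show --style syslog`-like shape, for a hypothetical
# "com.example.elevation" subsystem. Real Jamf Connect messages will differ.
SAMPLE_LOG = """\
2024-03-18 09:02:11-0400 mac01 JamfConnect[512] <Notice>: [com.example.elevation] elevated user=alice duration=300 reason="install printer driver"
2024-03-18 09:07:11-0400 mac01 JamfConnect[512] <Notice>: [com.example.elevation] demoted user=alice
2024-03-18 13:40:05-0400 mac01 JamfConnect[512] <Notice>: [com.example.elevation] elevated user=bob duration=600 reason="xcode build"
2024-03-18 13:51:00-0400 mac01 JamfConnect[512] <Notice>: [com.example.elevation] demoted user=bob
2024-03-19 08:15:00-0400 mac01 JamfConnect[512] <Notice>: [com.example.elevation] elevated user=alice duration=300 reason="change network setting"
"""
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \S+ \S+ <\w+>: \[[\w.]+\] (?P<action>elevated|demoted) '
    r'user=(?P<user>\S+)(?: duration=(?P<dur>\d+))?(?: reason="(?P<reason>[^"]*)")?$'
)
TS_FMT = "%Y-%m-%d %H:%M:%S%z"

def parse_events(text):
    """Turn matching log lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], TS_FMT), "action": m["action"],
                           "user": m["user"], "duration": int(m["dur"]) if m["dur"] else None,
                           "reason": m["reason"]})
    return events

def correlate(events, now):
    """Pair elevations with demotions; flag stray demotions, sessions that outlived their
    window, and sessions still open past expiry as of `now`; count requests per user-month."""
    open_sessions, findings, monthly = {}, [], defaultdict(int)
    for ev in events:
        if ev["action"] == "elevated":
            open_sessions[ev["user"]] = ev  # a second elevation replaces the first
            monthly[(ev["user"], ev["ts"].strftime("%Y-%m"))] += 1
            continue
        start = open_sessions.pop(ev["user"], None)
        if start is None:
            findings.append(("demotion_without_elevation", ev["user"], ev["ts"]))
        elif ev["ts"] - start["ts"] > timedelta(seconds=start["duration"]):
            findings.append(("overran_window", ev["user"], ev["ts"]))
    for user, start in open_sessions.items():
        if now - start["ts"] > timedelta(seconds=start["duration"]):
            findings.append(("still_elevated_past_expiry", user, start["ts"]))
    return findings, dict(monthly)

def run_sample():
    """Analyse the constructed log as of an assumed clock time."""
    return correlate(parse_events(SAMPLE_LOG), datetime.strptime("2024-03-19 08:30:00-0400", TS_FMT))
```

On a real fleet the per-user monthly counts would be compared against the cap configured in Jamf Connect, and any "still elevated past expiry" finding is the session to investigate first.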

No user is perfect.

Best practices advise not giving users who cannot be held accountable for their actions access to the tools and services protected by privilege elevation.

When the two are combined, Jamf Protect makes it simple to report on malicious behavior mapped to the MITRE ATT&CK framework. It can also prevent known malicious behaviors, so that even if a user accidentally clicks on that malware installer, administrators can mitigate risk across the entire Apple fleet.

Curious how privilege elevation will streamline your user productivity workflows?

Deploy Jamf Connect risk-free and get started simplifying your Apple fleet requests today.