Jamf Blog
September 28, 2022 by Jesus Vigo

Zero Trust with zero-touch deployment

As an IT professional, you have several justifiable concerns. You can’t trust the computer or the operating system installed on it. You shouldn’t trust the network either, and sometimes not even the user. These sessions focus on zero-touch deployments: we show you how to stop worrying and learn to love the Mac while building levels of management and security into one big, happy way for users to access organizational resources safely with the full Jamf stack.

Zero Trust starts with zero-touch

In our first session, our hosts Kat Garbis, Business Development Executive, Jamf, and Sean Rabbit, Sr. Consulting Engineer, Identity, Jamf, discuss Zero Trust and the role it plays in the security of managed devices. They also cover how integrating endpoint security alongside your management solution can help administrators and end users alike by weaving secure practices into the deployment process, so users can be productive and secure — from the first time their Mac is powered on.

Zero Trust is defined as a security model that continuously authenticates each request made by devices and users while analyzing contextual information, such as device health monitoring, before access to organizational resources is granted.

Unlike traditional models that operate under implicit trust, meaning that any devices on the corporate network are trusted automatically, Zero Trust operates within the context of “never trust — always verify”.

But Zero Trust goes beyond simply safeguarding data. Though that’s the ultimate goal, there are additional security-focused benefits tied to Zero Trust Network Access (ZTNA) technology, such as:

  • Prevents piggybacking on approved users
  • Prevents attackers from moving laterally
  • Manages resources both inside and outside the perimeter network
  • Integrates security controls that support all devices over any connection

But how does it go about achieving this, you ask? Garbis boils it down to four target areas:

  1. Device: Regularly performs health checks on endpoints to ensure they’re not compromised before granting access. If a device is compromised, IT is alerted in real time while remediation workflows automatically resolve detected issues.
  2. User: Leverages cloud-based identities to authenticate users while implementing Multi-factor Authentication (MFA) technology to verify users really are who they claim to be.
  3. Software: Determines if devices are missing updates or require quarantine if malware infections or other indicators of compromise are detected.
  4. Network: Maintains secure remote connections to hosted services across your infrastructure (on-premises, multiple clouds and SaaS). Also establishes unique microtunnels for each request to mitigate lateral movement, restricting access to only the affected resource in the event of compromise while keeping users productive.

Almost zero-touch

In the second session, Richard Purves, Sr. macOS Engineer at The RealReal, Inc. joins Garbis and Rabbit in sharing hosting duties related to zero-touch deployments and the real-world issues that often affect the success of your deployment project.

Purves shares his personal experience of receiving and using a Mac laptop upon being onboarded and how frustrating the process of getting his Mac up and running was: important components were missing, others were not fully configured, and worse yet, this all occurred right when the pandemic hit, making it that much more difficult to resolve his concerns amidst the initial chaos of switching to a remote work environment.

Despite the frustrations he experienced, Purves decided to use it as a learning tool to effectively “fix all the things” he deemed wrong or not user-friendly in the deployment process… on his own and without the support of a large team or unlimited resources.

Some of the design goals he shares with the audience serve not only to facilitate access and permissions to organizational resources but also to streamline procedures, in a concerted effort to make the experience a powerful yet simple tool that gives the end user everything they need right from the first startup — no loss of productivity waiting for overburdened IT staff to get around to addressing their issue.

  • Implement cloud identity provider and MFA
  • Allow the end user to unbox and set up their Mac
  • Make deployment changes easy to incorporate
  • Achieve parity with existing enrollment processes
  • Retrofit existing devices to adhere to new onboarding procedures
  • Provision access to required company resources, such as Wi-Fi

Oh, and everything on the list must be possible with only:

  • Jamf Pro
  • Jamf Connect
  • DEP Notify
  • “Some ZSH goodness”

How did it all shake out? Was Purves able to achieve his goals? Without giving away too much, YES (and he demos a full onboarding video that guides employees successfully through the entire process).

What we can share with you here are the solutions he used to develop his “almost zero-touch” workflow with Jamf as his co-pilot:

1. Jamf Pro:

a. PreStage: Provides an automated catch-all for initializing devices as they enroll in Jamf Pro, aids in creating the local administrator account and automates the Setup Assistant process on your Mac. Lastly, it deploys two packages, DEP Notify and Jamf Connect, which assist the workflow greatly.

b. Policies: Used to simplify software deployments and manage settings configurations, while targeting devices through scoping and Smart Groups, ensuring devices have exactly what they need — right from initial deployment — and allowing IT to better track and manage inventory with up-to-date user assignment.

2. Jamf Connect: Facilitates the creation of local user accounts on the Mac, tying them to your Identity Provider (IdP), while controlling the order in which items are installed. Also helps provide branding to customize the user experience.

3. DEP Notify: Drives the user’s onboarding experience from the moment they log in to the device for the first time. Allows much of the deployment configuration to live centrally within Jamf Pro, requiring minimal changes to scripts and packages, while keeping required user interaction to a minimum through the magic of customization and automation.

The last point Purves touches upon is the problems encountered along the way and how simple they were to resolve by leveraging Jamf solutions to facilitate a truly smooth, trouble-free user onboarding experience.
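To make the DEP Notify and Jamf Pro interplay concrete, here is an added example script (not Purves’s own “ZSH goodness” or any Jamf-provided code, and written in POSIX sh rather than zsh). It assumes hypothetical custom policy triggers (provision_wifi, security_baseline, core_apps), the standard DEP Notify control file /var/tmp/depnotify.log, the jamf binary at /usr/local/bin/jamf, and a constructed FileVault check as the post-deployment health gate before the Mac is handed over.

```shell
#!/bin/sh
# Added example: drive DEP Notify while Jamf Pro policies run via custom triggers.
# Trigger names, the step list and verify_baseline are assumptions, not from the page.
DEPNOTIFY_LOG="${DEPNOTIFY_LOG:-/var/tmp/depnotify.log}"
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"

# DEP Notify tails its control file: "Command:" lines change the window,
# "Status:" lines update the status text and advance the progress bar.
dep_cmd()    { printf 'Command: %s\n' "$1" >> "$DEPNOTIFY_LOG"; }
dep_status() { printf 'Status: %s\n'  "$1" >> "$DEPNOTIFY_LOG"; }

# Steps as "label|custom trigger". Each Jamf Pro policy listens on its trigger,
# so what gets installed stays editable centrally in Jamf Pro, not in this script.
STEPS="Installing Wi-Fi profile|provision_wifi
Applying security baseline|security_baseline
Installing productivity apps|core_apps"

count_steps() { printf '%s\n' "$STEPS" | grep -c .; }

# Run one step; on failure surface it to the user and stop the workflow.
run_step() {  # $1 = label, $2 = custom trigger
    dep_status "$1"
    if ! "$JAMF_BIN" policy -event "$2" >/dev/null 2>&1; then
        dep_status "Failed: $1"
        return 1
    fi
}

# Health gate: the device check in a Zero Trust model expects disk encryption,
# so do not declare the Mac ready until FileVault reports it is on.
verify_baseline() { fdesetup status | grep -q 'FileVault is On'; }

main() {
    : > "$DEPNOTIFY_LOG"
    dep_cmd "MainTitle: Setting up your Mac"
    dep_cmd "MainText: Keep the Mac plugged in and on the network."
    dep_cmd "Determinate: $(count_steps)"      # progress bar sized to the step list
    printf '%s\n' "$STEPS" | while IFS='|' read -r label trigger; do
        run_step "$label" "$trigger" || exit 1
    done || return 1
    if verify_baseline; then
        "$JAMF_BIN" recon >/dev/null 2>&1      # refresh inventory so Smart Groups update
        dep_cmd "Quit: Your Mac is ready."
    else
        dep_status "Disk encryption is not enabled; contact IT."
        return 1
    fi
}

# Only run the workflow where the Jamf binary actually exists.
if [ -x "$JAMF_BIN" ]; then main; fi
```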

Jesus Vigo
Jamf
Jesus Vigo, Sr. Copywriter, Security.