In a government security discussion last year, Josh Harvey and Allen Golbig of NASA joined a room full of fellow IT admins to share their knowledge around securing and managing Apple devices in a government agency.
While Golbig’s team sets the security baseline requirements for all of NASA, Harvey's team — at the time of this interview, was managing NASA's Jamf instances which consisted of around 4,000 of which were at his center and 10,000 macOS devices agency-wide.
“Each organization within NASA has its own needs and technological footprint, resulting in having over 200 sites within Jamf,” Golbig said, “but we can use the same solution to accomplish all of it.”
According to Golbig, the story Fletcher Previn shared at the 2015 Jamf Nation User Conference (JNUC) about offering IBM employees device choices helped kicked off the conversation of extending NASA’s Apple selection. At the time, many NASA researchers and executives had expressed a preference for macOS, and NASA was determined to provide employees the devices that worked best for them. Golbig said they collaborated with Apple and Jamf Professional Services to ensure a successful pilot program that would meet their security needs and standards. Having the Apple devices become a first-class and secure option amongst their large Windows fleet was a priority.
Their first step was to consolidate the multiple management solutions from across the organization into one. “Moving macOS management to Jamf allowed us to have consistency for our Apple devices,” Golbig said. Sometimes, of course, working in silos remains a challenge: Golbig pointed out that getting colleagues in other locations to patch their systems at the same time, or getting users to upgrade isn’t always easy, but using Jamf helps keep everything secure and gives them data in Smart Groups via policies to take action. Once everything was moved to Jamf, Harvey's team hosted monthly agency-wide training sessions for System Administrators.
"These training sessions really helped get the System Administrators on board with using Jamf and got each of the silos to talk to each other!" Harvey said. "We would discuss the settings requirements Golbig's team publishes, break-down why they are needed and, most importantly, show them how to take advantage of Jamf to apply them . . . and like all good training sessions, we used a lot of memes!"
When it came to deploying macOS, in the case of Apple Business Manager, Golbig said they used some creativity to leverage its benefits in different areas: Golbig’s group uses DEPNotify in both Apple Business Manager enrolled devices and non-Apple Business Manager devices. Traditionally DEPNotify is used for Apple Business Manager devices only. Attendees found this to be unique and inspiring, since many hadn’t previously considered a possible architecture that consisted of both Apple Business Manager and non-Apple Business Manager devices, DEPNotify along with internal distribution points.
This unique approach continues to their Jamf setup. "We have multiple, clustered, Jamf Pro on-prem instances, which are hosted in AWS FedRAMP Gov Cloud,” Harvey explained. "We then configured AWS's Elastic Load Balancer to create 'public' and 'private' clusters. This allowed us to restrict Jamf Console access to only systems on a NASA network." This setup allows them to manage and patch macOS systems on and off the NASA network. The distribution points are all on-prem and configured to only use HTTPS. The NASA team gave a session at JNUC 2019 titled: "Cats in Space: Giving Admins the Tools They Need to Support Users" which recounts their story and the setup in more detail.
Golbig then went on to explain how he approached setting up smart card authentication in macOS. He said it was two years ago that NASA began considering moving away from the solution they had been using in favor of Apple’s native smartcard framework (CryptoTokenKit) coupled with Enterprise Connect. After evaluating smartcard authentication options, NASA decided not to implement smart card pairing, but rather use attribute mapping, “which is designed for domain-bound systems,” Golbig explained. In order to use attribute mapping for systems that are not domain-bound, he wrote a custom script which allows users to map their smart cards to their Mac via Self Service. Harvey and Golbig shared with the audience their solution, which also allows admins to map their smart cards to the local admin account even when Macs are no longer joined to the domain. For more information about this topic, watch Golbig’s JNUC presentation about Smart Card Services.
At the end of the day, Golbig realizes that not every organization has the complexities of NASA’s environment. But, Golbig noted, all organizations that use Apple devices have one big thing in common — the need for an MDM. “If you don’t have a user-approved MDM, your users will suffer,” he said.
Implementing Apple hardware and meeting rigorous security standards is possible in the government sector. Harvey and Golbig demonstrated that, though the path to get there may be different than for their Windows counterparts, it is possible. They encourage others to consider leveraging Jamf to help build workflows to that automate and secure their environments. Following this approach can enable organizations to securely provide their employees with the technology they prefer while delivering the best possible user experience.
For more information, contact us.