
Jamf Pro Security Recommendations

Overview

This article explains the recommended security settings for Jamf Pro servers hosted on Jamf Cloud and on-premise. You must ensure that the Jamf Pro server and all supporting technology (including the server OS, Java, Apache Tomcat, and MySQL) are compliant with your own internal security standards. This article provides some basic recommendations about how to ensure your Jamf Pro server and underlying infrastructure are up-to-date and secure.

General Settings

Jamf Pro Server Settings

To ensure your server is as secure as possible, you can enable the following security-related settings in Jamf Pro:

  • Configure the Password Policy for Jamf Pro user accounts. For more information, see the "Configuring the Password Policy" section of the Jamf Pro User Accounts and Groups page in the Jamf Pro Administrator's Guide.
  • Enable the minimum required privileges. Enable the minimum privileges required by your organization for all user accounts and groups. For more information, see the "Creating a Jamf Pro User Account" section of the Jamf Pro User Accounts and Groups page in the Jamf Pro Administrator's Guide.
  • Configure the Change Management settings to log changes. Log the changes in Jamf Pro by configuring the Change Management settings (automatically enabled for Jamf Cloud instances). For more information, see the "Viewing Change Management Logs in Jamf Pro" section of the Change Management page in the Jamf Pro Administrator's Guide.
  • Schedule log flushing at appropriate intervals. For more information, see the "Scheduling Log Flushing" section of the Flushing Logs page in the Jamf Pro Administrator's Guide.
  • Enable certificate-based authentication and configure SSL certificate verification. Ensure the Jamf Pro server has a valid web server certificate before enabling this option; otherwise managed devices that cannot verify the certificate will be unable to communicate with the server. For more information, see the Security Settings page in the Jamf Pro Administrator's Guide and the Safely Configuring SSL Certificate Verification Knowledge Base article.
  • Require user authentication to Self Service. For more information, see the Self Service for macOS User Login Settings page in the Jamf Pro Administrator's Guide.
  • Require users to authenticate when enrolling via automated MDM enrollment. Require users to authenticate during computer or mobile device setup when enrolling via Apple’s Device Enrollment (formerly DEP) using a PreStage enrollment in Jamf Pro. For more information, see the Computer PreStage Enrollments and Mobile Device PreStage Enrollments pages in the Jamf Pro Administrator’s Guide.

Content Distribution

Cloud Distribution Points

Jamf Cloud Distribution Service (JCDS)
If your Jamf Pro server is hosted in Jamf Cloud and you have the subscription-based option, you can use Jamf Cloud Distribution Service (JCDS) as your cloud distribution point.

Amazon CloudFront
You can also use Amazon CloudFront to serve content with signed URLs. For more information, see the following documentation from Amazon: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

Akamai
Using Akamai with Token Authorization protection enabled is also a secure content delivery network option. For more information about how to use Token Authorization in Akamai, see the following documentation for Akamai: https://learn.akamai.com/en-us/webhelp/media-services-on-demand/stream-packaging-user-guide/GUID-4EB9C226-4B31-4BBD-B545-1CAB8917E3D1.html

For more information about configuring, testing, and replicating the cloud distribution points, see the Cloud Distribution Point page of the Jamf Pro Administrator's Guide.

File Share Distribution Points

If you cannot use a cloud distribution point, you can distribute content to managed computers and devices from your own file share distribution point. Consider the following recommendations for securing it:

File Sharing (navigate to Settings > Server Infrastructure > File Share Distribution Points > select distribution point > File Sharing tab):

  • Consider using a nonstandard port for your server. This reduces exposure to casual port scanning but is not a substitute for authentication and SSL. For more information about standard ports, see the Network Ports Used by Jamf Pro Knowledge Base article.
  • Create separate service accounts for read/write and read-only privileges, so that managed computers only ever use the read-only account to download content

HTTP Downloads (navigate to Settings > Server Infrastructure > File Share Distribution Points > select distribution point > HTTP/HTTPS tab):

  • Enable HTTP by selecting the Use HTTP downloads checkbox
  • Enable SSL (Secure Sockets Layer) by selecting the Use SSL checkbox
  • Require authentication to download files by choosing "Username and Password" from the Authentication Type pop-up menu

For more information, see the File Share Distribution Points page in the Jamf Pro Administrator's Guide.

Managed Devices

macOS Computers

It is recommended that you use the following suggestions to secure macOS computers:

  • Increase management account password security by selecting the Randomly generate new password checkbox for a computer policy and configuring the password reset frequency for the Password Policy
  • Configure passcode complexity for local user accounts by deploying the Passcode payload in a computer configuration profile
  • Require FileVault 2 encryption (For more information, see the Deploying Disk Encryption Configurations page in the Jamf Pro Administrator's Guide.)
  • Configure conditional access (For more information, see the Microsoft Intune Integration page in the Jamf Pro Administrator's Guide.)

iOS Devices

It is recommended that you use the following suggestions to secure iOS devices:

  • Configure passcode complexity for local user accounts by deploying the Passcode payload in a mobile device configuration profile
  • Ensure the Make app managed when possible checkbox is selected when distributing apps to keep data secure

Patch Policies and Reporting

It is important to keep your apps up-to-date with the latest security patches. For more information, see the Patch Policies and Patch Reporting pages in the Jamf Pro Administrator's Guide.

Scripts

Custom or prebuilt scripts are a common way to execute commands on computers, and can be run using a policy. Scripts are downloaded to and run on the managed computer, so anything embedded in them (including script parameter values) can be read there. Never hard-code Jamf Pro server administrator account credentials in scripts.

On-Premise Specific Settings

Server OS

You can host Jamf Pro on any server that meets the requirements listed on the Jamf Pro System Requirements page of the Jamf Pro Administrator's Guide.
Note: Although you can install Jamf Pro on any server that meets the minimum requirements, the Jamf Pro Installers for Mac, Linux, and Windows have additional requirements. For more information, see the Jamf Pro Installation and Configuration Guide for your platform.

To further secure the server OS, consider the following System Settings recommendations:

  • Disable guest access
  • Disable automatic login
  • Remove unnecessary service accounts
  • Remove or reset all default passwords
  • Restrict account privileges to minimum required
  • Restrict processes to minimum required
  • Control available ports and network services

Java

The Jamf Pro server and supporting technologies (Apache Tomcat) rely on the Java Development Kit (JDK) with unlimited strength Java Cryptography Extensions (JCE). It is recommended to run the latest version of the JDK that is supported on your selected operating system, including unlimited strength JCE files. Note that JDK 8u161 and later, and every JDK 9 and later release, enable the unlimited-strength cryptographic policy by default, so the separate JCE policy files are only needed on older JDKs. For more information about how to install Java, see the Installing Java and MySQL Knowledge Base article.

Apache Tomcat

Apache Tomcat is an open-source web server that is developed and maintained by the Apache Software Foundation, and is used to run the Jamf Pro web app. For more information about securing Apache Tomcat, see Open Web Application Security Project's (OWASP) article: https://www.owasp.org/index.php/Securing_tomcat

The following recommendations, some of which the Jamf Pro installers implement by default, will help you ensure Apache Tomcat is up-to-date and secure.
Note: It is recommended that you create a backup of the server.xml file before making any changes.

Modify the server.xml file

Modify the server.xml file by doing the following:

  • Use HTTPS only and disable HTTP. Comment out (or delete) the plain-HTTP Connector element in the server.xml file, as shown below, so that Jamf Pro answers only on the SSL-enabled connector:
<!--
<Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="9006" protocol="HTTP/1.1"
connectionTimeout="20000" maxPostSize="8388608" redirectPort="8443" />
-->

Modify the ServerInfo.properties file to prevent server version disclosure

To prevent server version disclosure, follow the "Valves" section of Apache Tomcat's security documentation: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Valves. Setting showServerInfo="false" and showReport="false" on the ErrorReportValve stops Tomcat error pages from revealing the server version and stack traces. The version string itself comes from the ServerInfo.properties file inside lib/catalina.jar (org/apache/catalina/util/ServerInfo.properties), which can be edited to report a generic value.

Replace the default error page to prevent version disclosure (web.xml)

To replace the default error page, modify the web.xml file using the recommendations in OWASP's documentation: https://www.owasp.org/index.php/Securing_tomcat
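As an added example (not code from Jamf or from Apache Tomcat), the following Python script audits a server.xml for the two hardening steps above: it flags any Connector that is not SSLEnabled, and checks that an ErrorReportValve with showServerInfo="false" and showReport="false" is declared, which is the Valves-section method for suppressing version disclosure. Both sample server.xml documents are constructed for the example; the port-9006 HTTP connector is the one quoted on this page, and the hardened sample assumes a single HTTPS connector on 8443.

```python
"""Audit a Tomcat server.xml for the hardening steps on this page.

Added example (not Jamf's or Tomcat's code). It parses server.xml and reports:
  * any <Connector> that is not SSLEnabled (a plain-HTTP listener), and
  * whether an ErrorReportValve suppresses version disclosure
    (showServerInfo="false") and stack traces (showReport="false").
Both sample documents are constructed for the example; the port-9006 HTTP
connector mirrors the one quoted on this page.
"""
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed weak configuration: HTTP still listening, no explicit error valve.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="9006"
               protocol="HTTP/1.1" connectionTimeout="20000"
               maxPostSize="8388608" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed hardened configuration: the HTTP connector is commented out, as
# the page shows, and an explicit ErrorReportValve hides version and stack traces.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="9006"
               protocol="HTTP/1.1" connectionTimeout="20000"
               maxPostSize="8388608" redirectPort="8443" />
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showServerInfo="false" showReport="false" />
      </Host>
    </Engine>
  </Service>
</Server>
"""


def _is_true(value):
    return value is not None and value.strip().lower() == "true"


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means every check passed.

    ElementTree drops XML comments, so a commented-out connector is invisible
    to the audit, exactly as it is to Tomcat.
    """
    findings = []
    root = ET.fromstring(xml_text)

    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        port = conn.get("port", "?")
        if proto.upper().startswith("AJP"):
            # Jamf Pro does not need AJP; an exposed AJP listener is worth a look.
            findings.append(f"AJP connector on port {port}: remove unless required")
        elif not _is_true(conn.get("SSLEnabled")):
            findings.append(f"plain HTTP connector on port {port}: remove or comment it out")

    valves = [v for v in root.iter("Valve") if v.get("className") == ERROR_VALVE]
    if not valves:
        # Tomcat adds a default ErrorReportValve per Host with both flags true.
        findings.append("no ErrorReportValve declared: error pages disclose the Tomcat version")
    for valve in valves:
        if _is_true(valve.get("showServerInfo", "true")):
            findings.append('ErrorReportValve: set showServerInfo="false"')
        if _is_true(valve.get("showReport", "true")):
            findings.append('ErrorReportValve: set showReport="false"')
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        result = audit_server_xml(doc)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run it against the live file with audit_server_xml(open(path).read()) after any change and again after a Jamf Pro upgrade, since installers may rewrite server.xml. Because ElementTree discards XML comments, the audit reports what Tomcat will actually bind, not what is merely present in the file.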

Enable SSL certificate validation

Use the issuer, Subject Alternative Name (SAN), and the expiration date for validation. For more information about how to configure the SSL Certificate Validation setting, see the Safely Configuring SSL Certificate Verification Knowledge Base article.

(Optional) Modify the web.xml to limit specific web application servlets

Modify the web.xml to limit specific web application servlets by changing their behavior or by removing them from the file.

MySQL

MySQL is a relational database management system developed and maintained by Oracle. The Jamf Pro server uses MySQL as the back-end database for storing and maintaining system data. You should ensure MySQL is up-to-date and secure by using the following recommendations.

Run the default mysql_secure_installation

If mysql_secure_installation is available, running it improves the security of your MySQL installation by setting a password for the root accounts, removing anonymous user accounts, disallowing remote root login, and removing the test database and its associated privileges. Use the following table to determine the mysql_secure_installation file path for your operating system.

Operating System    File Path
macOS               /usr/local/mysql/bin/mysql_secure_installation
Ubuntu              /usr/bin/mysql_secure_installation
Windows             perl "C:\Program Files\MySQL\MySQL Server x.x\bin\mysql_secure_installation.pl"
Note: On Windows the script is a Perl program, so Perl is required to run mysql_secure_installation, whether you run it separately or after the MySQL installation finishes.

If mysql_secure_installation is not available, do the following:

  • Set a password for the root accounts
  • Remove all privileges for anonymous user accounts
  • Remove the test database and all associated privileges

Create a unique database name and a unique MySQL user with a secure password

For more information about how to change the database name and the MySQL user password, see the Creating the Jamf Pro Database Knowledge Base article.
Note: To increase security, use a database name, MySQL user name, and password that differ from the examples in the Knowledge Base article; the jamfsoftware defaults are widely known.

Limit privileges to the minimum required

  • For a standalone web application or the master node in clustered environments, execute the following:
GRANT INSERT, SELECT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES ON <database>.* TO '<username>'@'<hostname>' IDENTIFIED BY '<password>';
  • For a child node in clustered environments, execute the following:
GRANT INSERT, SELECT, UPDATE, DELETE, DROP, LOCK TABLES ON <database>.* TO '<username>'@'<hostname>' IDENTIFIED BY '<password>';
  • To view connections from cluster nodes with different MySQL users, execute the following:
GRANT PROCESS ON *.* TO '<username>'@'<hostname>' IDENTIFIED BY '<password>';
Note: Set <hostname> to the host the Jamf Pro web app actually connects from (for example, localhost) rather than the % wildcard, and do not add WITH GRANT OPTION or any global (*.*) privilege beyond PROCESS. In MySQL 8.0 the IDENTIFIED BY clause is no longer accepted in GRANT: create the account first with a CREATE USER statement, then run the GRANT statement without the IDENTIFIED BY clause.
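As an added example (not Jamf's code), the following Python script checks the output of SHOW GRANTS for the Jamf Pro application account against the privilege sets listed above, reporting privileges beyond the set for the node type, privileges the node still needs, global (*.*) grants other than USAGE and PROCESS, and WITH GRANT OPTION. The SHOW GRANTS lines are constructed for the example and use the page's default jamfsoftware names; the role names standalone_or_master and child are the script's own labels for the two GRANT statements above.

```python
"""Check a Jamf Pro MySQL account against the least-privilege grants above.

Added example (not Jamf's code). Feed it the output of
    SHOW GRANTS FOR '<username>'@'<hostname>';
one statement per line, and it reports privileges beyond the page's set for
the node type, privileges the node still needs, global (*.*) grants, and
WITH GRANT OPTION. The SHOW GRANTS lines below are constructed for the
example and use the page's default names.
"""
import re

# Privilege sets exactly as the page's GRANT statements list them.
ROLE_PRIVILEGES = {
    "standalone_or_master": {"INSERT", "SELECT", "UPDATE", "DELETE", "CREATE",
                             "DROP", "ALTER", "INDEX", "LOCK TABLES"},
    "child": {"INSERT", "SELECT", "UPDATE", "DELETE", "DROP", "LOCK TABLES"},
}
# USAGE means "no privileges"; PROCESS on *.* is what the page grants so that
# connections from cluster nodes can be viewed.
GLOBAL_ALLOWED = {"USAGE", "PROCESS"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)"
    r"(?P<grant_option>\s+WITH\s+GRANT\s+OPTION)?\s*;?\s*$",
    re.IGNORECASE,
)

# Constructed: an over-privileged account, as produced by
# "GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION".
WEAK_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'jamfsoftware'@'localhost' WITH GRANT OPTION",
]

# Constructed: the page's standalone/master grant as MySQL 8.0 prints it.
HARDENED_GRANTS = [
    "GRANT USAGE ON *.* TO `jamfsoftware`@`localhost`",
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES "
    "ON `jamfsoftware`.* TO `jamfsoftware`@`localhost`",
]


def parse_grant(line):
    """Split one SHOW GRANTS line into (privileges, scope, grant_option).

    Accepts both the 5.7 quoting ('user'@'host', `db`.*) and the 8.0 quoting
    (`user`@`host`). Returns None for lines that are not privilege grants,
    such as the 8.0 role-assignment form "GRANT `role`@`%` TO `user`@`host`".
    """
    match = GRANT_RE.match(line.strip())
    if not match:
        return None
    privileges = {p.strip().upper() for p in match["privs"].split(",")}
    scope = match["scope"].replace("`", "")
    return privileges, scope, match["grant_option"] is not None


def audit_grants(show_grants_lines, db_name, role):
    """Return a list of findings for the Jamf Pro application account;
    an empty list means the grants match the page for that node role."""
    allowed = ROLE_PRIVILEGES[role]
    findings = []
    db_privileges = set()
    has_db_grant = False

    for line in show_grants_lines:
        parsed = parse_grant(line)
        if parsed is None:
            findings.append(f"could not parse: {line.strip()}")
            continue
        privileges, scope, grant_option = parsed
        if grant_option:
            findings.append(f"{scope}: WITH GRANT OPTION lets the account hand out its privileges")
        if "ALL PRIVILEGES" in privileges:
            findings.append(f"{scope}: ALL PRIVILEGES; grant only the listed privileges on {db_name}.*")
            has_db_grant = True
            continue
        if scope == "*.*":
            extra = privileges - GLOBAL_ALLOWED
            if extra:
                findings.append(f"*.*: global privileges {sorted(extra)}; restrict to {db_name}.*")
        elif scope == f"{db_name}.*":
            has_db_grant = True
            db_privileges |= privileges
        else:
            findings.append(f"{scope}: privileges on a scope Jamf Pro does not use")

    if not has_db_grant:
        findings.append(f"no grants on {db_name}.*: the web app cannot use this account")
    extra = db_privileges - allowed
    missing = allowed - db_privileges if db_privileges else set()
    if extra:
        findings.append(f"{db_name}.*: beyond the {role} set: {sorted(extra)}")
    if missing:
        findings.append(f"{db_name}.*: missing for a {role} node: {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for label, lines in (("weak", WEAK_GRANTS), ("hardened", HARDENED_GRANTS)):
        result = audit_grants(lines, "jamfsoftware", "standalone_or_master")
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print("  -", finding)
```

Run the audit once per node with the role that node plays; a child node checked against the child set will be flagged for CREATE, ALTER and INDEX if it was given the master grant. The separate PROCESS account from the last GRANT above has no database grant by design and is not what this check is for.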

Schedule database backups

For more information, see the Backing Up the Database Using the Jamf Pro Database Utility Knowledge Base article.

Remove the <DataBasePassword> key or set a blank value

If the database password is removed from the DataBase.xml configuration file, or left blank as shown below, the password is not stored on disk and must be entered manually for the Jamf Pro web app during startup. In a clustered environment, the database password must be entered manually on each individual node.
Note: Default values are included for reference only. Use unique values in production environments.

<DataBase>
...
<DataBaseName>jamfsoftware</DataBaseName>
<DataBaseUser>jamfsoftware</DataBaseUser>
<DataBasePassword></DataBasePassword>
...
</DataBase>

Additional Information

For additional information about securing your Jamf Pro server, see the following Knowledge Base articles:
