This article explains the recommended security settings for Jamf Pro servers hosted on Jamf Cloud and on-premise. You must ensure that the Jamf Pro server and all supporting technology (including the server OS, Java, Apache Tomcat, and MySQL) are compliant with your own internal security standards. This article provides some basic recommendations about how to ensure your Jamf Pro server and underlying infrastructure are up-to-date and secure.
To ensure your server is as secure as possible, you can enable the following security-related settings in Jamf Pro:
Jamf Cloud Distribution Service (JCDS)
If your Jamf Pro server is hosted in Jamf Cloud and you have the subscription-based option, you can use Jamf Cloud Distribution Service (JCDS) as your cloud distribution point.
You can also use Amazon CloudFront to serve content with signed URLs. For more information, see the following documentation from Amazon: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
Using Akamai with Token Authorization protection enabled is also a secure content delivery network option. For more information about how to use Token Authorization in Akamai, see the following documentation for Akamai: https://learn.akamai.com/en-us/webhelp/media-services-on-demand/stream-packaging-user-guide/GUID-4EB9C226-4B31-4BBD-B545-1CAB8917E3D1.html
For more information about configuring, testing, and replicating the cloud distribution points, see the Cloud Distribution Point page of the Jamf Pro Administrator's Guide.
If you cannot use JCDS or you have configured your own file share distribution point, the Jamf Pro server allows you to distribute content to managed computers and devices. Consider the following recommendations for securing your content distribution:
File Sharing (navigate to Settings > Server Infrastructure > File Share Distribution Points > select distribution point > File Sharing tab):
HTTP Downloads (navigate to Settings > Server Infrastructure > File Share Distribution Points > select distribution point > HTTP/HTTPS tab):
For more information, see the File Share Distribution Points page in the Jamf Pro Administrator's Guide.
It is recommended that you use the following suggestions to secure macOS computers:
It is recommended that you use the following suggestions to secure iOS devices:
Custom or prebuilt scripts are a common way to execute commands for computers, and can be run using a policy. Avoid hard-coding account credentials for Jamf Pro server administrators in scripts.
You can host Jamf Pro on any server that meets the requirements listed on the Jamf Pro System Requirements page of the Jamf Pro Administrator's Guide.
To further secure the server OS, consider the following System Settings recommendations:
The Jamf Pro server and supporting technologies (Apache Tomcat) rely on the Java Development Kit (JDK) with unlimited strength Java Cryptography Extensions (JCE). It is recommended to run the latest version of the JDK that is supported on your selected operating system, including unlimited strength JCE files. For more information about how to install Java, see the Installing Java and MySQL Knowledge Base article.
Apache Tomcat is an open-source web server that is developed and maintained by the Apache Software Foundation, and is used to run the Jamf Pro web app. For more information about securing Apache Tomcat, see Open Web Application Security Project's (OWASP) article: https://www.owasp.org/index.php/Securing_tomcat
The following recommendations, some of which the Jamf Pro installers implement by default, will help you ensure Apache Tomcat is up-to-date and secure.
Modify the server.xml file by doing the following:
<!-- <Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="9006" protocol="HTTP/1.1" connectionTimeout="20000" maxPostSize="8388608" redirectPort="8443" /> -->
To prevent server version disclosure, modify the ServerInfo.properties file using the recommendations in the "Valves" section of Apache Tomcat's documentation: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Valves
To replace the default error page, modify the web.xml file using the recommendations in OWASP's documentation: https://www.owasp.org/index.php/Securing_tomcat
Use the issuer, Subject Alternative Name (SAN), and the expiration date for validation. For more information about how to configure the SSL Certificate Validation setting, see the Safely Configuring SSL Certificate Verification Knowledge Base article.
Modify the web.xml to limit specific web application servlets by changing their behavior or by removing them from the file.
MySQL is a relational database management system developed and maintained by Oracle. The Jamf Pro server uses MySQL as the back-end database for storing and maintaining system data. You should ensure MySQL is up-to-date and secure by using the following recommendations.
If mysql_secure_installation is available, running it allows you to improve the security of your MySQL installation by setting a password for root accounts and removing certain accounts, the test base, and access privileges. Use the following table to determine the mysql_secure_installation file path for your operating system.
|Operating System||File Path|
Note: Perl is required to run mysql_secure_installation separately or run it after installation.
If mysql_secure_installation is not available, do the following:
For more information about how to change the database name and the root MySQL user password, see the Creating the Jamf Pro Database Knowledge Base article.
If you want to further restrict access to MySQL, you can create separate user accounts with limited privileges. For more information, see the following webpages:
Following is a list MySQL privileges that are required for different types of environments:
INSERT, SELECT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES
INSERT, SELECT, UPDATE, DELETE, DROP, LOCK TABLES
For example, you would execute commands using the following general syntax:
GRANT <privileges> ON <database> TO <user>;
For more information, see the Backing Up the Database Using the Jamf Pro Database Utility Knowledge Base article.
If the database password is removed from the configuration file, the database password must be entered manually for the Jamf Pro server web app during startup. In a clustered environment, the database password must be entered manually for each individual node.
<DataBase> ... <DataBaseName>jamfsoftware</DataBaseName> <DataBaseUser>jamfsoftware</DataBaseUser> <DataBasePassword></DataBasePassword> ... </DataBase>
For additional information about securing your Jamf Pro server, see the following Knowledge Base articles: