Jamf Security

At Jamf, we practice what we preach.

We understand that company and employee data protection is the top priority for not only our organization, but for all organizations. That's why we ensure our devices are secured with Jamf Pro, because we can't secure yours if we don't secure ours.

Like most organizations, our employees want to know how we're securing their devices, what we can and cannot access, and that their private information remains just that, private.

Take a deeper dive into our security overview and then check out the frequently asked questions that our IT staff receives from our employees. We have a feeling that yours might be similar.

Jamf security overview

Jamf has been building the world’s leading solutions to help secure and manage Apple products since 2002.

Server Architecture

At the heart of Jamf Pro is a management server running Tomcat and MySQL that hosts the management console and communicates with your devices over HTTPS.

Jamf Pro is available in Jamf Cloud - our globally available cloud offering - or as an on-premises instance using a macOS, Windows or Linux server.

Visit our System Requirements for details and learn how to best secure Jamf Pro.

Jamf Cloud

The world’s leading Apple management solutions run best on Jamf Cloud. Let our global team worry about delivering top-notch performance and availability so you can spend more time focusing on your fleet.

Jamf Cloud is available in the following regions:

  • United States (East, West, Government)
  • Germany
  • London
  • Japan
  • Australia

With Jamf Cloud, you’ll enjoy:

  • 99.9% uptime
  • 24/7 availability
  • SOC 2 compliance
  • ISO 27001 certification
  • Automatic patching and updates

For additional resources, check out the Jamf Cloud Privacy Policy and Terms of Service.

Jamf Pro Security Overview

For an overview of how we manage security across Jamf Pro’s services and components, check out the Jamf Pro Security Overview.

Security Frequently Asked Questions (FAQ)

We get asked a lot of questions, we’ve gathered them together to make it easier for you. This section is regularly updated, so be sure to check back.

Does Jamf have a SOC 2 Type 2 report?

Jamf has successfully completed a Service Organization Control 2 (SOC 2) Type 2 audit for its Jamf Pro hosted services.

The organization worked with PricewaterhouseCoopers LLP to perform an in-depth audit of our controls as they relate to security, availability and confidentiality for the period October 1, 2018 to September 30, 2019.

Please contact your sales or support representative to obtain a copy.

Is Jamf ISO 27001 certified?

Jamf has successfully completed an audit for ISO 27001 covering Jamf Pro and Jamf Now. The organization worked with Coalfire to perform a detailed audit of its controls as they relate to ISO 27001. The certification is effective May 4, 2020 through May 4, 2023

View Certificate

Is our data encrypted?

Data in transit is encrypted using TLS with Perfect Forward Security (PFS), and data at rest uses industry standard AES-256 to encrypt fields in the database that contain sensitive information, such as passwords and FileVault individual recovery keys.

Is TLS always used?

Yes, Jamf Cloud and the latest versions of Jamf Pro installers no longer include support for SSL v3.0. For existing on-premise installations, instructions are available on Jamf Nation for removing support for SSL v3.0 and configuring supported cipher suites for Tomcat HTTPS connections:

Mitigating the SSL v3.0 POODLE Vulnerability

Configuring Supported Ciphers for Tomcat HTTPS Connections

How are our passwords stored?

Passwords for local Jamf Pro user accounts are hashed using SHA-512 with a unique, random salt for each user, and all other passwords are encrypted using industry standard AES-256 with a unique, random key for each database.

Who has access to our data?

For Jamf Cloud, employee access to customer data is described in the Jamf Pro Security Overview document and our Privacy Policy.

Where are Jamf Cloud data centers located?

Jamf Cloud relies on Amazon Web Services (AWS) to provide infrastructure as a service (IaaS) within different geographic regions, including the United States, Germany, Japan and Australia. Data at rest remains in the region in which the Jamf Cloud instance was created.

Does Jamf use a secure Software Development Lifecycle (SDLC)?

Yes. We use an Agile methodology that incorporates cross-functional teams with members from Product Management, Engineering, Quality, and Technical Communications. Overarching Release and Quality processes ensure necessary oversight and consistency throughout the organization.

Does Jamf audit its security?

Jamf Pro is tested for common vulnerabilities prior to each public release, and independent third-party security assessments are periodically performed on key system components, including the Jamf Pro server and client binary. For Jamf Cloud, Jamf relies on the Amazon Web Services (AWS) Shared Responsibility Model to ensure the security of the underlying infrastructure that is provided by AWS: AWS Shared Responsibility Model

Can we undertake our own security testing?

Security testing on your own systems and networks is permitted within the terms of the Software License and Services Agreement (SLASA).

Have questions that we didn't cover? Please don't hesitate to reach out to us and talk security.