Our Commitment to Access Security
We’ve received inquiries about the recent Stryker incident and how we protect our environment from similar risks.
The scenario behind the Stryker incident is not novel. Attacks like this typically stem not from a weakness in the Mobile Device Management (MDM) platform itself, but from insufficient access controls and poorly defined role-based access control (RBAC). Here's how we're protecting Jamf's systems from a similar scenario:
- Strict Access Control via RBAC and Multi-Factor Authentication (MFA): All elevated access into our Jamf Pro environment is governed through our Identity Provider (IdP) and requires formal approval through our internal service ticketing system and MFA. Access requests are restricted to our internal IT team only and must be explicitly approved by one of our two designated Jamf Pro administrators.
- Job Function-Based Roles: Every role is tied directly to a specific job function: Identity and Access Management (IAM), Support, Client Platform Engineering (CPE), and Auditor, ensuring no one has broader access than their role requires. Access for these roles is evaluated and reviewed on a regular basis.
- Ongoing Permission Hardening: We continuously review the design of our permission levels to ensure that only Jamf's internal IT Support team and our core Jamf admin team retain the ability to execute management commands.
- Environment Monitoring: We have continuous monitoring in place for anomalous activity. Anomalous activity triggers alerts and generates event tickets that are assigned to detection and response security engineers worldwide (24/7/365).
The Stryker incident is a reminder that a sound security foundation is critical for any organization. We continuously evaluate and refine our controls to meet the evolving threat landscape. Questions? Reach out to your Customer Success Manager. For additional technical guidance, we recommend this advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).