Some policies also update the device inventory after running. When an Apple device is enrolled into the campus configuration management system (Jamf Pro) a software inventory is automatically collected and updated on a daily basis. Read the documentation for setup as there are several options. Note: Standard Users will still have to type in their username and password to complete the install but admin permissions are not required.įor situations where full administrative access is actually the least privilege required, time limited privilege elevation can be granted using the Privileges.app from The installer for Privileges.app is available in the campus configuration management system. To allow installation of software only create a Jamf policy which configures the Files and Processes Option to have an Execute Command of: /usr/bin/security authorizationdb write group If software installation permissions are needed these can be granted using the authorization database without giving full administrative access. Best practice for software installation is the direct clients to use Jamf Self Service.app as no elevation of permissions are needed. The intent of this control is to protect the data stored on the device NOT to keep software from being installed! In today’s world software can be run from external storage like key drives or even directly downloading to the home directory and running from there where no extra permissions are required. Commonly you will hear complaints from end users that this does not allow them to install software. Creating new users with the account type Standard will meet the control. In macOS, Apple allows creation of Administrator, Standard, and Sharing Only accounts. Meeting this control is simply setup methodology where accounts are not created with full administrative access to the device. The by uploading the custom profile only the needed settings are locked. While Jamf Pro does have a Security & Privacy Option payload, setting just the Firewall in this option locks out the management of other important settings from user control. In Jamf Pro upload into the Configuration Profiles tab the custom profile that manages just the firewall preferences in the preference domain from
Use a custom Apple Configuration Profile that enables the Firewall and enables Stealth Mode.
This built-in security feature of macOS will keep the local account password in sync with the campus WOLFTECH directory. Use a Apple Configuration Profile in Jamf Pro to ensure that the Login Window option has setting for:ġ) Window tab is set to show Name and Password Fields for the Login Prompt as in Figure 1.Ģ) Options tab is set to Disable Automatic Login as in Figure 2.įigure 2: Login Window Options Tab settings Apple Kerberos Single Sign On ExtensionĪdditionally use a Jamf Configuration Profile to enable the built-in Apple Kerberos Single Sign On Extension(SSOE) provided with every macOS devices running 10.15 or newer.
Two policies are needed to ensure proper install and scanning.įull documentation is on the DetectX Setup for Jamf Pro page. Use a Jamf Policy to install DetectX as a supplement to Apple’s XProtect. While not strictly part of the Endpoint Protection Standard the University Patch Standard must be implemented at as a complete defense against threats on university data. Patch Standard RUL 08.00.14 – System and Software Security Patching Standard Quick IndexĮndpoint Protection Standard RUL 08.00.18 – Endpoint Protection Standard Note that other helpful documentation about setting up Apple device management in Jamf Pro can be found at go./jamfcheat. If a group is not able to meet these controls, an IT Exception must be submitted to Security & Compliance via this exception request form.Īs always TEST policies and profiles on a small group of devices before deploying them to an entire Site. The information below provides the baseline configuration for NC State’s Jamf Pro environment to meet the control requirements of the Endpoint Protection Standard.Īll NC State Jamf Pro administrators must implement these baseline controls in their Jamf Pro Site.
0 kommentar(er)
