Leveraging CIS benchmarking on the Mac with Jamf Protect

Yannis Lagogiannis | Apple, macOS, Management

Every organisation has valuable data residing on its corporate devices, whether that is intellectual property, customer or student data, regulated data or even classified data it needs to protect. A security breach, and the subsequent release of that data to the general public, could have severe consequences: significant reputational damage and even legal liability or fines.

A good device management implementation, coupled with strong security-focused policies, is a solid first step in reducing the likelihood of a data breach. Even so, in large and complex environments that run COPE (corporate-owned, privately-enabled) and BYOD (bring your own device) services, the continuous enforcement of device configurations can become a demanding activity in terms of both time and resources.

As a result, we are seeing an increasing trend of passing much of the responsibility for system and user settings, network connections, system defaults and other areas of the device to the user. While this gives users more flexibility and freedom, it also opens the system up to exploitation: malicious actors may gain access to corporate resources, and end users may inadvertently cause sensitive data to leave the organisation.

To strike a balance between security and productivity, IT administrators apply security benchmarks, such as those issued by the Center for Internet Security (CIS), the Information Security Forum (ISF) and the UK government-backed Cyber Essentials scheme, across their managed environments. The principle behind security benchmarking is to identify a set of measurable and enforceable configurations and processes that must be followed, and to score compliance with them, so as to provide a level of security assurance to the business.

At dataJAR, we have found CIS to be the most responsive group, consistently releasing the latest guidance for macOS, iOS and iPadOS. The CIS security benchmarks give organisations guidance on securing and hardening these operating systems in order to limit the risk of data exfiltration. Jamf has been making huge improvements in its ability to provide security benchmarking for its customers by developing Jamf Protect, a new addition to the Jamf product portfolio that gives organisations Apple-native security reporting capabilities and security benchmarking. Jamf Protect has recently received CIS certification for correctly assessing the CIS Security Benchmarks on macOS devices.

Leveraging native Apple security tools, Apple’s new Endpoint Security framework and on-device analysis of macOS system events, Jamf Protect creates customised telemetry and detections that give enterprise security teams unprecedented visibility into their macOS fleet.

Jamf Protect can be used together with Jamf Pro to provide a more complete remediation solution for managed Macs. Jamf Pro has an exhaustive collection of MDM configuration profile keys (settings) that can be applied across your Apple fleet, plus the capability to deploy and enforce scripts on your macOS devices where configuration profiles are not sufficient.

Working in partnership with Jamf, dataJAR recommends that your organisation thoroughly assess whether or not Apple's mobile device management (MDM) framework can enforce each setting you select. MDM macOS configuration profiles will continue to function across macOS updates, whereas scripts written to enforce a setting may stop working after the next macOS update. If you find that Apple's MDM framework cannot enforce a particular setting you need, please submit that feedback to Apple.

Our team has been taking an in-depth look at Jamf Protect's architecture and capabilities since its launch, and is excited to be able to use native macOS tools to secure sensitive data against security benchmarks, as well as to have access to reports and analysis of device security posture.

Learn more about Jamf Protect and gain access to an extended trial for your own environment here.