Automated Network Isolation
  • 12 Apr 2024
  • 8 Minutes to read
  • Dark
    Light
  • PDF

Automated Network Isolation

  • Dark
    Light
  • PDF

Article summary

Organizations and security teams responsible for responding to and remediating threats often prefer to have a workflow in place that puts infected endpoints into a network-isolated state. This helps to prevent further impact to connected IT systems until the threat has been addressed and remediated.

To achieve such a workflow, you might have already been utilizing automated workflows with Jamf Pro and Jamf Protect. These isolate a device from network activities after an alert has been triggered by Jamf Protect. It's possible that you're currently using one of the Endpoint Network Isolation workflows available on Jamf Protect’s open-source repository.

If you are exploring automated network isolation or already using one of the aforementioned workflows, we may have some enhanced workflows available for you!

With the recent updates to Jamf Protect, and especially the Jamf Security Cloud portal, it's now possible to build network isolation workflows between Jamf Pro and Jamf Protect using native features and technologies!

Presented below is an demonstration of this workflow from the view point of the end user. In this workflow we have decided to notify the end user using swiftDialog and Jamf Self Service for providing remedation actions but as this is highly customisable you can use any framework for delivering notifications to a end user.


Workflow Overview

  • On-device behavioral threats are detected by Jamf Protect analytics and signaled by Jamf Pro via Webhook to Jamf Security Cloud for syncing endpoint and group state ad-hoc.
  • The macOS endpoint get’s added to a separated group in Jamf Security Cloud which’s has a restricted block policy.
  • Jamf Security Cloud will not resolve DNS requests from the affected endpoint for categories and domains that are part of the restricted block policy, making sure the endpoint can only access pre-determined resources that are allowed like *apple.com and *jamfcloud.com
  • Once the threat have been identified and the risk has been remediated, the endpoint will automatically leave the group and gains access back again to accessing resources.

NetworkIsolationDiagram.jpg

Use Cases

Before going in to the actual workflow, first let's review some relevant use-cases that could involve this workflow.

As an administrator I want to
Automatically mitigate further risk by isolating an endpoint from generating network activity once a high-severity alert is detected and has not been auto-resolved. e.g. ReverseShell or highly suspicious LaunchDaemon
When an endpoint is detected running a vulnerable version of macOS, we aim to limit its network connectivity or even isolate the device until the risk is mitigated.
Limit the content categories accessible to a user if their endpoint is flagged as non-compliant, utilizing either the Device Compliance Smart Groups or Google BeyondCorp, until the compliance status is restored.
Limit the content categories accessible to a user if their endpoint has specific security settings disabled.

Workflow pre-requisites

  • Access to Jamf Pro and Jamf Protect
    • Permissions in Jamf Pro to create Extension Attributes
    • Permissions in Jamf Protect (macOS Security Portal) to edit Analytics
    • Permissions in Jamf Protect (Jamf Security Cloud portal) to edit the UEM Connect integration and edit Block Policies
  • Enablement of Jamf Protect’s Web Protection feature
  • Configured UEM Connect between Jamf Protect and Jamf Pro
  • Enable Jamf Protect Smart Group signalling for Analytics

Create the workflow

⚠️ Before We Begin

The following configuration guide is intended to provide the base technical framework and guidance for a method of data exchange between Jamf management, endpoint security and network security platforms.
Prior to implementing this solution outside controlled testing environments careful U/X consideration with internal stakeholder alignment is advised for effective incident response (IR) planning.

Jamf Pro: Create Extension Attribute in Jamf Pro

The integration between Jamf Protect and Jamf Pro uses an Extension Attribute in Jamf Pro to add an endpoint into a Smart Computer Group

  1. Login to Jamf Pro instance that’s going to be used for this workflow
  2. Navigate to Settings from the navigation menu
    1. Navigate to Computer Management
    2. Select and open Extension Attributes
  3. On the right top corner select + New from Template
  4. Search for Jamf Protect - Smart Groups and save it.

JamfProExtensionAttribute.png


Jamf Pro: Create Smart Group in Jamf Pro

Smart Computer Groups are used to dynamically add endpoints into related Smart Computer Group based on the value set in the Extension Attribute

  1. Login to Jamf Pro instance that’s going to be used for this workflow
  2. Navigate to Computers from the navigation menu
    1. Navigate to Smart Computer Groups
  3. On the top right corner select + New
  4. Provide a display name for the Smart Group, something like Jamf Protect - High
  5. Add new criteria and show the advanced criteria and search and select Jamf Protect - Smart Groups
    1. Once selected set the operator to like and the value high
  6. Now save the Smart Group

JamfProSmartGroup.png


Jamf Security Cloud: Create group and UEM Connect Group Mapping

Between Jamf Pro and Jamf Security Cloud we map Smart Computer Groups from Jamf Pro into Device Groups in Jamf Security Cloud, meaning if a endpoint is member of a Smart Computer Group in Jamf Pro, it will be added to one mapped groups in Jamf Security Cloud

  1. Login to Jamf Security Cloud on https://radar.jamf.com
  2. Navigate to Devices from the navigation menu
    1. Select Manage
    2. Add a new group and provide it with a Group Name we can recognise it being used for restricting internet access e.g: Restricted Internet Access - Group
  3. Navigate to Integrations from the navigation menu
    1. Navigate to UEM Connect
    2. In this guide we assume that UEM Connect already has been configured with Jamf Pro, if that’s not the case please continue first to configure UEM Connect
  4. Expand the Group Membership Mapping
  5. Assign the UEM Group which is the Smart Computer Group we created in Jamf Pro earlier to the group in Jamf Security Cloud we created in step 2
  6. Drag and Drop the group mapping to the top
    1. It is important to give this device group the highest priority because if the endpoint belongs to several groups, the policy that restricts internet access from this particular group should take precedence

JamfSecurityCloudAddGroup.png

JamfSecurityCloudGroupMapping.png


Jamf Security Cloud: Generate Webhook token

In order to authorize the inbound webhook from Jamf Pro in to Jamf Security Cloud we can generate a Webhook Token that we use as authorization header when sending the webhook

  1. Login to Jamf Security Cloud on https://radar.jamf.com
  2. Navigate to Integrations from the navigation menu
    1. Navigate to UEM Connect
  3. If UEM Connect is configured with Jamf Pro we can generate a Webhook token
    1. Create the Webhook token and store it safely as we need it later on

JamfSecurityCloudWebhookToken.png


Jamf Pro: Create Webhook

The Jamf Pro Webhook feature can be used to trigger an ad-hoc UEM Sync for a endpoint in Jamf Security Cloud which will immediately sync the endpoint to the related device groups

  1. Login to Jamf Pro instance that’s going to be used for this workflow
  2. Navigate to Settings from the navigation menu
    1. Navigate to Webhooks
  3. On the top right corner select + New
    1. Populate a Display Name, e.g: AD-Hoc UEM Connect Sync
    2. As Webhook URL specify https://api.wandera.com/webhook/uem/jamf-pro/v1/device-group-changes
    3. Select Header Authentication as Authentication Type
      1. Paste it as following and replace <token> with the configured token from Jamf Security Cloud
      2. {"Authorization": "Bearer <token>"}
    4. Select JSON as Content Type
    5. We want to use SmartGroupComputerMembershipChange as Webhook Event trigger
    6. And select the Smart Group we created earlier in Jamf Pro as Target Smart Computer Group
  4. Now save the Webhook

JamfProWebhook.png


Jamf Security Cloud: Create Restrictive Internet Block Policy

We can use Internet Block Policies to restrict all DNS based network traffic and only allow required traffic to go through, like traffic to *.jamfcloud.com or *.apple.com

  1. Login to Jamf Security Cloud on https://radar.jamf.com
  2. Navigate to Policies from the navigation menu
    1. Navigate to Internet, and select Block Policy
  3. Click the dropdown for Group Level and select the Restricted Internet Access - Group
  4. For each category, select Block as well for the uncategorised category
    1. Optionally you could still allow Zoom or Slack or Teamviewer under the related categories to remain connectivity for those purposes
    2. Optionally you could add custom domains to be blocked or allowed
  5. Save and apply the block policy

JamfSecurityCloudBlockPolicy.png


Jamf Protect: Enable Smart Group in Jamf Protect Analytics

In Jamf Protect we can define per Analytic if we want to signal Jamf Pro in order to initiate additional workflows

  1. Login to Jamf Protect macOS Security Portal
  2. Navigate to Analytics from the navigation menu
    1. Select All Analytics
  3. Repeat these steps for either one or multiple Analytics you would like to cover in this workflow
    1. In this example search for the Analytic ReverseShellZSH
    2. Select the Analytic and select Edit
    3. Select and enable Add to Jamf Pro Smartgroup
    4. populate the value high or a custom value you used during this workflow
    5. Save the Analytic

JamfProtectAnalytic.png

Next step - Remediation

Upon configuring the above workflow, any suspicious behavior detected by Jamf Protect that results in an Alert will activate the workflow, restricting the network traffic of the affected endpoint.

At this juncture, it falls to the IT or security administrator to examine the endpoint. They can also employ the incident response workflow to gather forensic files. Based on the workflow configuration with Jamf Pro, notifications can be sent to end-users, informing them of the potential risks to their endpoint and the subsequent network connectivity limitations.

The remediation can be approached in multiple ways. Whether it's automated or manually executed via Self Service, but as part of the remediation workflow you can reset the Extension Attribute in Jamf Pro. Once done, the endpoint will be disassociated from the related groups and can resume unrestricted network traffic.

sudo /bin/rm /Library/Application\ Support/JamfProtect/groups/high
sudo jamf recon

Executing the commands above will clear the Extension Attribute and inform Jamf Pro of this modification.

Coming soon

Now as you can imagine this is the first step into signaling back from Jamf Pro to Jamf Protect but this is opening up other workflows where we can use the exact same signals and leverage the Shared Signal Framework (SSF) to inform 3rd party vendors like Okta using Identity Threat Protection capabilities or any other vendor that does support SSF and automatically protect a users identity while risk is being mitigated.



Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.