Ensuring device compliance stands as a crucial cornerstone for organizations, safeguarding their IT assets and maintaining controlled, secure access to essential resources. Various vendors and solutions offer unique workflows and capabilities to achieve this compliance state. Jamf offers multiple integrations whether it's Microsoft Entra Conditional Access, Okta Identity Threat Prevention, Google BeyondCorp Enterprise Context-Aware Policy or AWS Verified Access, each integration targets the essential need of allowing only trusted users from compliant devices access to organizational resources.

Establishing a Compliance Baseline

When examining device compliance, it's important to recognize that each organization will have its own unique set of needs and requirements dictating what constitutes a compliant device. Consequently, there isn't a one-size-fits-all compliance baseline that covers all controls.

However, we must consider fundamental factors present in environments adhering to best practices for establishing a secure and compliant baseline. While no single compliance baseline can cater to every organization, there exists a fundamental consensus on what constitutes best practices. For the purpose of this guide, we will utilize the following criteria as a foundational baseline for establishing device compliance status:

• Jamf Pro inventory information will form the basis of the Device’s compliance state.

• Depending on what specific criteria’s are used, the macOS or iOS endpoint will fall into one of the configured Smart Group and signal a Webhook event into Jamf Security Cloud for syncing endpoint and group state mapping.

• The macOS or IOS endpoint get’s added to a corresponding group in Jamf Security Cloud which has limited access to the specific resource

• Jamf Security Cloud’s Access Policy forms the basis of the network connectivity, by using Device Group mapping, Device that does not belong to the Group Assignment will not be routed via Jamf Cloud Gateway and use the desired Egress endpoint.

  • SaaS - when combined with IP Lockdown/Allow-Listing capabilities, device will have restricted access to SaaS tenant, as a result of Device not resolving from a trusted Egress IP.

  • On-prem - connection to on-prem network will not establish if the Device does belong the Group

• Once the specific Compliance requirement (e.g. OS Update) is remediated and inventory information is synced to Jamf Pro, the endpoint will trigger the corresponding Webhook to automatically place the device back to the compliant group to re-establish the trusted connection to the corporate resource

Use Cases

Before going in to the actual workflow, first let's review some relevant use-cases that could involve this workflow.

Workflow Pre-Requisites

• Access to Jamf Pro and Jamf Security Cloud

  • Permissions in Jamf Pro to create macOS Extension Attributes

  • Permissions in Jamf Protect (Jamf Security Cloud portal) to edit the UEM Connect integration and edit Access Policy

• Configured UEM Connect between Jamf Protect (Jamf Security Cloud) and Jamf Pro

• Enable Jamf Pro Webhook into UEM Connect Integration

• Access to SaaS Tenant to enforce IP Lockdown/Allow-listing

Creating the Workflow

⚠️ Before We Begin ⚠️

The following configuration guide is intended to provide a base technical framework and guidance to establish a foundational baseline for device compliance.

Prior to implementing this solution outside controlled testing environments, please be mindful of your organization’s information security requirements.  We recommend collaborating with internal stakeholders to properly define compliance criteria definitions across your Jamf managed devices. 

Jamf Pro: Create macOS Extension Attribute in Jamf Pro 

The following settings are only required if you are configuring the workflow for macOS

As part of the Device Compliance Baseline, we will be creating extension attributes to capture the state of AV/EDR (i.e. as part of this guide we will leverage Jamf Protect) for macOS devices.

• Note - Extension Attributes can be extended for other AV/EDR solution as well.

1. Login to Jamf Pro instance that’s going to be used for this workflow

2. Navigate to Settings from the navigation menu

   • Navigate to Computer Management

   • Select and open Extension Attributes

3. On the right top corner select + New

4. Enter the following details:

   • Name: Jamf Protect Installed

   • Data Type: String

   • Inventory Display: Extension Attribute

   • Input Type: Script

#!/bin/bash

# Jamf Pro Extension Attribute which checks and validates the following:
#
# Jamf Protect is installed and located under /Applications 

ProtectStatus="/Applications/JamfProtect.app"

if [ -e "$ProtectStatus" ]; then
    echo "<result>Installed</result>"
else
    echo "<result>Not Installed</result>"
fi

exit 0

5. Then press save

Repeat Steps (1-5), amending Step 4 with the following parameters

• Name: Jamf Protect Status

• Data Type: String

• Inventory Display: Extension Attribute

• Input Type: Script

#!/bin/bash

# Jamf Pro Extension Attribute which checks and validates the following:
#
# Ensure Jamf Protect is active and running by checking for Jamf Protect process

JPProcess=$( pgrep JamfProtect )
​
if [[ -n "$JPProcess" ]]; then
    echo "<result>Active</result>"
else
    echo "<result>Not Active</result>"
fi

exit 0

5. Then press save

Repeat Steps (1-5), amending Step 4 with the following parameters

• Name: Jamf Protect Last Check-in

• Data Type: Date (YYYY-MM-DD hh-mm-ss)

• Inventory Display: Extension Attribute

• Input Type: Script

  • The extension attribute is also natively available as part of “+ New from Template” option, as “Jamf Protect - Last Check-in”

#!/bin/sh

#Jamf Protect Location
jamfProtectBinaryLocation="/usr/local/bin/protectctl"

if [ -f "$jamfProtectBinaryLocation" ]; then
    plist=$($jamfProtectBinaryLocation info --plist)
    xpath="/plist/dict/date[preceding-sibling::key='LastCheckin'][1]/text()"
    rawLastCheckin=$(/bin/echo $plist | /usr/bin/xpath -e "${xpath}" 2>/dev/null)
    jamfProtectLastCheckin=$(/bin/date -j -f "%Y-%m-%dT%H:%M:%SZ" "$rawLastCheckin" "+%Y-%m-%d %H:%M:%S")
else
	jamfProtectLastCheckin="Protect binary not found"
fi

echo "<result>$jamfProtectLastCheckin</result>"

5. Then press save

Jamf Pro: Create Smart Group in Jamf Pro (macOS)

Smart Computer Groups are used to dynamically add endpoints into related Groups based on the criteria value that is set

1. Login to Jamf Pro instance that’s going to be used for this workflow

2. Navigate to Computers from the navigation menu

   1. Navigate to Smart Computer Groups

3. On the top right corner select + New

Smart Computer Group “Compliant - High”

4. Provide a display name for the Smart Computer Group, something like Compliant - High

5. Add new criteria and show the advanced criteria and search and select the following:

   • All Criteria’s are satisfied

Smart Computer Group “Compliant - Medium”

4. Provide a display name for the Smart Computer Group, something like Compliant - Medium

5. Add new criteria and show the advanced criteria and search and select the following

   • Criteria’s are satisfied except for

     • Operating System Version is less than the specified OS version

     • or

     • Last Inventory Update is more than 3 days

Smart Computer Group “Compliant - Low”

4. Provide a display name for the Smart Computer Group, something like Compliant - Low

5. Add new criteria and show the advanced criteria and search and select the following

   • Criteria’s are satisfied except for

     • Filevault is not enabled for Boot partitions

     • and one of the following

       • Operating System Version is less than the specified OS version

       • Last Inventory Update is more than 3 days

Smart Computer Group “Non-Compliant”

4. Provide a display name for the Smart Computer Group, something like Non-Compliant

5. Add new criteria and show the advanced criteria and search and select the following

   • Device that does not belong to any of the above Device Compliance Smart Computer Group

⚠️ Optional ⚠️

Smart Device Group Criteria’s can also be incorporated to define Device compliance state for iOS/iPadOS. Refer to the following steps if the organization needs to secure access control to iOS/iPadOS.

Jamf Pro: Create Smart Group in Jamf Pro (iOS/iPadOS)

Smart Device Groups are used to dynamically add endpoints into related Groups based on the criteria value that is set

1. Login to Jamf Pro instance that’s going to be used for this workflow

2. Navigate to Devices from the navigation menu

   1. Navigate to Smart Device Groups

3. On the top right corner select + New

Smart Device Group “Compliant - High”

4. Provide a display name for the Smart Device Group, something like Compliant - High

5. Add new criteria and show the advanced criteria and search and select the following:

   • All Criteria’s are satisfied

Smart Device Group “Compliant - Medium”

4. Provide a display name for the Smart Device Group, something like Compliant - Medium

5. Add new criteria and show the advanced criteria and search and select the following

   • Criteria’s are satisfied except for

     • Last Inventory Update is more than 3 days

     • or

     • Last Backup is more than 3 days

Smart Device Group “Compliant - Low”

4. Provide a display name for the Smart Device Group, something like Compliant - Low

5. Add new criteria and show the advanced criteria and search and select the following

   • Criteria’s are satisfied except for

     • Operating System Version is less than the specified OS version

     • and one of the following

       • Last Inventory Update is more than 3 days

       • or

       • Last Backup is more than 3 days

Smart Device Group “Non-Compliant”

4. Provide a display name for the Smart Device Group, something like Non-Compliant

5. Add new criteria and show the advanced criteria and search and select the following

   • Device that does not belong to any of the above Device Compliance Smart Group

Jamf Security Cloud: Create group and UEM Connect Group Mapping

Between Jamf Pro and Jamf Security Cloud we can map the Smart Computer/Device Groups from Jamf Pro into Device Groups in Jamf Security Cloud, meaning if a endpoint is member of a Smart Computer/Device Group in Jamf Pro, it will be added to one mapped groups in Jamf Security Cloud

1. Login to Jamf Security Cloud on https://radar.jamf.com

2. Navigate to Devices from the navigation menu

   • Select Manage

   • Add the corresponding groups which was created in Jamf Pro

     • Compliant - High

     • Compliant - Medium

     • Compliant - Low

     • Non-Compliant

3. Navigate to Integrations from the navigation menu

   • Navigate to UEM Connect

   • In this guide we assume that UEM Connect already has been configured with Jamf Pro, if that’s not the case please continue first to configure UEM Connect

4. Expand the Group Membership Mapping

5. Assign the UEM Group which is the Smart Computer Group we created in Jamf Pro earlier to the group in Jamf Security Cloud we created in step 2

6. Drag and Drop the group mapping to the top

   • It is important to give this device group the highest priority because if the endpoint belongs to several groups, as the Device membership is evaluated from top to bottom.

   • Note - multiple UEM Groups can be mapped to the same Device group in Jamf Security Cloud (1 to many mapping)

7. Then press save

Jamf Security Cloud: Generate Webhook token

In order to authorize the inbound webhook from Jamf Pro in to Jamf Security Cloud we can generate a Webhook Token that we use as authorization header when sending the webhook

1. Login to Jamf Security Cloud on https://radar.jamf.com

2. Navigate to Integrations from the navigation menu

   1. Navigate to UEM Connect

3. If UEM Connect is configured with Jamf Pro we can generate a Webhook token

   1. Create the Webhook token and store it safely as we need it later on

Jamf Pro: Create Webhook 

The Jamf Pro Webhook feature can be used to trigger an ad-hoc UEM Sync for a endpoint in Jamf Security Cloud which will immediately sync the endpoint to the related device groups

1. Login to Jamf Pro instance that’s going to be used for this workflow

2. Navigate to Settings from the navigation menu

   1. Navigate to Webhooks

3. On the top right corner select + New

   1. Populate with a Display Name

   2. As Webhook URL specify https://api.wandera.com/webhook/uem/jamf-pro/v1/device-group-changes

   3. Select Header Authentication as Authentication Type

      1. Paste it as following and replace <token> with the configured token from Jamf Security Cloud

      2. {"Authorization": "Bearer <token>"}

   4. Select JSON as Content Type

   5. We want to use

      1. SmartGroupComputerMembershipChange for Mac as the Webhook Event trigger

      2. SmartGroupMobileDeviceMembershipChange for iOS as the Webhook Event trigger

   6. And select the Smart Group we created earlier in Jamf Pro as Target Smart Computer Group

4. Now save the Webhook

Webhook Trigger for Smart Computer Group Membership Change

Webhook Trigger for Smart Mobile Device Group Membership Change

5. Repeat the above steps and update the SmartGroupComputerMembershipChange and/or SmartGroupMobileDeviceMembershipChange with the corresponding Device Compliance Smart Groups created in previous steps.

Jamf Security Cloud: Access Policy

Using Users & Group assignment within Access Policy is used to define access control to specific Group of Users that are allowed access to the resource by establishing a per-app connection via the selected Jamf Cloud Egress point

1. Login to Jamf Security Cloud on https://radar.jamf.com

2. Navigate to Policies → Access Policy from the navigation menu

   • In this guide we assume that Device is already deployed with Jamf Connect ZTNA and associated Access Policy is defined and actively routing through the Shared or Dedicated Egress.

     • For more details please refer to Jamf Connect ZTNA Quick Start Guide

3. Select Edit on the Access Policy for specific SaaS or On-prem App and navigate to Users & Group to add associated Groups that satisfy organizational compliance

4. Then press Save

Jamf Security Cloud: Egress IP & IP Lockdown/Whitelisting

You can restrict access to common SaaS based App, by enforcing additional lockdown using the Jamf Trusted IP serviced through the Shared or Dedicated Egress. This will reduce the risk that attackers will be able to log in, while ensuring that only trusted users on an approved devices is able to access the data stored in the SaaS Platform.

Here is relevant documentation for different SaaS Apps and the methods to enforce the lockdown:

• Microsoft 365: Restricting Login Access - Jamf Connect Documentation 2.33.0 | Jamf

• Microsoft Exchange: Restricting Login Access - Jamf Connect Documentation 2.33.0 | Jamf

• Google: Restricting Login Access - Jamf Connect Documentation 2.33.0 | Jamf

• Amazon Web Services: Restricting Login Access - Jamf Connect Documentation 2.33.0 | Jamf

• Okta: Restricting Login Access - Jamf Connect Documentation 2.33.0 | Jamf

Next step - Remediation

Upon configuring the above workflow, if a Device does not satisfy the required Compliance criteria it will trigger the relevant webhook to limit access to the specific SaaS or On-prem App as defined in Jamf Security Cloud.

The remediation of Device Compliance can be approached in multiple ways.

• Whether it's automated through Jamf Pro by scoping an App, Configuration or pushing an OS update to the Device.

• Use Notifications to inform the end-user and have actions that can be manually executed via Self Service.

The following is a basic end-user notification script that can be used as part of a Policy that triggers when a macOS falls out of Compliance, directing the user to the corresponding section within Self Service to remediate and elevate Device Compliance state.

#!/bin/bash

# Jamf Helper Script 

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

#Header for Pop Up
heading="$4"
#Description for Pop Up
description="$5"
#Button Text
button1="Ok"
#Category ID for policy in Self Service
categoryID="x"
#Path for Icon Displayed
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"

userChoice=$("$jamfHelper" -windowType utility -heading "$heading" -description "$description" -button1 "$button1" -icon "$icon")
    
    if [[ $userChoice == 0 ]]; then
        echo "user clicked $button1"
        open "jamfselfservice://content?action=category&id=$categoryID"
fi

Layering On Additional Security Controls

Endpoint Detection (macOS)

As part of the Jamf Trust App that is deployed to deliver Jamf Connect, additional settings can be enforced using the following key (requiredEndpointsAgents) where organizational required Security Software needs to be running on the most acOS before Jamf Connect ZTNA will be enabled. Please refer to the below documentation for more details.

• Endpoint Detection - Jamf Connect Documentation 2.33.0 | Jamf

⚠️ Before We Begin ⚠️

The following section is optional if the organization requires additional restrictive network control and will require Jamf Protect licenses and the deployment of Endpoint Network Threat Prevention and Content Filtering.

Jamf Security Cloud: Create Restrictive Internet Block Policy

You can enforce additional control on non-compliant Device, leveraging the Internet Block Policies to restrict all DNS based network traffic and only allow required traffic to go through, like traffic to *.jamfcloud.com or *.apple.com, until the Device compliant state is remediated 

1. Login to Jamf Security Cloud on https://radar.jamf.com

2. Navigate to Policies from the navigation menu

   1. Navigate to Internet, and select Block Policy

3. Click the dropdown for Group Level and select the Non-Compliant

4. For each category, select Block as well for the uncategorised category

   1. Optionally you could add custom domains to be blocked or allowed

5. Save and apply the block policy

For additional Security Control and network isolation when a Device encounters a potential threat, please refer to the following guide to configure automated network isolation.

• Automated Network Isolation with Jamf Protect

Coming soon

Now as you can imagine this is the first step into signaling back from Jamf Pro to Jamf Security Cloud but this will open up other workflows where we can use the exact same signals and leverage the Shared Signal Framework (SSF) to inform 3rd party vendors like Okta using Identity Threat Protection capabilities or any other vendor that does support SSF and automatically protect a users identity while maintaining secure access control to

Related articles

Automated Network Isolation with Jamf Protect

Implement ZTNA Risk Signaling

Establishing Compliance Baselines