Getting Started with Jamf Protect for Mobile

This Getting Started guide serves as a playbook for the Network Threat Defense and Content Filtering services provided by Jamf Protect. Jamf Protect is offered both as an enterprise-grade macOS Endpoint Protection Platform as well as a mobile-first service protecting macOS, iOS, iPadOS as well as Android and Windows against mobile OS and network-based threats. Jamf Protect is a critical component in Jamf’s Trusted Access approach to measure the security and risk posture of devices on an ongoing basis. 

Jamf Protect’s Content Filtering service helps organizations manage mobile data usage across their entire device fleet. It also provides workflows for organizations to enforce acceptable web usage policies across iOS, iPadOS, macOS, Android and Windows on any network, not just within the company’s perimeter. 

The resources included here serve as guidelines to get started investigating, developing and deploying policy controls for each of these two Jamf security services. 

Prerequisites

Before we get started make sure you have access to:

• A working administrator login for the Jamf Security Cloud RADAR portal that has been licensed with Jamf Protect.

• (Optional but recommended) An MDM / EMM / UEM solution, such as Jamf Pro. As you will see throughout this guide, deploying these services to unmanaged mobile devices (iOS, iPadOS and Android) is possible. For efficient deployment at-scale and to enforce this on company-owned mobile and desktop OS platforms however, an MDM tool is required. Jamf Pro will be the MDM referenced in certain parts of this guide.
• (Also optional but recommended) Access to Apple Business or School Manager with the ability to acquire Apps and Books volume licenses. This will come up again during Step 2. 

Step 1. Planning and Security Standards

Throughout this guide, we will adhere to three separate security standards. It is recommended to review these security standard approaches before implementing your security policies. This will help to gain an understanding for what is most suitable for your organization. Note that adjustments and modifications of policies can be done at any time and enrolled devices receive those changes over-the-air. 

Level 1 - Bronze

To implement and become familiar with the most basic security features within Jamf Protect, Bronze can suit your environment until deciding to implement the silver or gold standards. See below for a basic summary of bronze level implementation:

• Active blocking of the top mobile security threats: phishing, malware network traffic, and cryptojacking.
• Active blocking of PII and unencrypted data leaks such as credit card and password leaks. This can be implemented using Jamf's smart policy button in the Policies > Threat Response page of the Jamf Security Cloud RADAR Portal.
• Blocking of Adult, Extreme, Illegal, and Gambling categories under Policies > Internet >  Block Policy. These websites generally host the most risky threat content on the web.

Level 2: Silver

From bronze level, we can investigate and begin implementing some or all of the intermediate security features within Jamf Protect. Silver will suit your environment until you are comfortable to implement the gold standards. This standard is suited for all organizations looking to optimize their security if they do not have the additional integrations available for MDM / EMM, SIEM, SSO, or 2FA integrations. For a basic summary of silver feature implementation, please see below:

• Implementation of all of the above Bronze level requirements.
• Blocking of all unapproved third-party cloud storage services to ensure shadow-IT coverage use-cases (protecting corporate files from being shared via unapproved mediums). This can be accomplished via Policies > Internet > Block Policy > Cloud and File Storage category.
• Blocking of Third-Party Proxies via the Technology category within Block Policy to ensure users do not circumvent the Wandera solution.
• Enabling "Block" Policy actions under Policies > Security > Threat Response for the following threats:
  • Risky iOS profile
  • Third party app store installed and / or Third Party app store traffic
  • Adversary-In-The-Middle +
    • (Compromised Trust Store)
    • (SSL Strip)
    • (Targeted Certificate Spoof)
• Enabling “Alerts” for admins under Policies > Security > Threat Response for the following threats:
  • Dangerous certificate
  • Jailbreak
  • Out-of-date OS
  • Vulnerable OS (major)
  • Adversary-In-The-Middle +
    • (Compromised Trust Store)
    • (SSL Strip)
    • (Targeted Certificate Spoof)

Level 3: Gold

For organizations looking to optimize their mobile security environment and begin implementing the advanced security features with Jamf Protect. Gold will best cover your environment from some of the most advanced security threats. This standard is suited for all organizations looking to implement holistic mobile security features available for integrations with MDM / EMM, SIEM, SSO, and/or 2FA. For a basic summary of gold feature implementation, please see below:

• Implementation of all of the above Bronze and Silver level requirements.
• Enabling 2FA integration for all Jamf Security Cloud RADAR admins (please see this Jamf Security Documentation for Enabling Two-Factor Authentication).
• Enabling SSO integration for allJamf Security Cloud RADAR admins (please see this Jamf Security Documentation for Configuring Admin Single Sign-On).
• Integration with existing organization’s SIEM for security event pulling if available (please see this Jamf Security Documentation for Enabling Data Streams).
• Additional enabling of admin security alerts in Policies > Security > Threat Response for all malware threats.
• UEM (aka MDM, EMM) Tagging / labeling setup for the threats listed below (please see this Jamf Security Documentation for Configuring Signal UEM):
  • All malware categories
  • Dangerous certificate
  • Jailbreak
  • Out-of-date OS
  • Vulnerable OS (major)
  • Adversary-In-The-Middle +
    • (Compromised Trust Store)
    • (SSL Strip)
    • (Targeted Certificate Spoof)

Defining some of the Top Mobile Security Threats:

Phishing

A site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form. This makes up the majority of all corporate cyber attacks and can lead to credential harvesting. Phishing is also a conduit for many of the more severe attacks such as malware.

Phishing can be blocked automatically via the Jamf Security Cloud RADAR portal via Policies > Security > Threat Response > set "Phishing" to Block.

Malware Network Traffic

Network access from an app to a web service that is known to demonstrate malicious behavior. Can include downloading unauthorized software to a device, disrupting normal operation or gathering sensitive information. This is seen across all mobile devices and is correlated with exposure to phishing, where in addition to being phished, a user may then be subject to malware.

Malware Network Traffic can be blocked automatically via the Jamf Security Cloud RADAR portal via Policies > Security > Threat Response > set "Malware Network Traffic" to Block.

Cryptojacking

An attack in which a hacker hijacks a target’s processing power in order to mine cryptocurrency via the use of scripts that run on webpages or mobile apps. This is on the rise since cryptomining has become extremely popular in today’s world. Many public websites and services are known to host cryptomining scripts, which when run on a mobile device degrade the performance and battery life of the device significantly.

Cryptomining can be blocked automatically via the Jamf Security Cloud RADAR portal via Policies > Security > Threat Response > set "Cryptojacking" to Block.

Highlighting Jamf Protect's Machine Learning - MI:RIAM:

As discussed above, Jamf Protect can actively block the most severe security threats, preventing the users from interacting with them in the first place. There are two ways in which Jamf automatically blocks mobile attacks. The first and most basic approach is via a pre-populated list of known malicious domains or IPs. Jamf blocks these requests which prevents the user from being able to access the host website, ensuring they are never exposed to the threat.

However, as it takes approximately four hours for a mobile attack to change form via changing the IP or domain name they are being hosted from, Jamf recognizes the list approach is not enough. Mobile attacks (such as phishing or malware) are prevalent and can be generated quickly, which requires Jamf’s security engine to respond in-turn and implement zero-day threat detection on threats never before seen in the wild.

Jamf's MI:RIAM security AI intelligence engine incorporate aspects of machine learning to accomplish active blocking of zero-day threats. MI:RIAM considers multiple factors of the device and it's network state such as:

• User behavior via the services accessed on the device.
• The OS of the device and if it is more vulnerable to attacks due to the current version or model.
• Device configurations and the ability to detect vulnerabilities present in the settings established on the device.
• Apps found on the device via app inventory scanning as well as app network activity.
• Network infrastructure scanning via joining of Wi-Fi networks and performing SSL certificate checks for the presence of risky networks and Adversary-in-theMiddle.
• App store to ensure public apps are vetted. This is critical as Apple may not check security during the App Review process (Reasons Why Apps are Rejected: Apple) and the Google Play Store is largely open for any individual to upload an app.

MI:RIAM also utilizes several machine learning algorithms and methods. These methods are critical and highly recommended for making educated decisions on the above data inputs. A few examples are explained below: 

• Neural Networks – A very broad class of ML algorithms loosely based on imitating a biological brain. This is responsible for several recent breakthroughs especially in image processing and language translation.
• Clustering – A method of attempting to divide a set of samples into different groups such that samples in the same group are more similar to each other than samples in the other groups.
• Support vector machine – A binary classification algorithm that works by finding the dividing line between two types of input samples.
• Anomaly detection – A broad class of problems in machine learning and statistics about finding samples that are different from the norm. This can include unusual periods in time, users, apps etc.
• Predictive Analysis – The field of making predictions about the future based on current data by whatever method – be it holistic or partial statistics analysis.
• Markov models – A predictive model in which a system can be in one of a certain number of states and the probability of future states depends only on the current state.

For more information on MI:RIAM and Jamf's implementation of machine learning to protect against zero-day threats, visit the MI:RIAM page. Jamf Security Cloud RADAR admins can also see MI:RIAM working in real-time by navigating to Reports > Security > MI:RIAM analytics.

Step 2. Deployment with Activation Profiles

Rolling out Jamf Protect for Mobile is done with what the Jamf Security Cloud RADAR portal calls "Activation Profiles". A "Default Activation Profile" comes with every new Jamf Security Cloud RADAR portal and is found under Devices > Activation Profiles. The Default Activation Profiles has Jamf Protect for Mobile services activated ("Endpoint and Network Security" as well as "Internet Content Filtering and Usage Controls" selected with "Secure DNS" traffic vectoring. This enables Jamf Protect to function as the DNS Resolver on enrolled devices and is compatible with the widest array of device types (macOS, iOS and iPadOS for the purposes of this guide) including Android and Windows devices. Another Proxy-based traffic vectoring option is available for deeper visibility however it introduces compatibility limitations and will not be covered in this guide. 

We will continue forward using the "Default Activation Profile" provided in the portal. The profile can easily be renamed to fit your environment and use-case by clicking the "Details" tab. On the "Deployment" tab, there are two options for rolling out these services.

Open Enrollment for Unmanaged Devices

Open Enrollment allows for end user-assisted activation of Jamf Protect for mobile on mobile operating systems. Admins can invite users to activate the services using the provided Shareable link and / or a QR Code. On iOS, iPadOS or Android, users will be prompted to downloaded the Jamf Trust app from the Apple App Store or Google Play Store, respectively. Once installed, the Jamf Trust app will prompt users to activate services. This is less than ideal for organizations looking to implement new security features at-scale especially with minimal end user steps. 

For this experience as well as to support macOS and Windows, Managed Deployment is required to activate these services. 

Managed Deployment

Managed Deployment enables Jamf Protect for Mobile to install over-the-air with a UEM / EMM / MDM for macOS, iOS and iPadOS as well as Android devices. For Windows devices, Jamf Trust is available as an MSI and can be installed manually or prepared for managed installation using MDM or a package manager. More information on installing the Jamf Trust app for Windows can be found here.

For the purposes of this guide, we will be going over deployment with Jamf Pro for macOS, iOS and iPadOS. 

Pre-requisites:

• Administrator access to Jamf Pro
• Administrator access to the Jamf Security Cloud RADAR portal
• Access to Apple Business or School Manager with the ability to acquire Apps and Books volume licenses

Activation Profiles provide downloadable Configuration Profiles that can be uploaded and scoped to managed Macs, iPhones and iPads. 

We'll start in the Jamf Security Cloud RADAR portal:

1. In the Jamf Security Cloud RADAR portal, navigate to Devices > Activation Profiles > Default Activation Profile.
2. In the Managed deployment section, ensure that Jamf Pro is selected. 
3. Under UEM Configuration Profiles, click to expand the option(s) that correlate to your device types then click this configuration profile to download the respective profile(s).
   For example, if your organization deploys iPhones and iPads using Automated Device Enrollment with Apple Business or School Manager OR uses Apple Configurator to Supervise devices, expand and select the "iOS and iPadOS Supervised devices" option. macOS devices that are managed by an MDM are often considered "Supervised" by default so one macOS profile is available. 
4. Click to expand "iOS and iPadOS managed app configuration" then click "Show app configuration" to expand the XML used for Managed App Configuration. This XML will be used when distributing Jamf Trust as a managed app via Jamf Pro.
   Note: macOS apps do not support Managed App Configuration in the same way iOS and iPadOS apps do. Managed configurations for the Jamf Trust app on macOS are provided using the configuration profile downloaded under Step 3.
5. Copy the provided XML code and paste it in to a text editor (Notepad, TextEdit, CodeRunner, etc) for later use.

Next, we will acquire volume licenses of the Jamf Trust app via Apple Business or School Manager:

1. Log in to Apple Business or School Manager and select Apps on the left column.
2. Search for and select "Jamf Trust".
3. Use "Assign to" to add this app and it's licenses to the location for your Jamf Pro server.
4. Choose a quantity and click "Get". You should receive a confirmation from Apple that the app and it's licenses are available for distribution.

Note:The Jamf Trust app for Apple devices is a universal app hosted in both the iOS and Mac App Store. Though these steps are optional, volume licensing will enable silent or Self Service-based installation of the Jamf Trust app with no Apple ID prompt for end users. 

Next, we'll upload our configuration profiles downloaded from the Jamf Security Cloud RADAR portal to Jamf Pro before we distribute the Jamf Trust app to devices:

1. Log in to Jamf Pro and select Devices at the top of the sidebar. 
2. Select Configuration Profiles in the sidebar.
3. Click Upload.
4. Select the previously downloadedconfiguration profile. Once uploaded, the name of the profile can be changed from "Jamf Trust" to whatever best fits your environment. 
5. Select Scope to select which devices receive these Jamf Protect network-based configurations.
6. Click Save.
7. Repeat steps 2-6 for macOS by selecting Computers at the top of the sidebar.

Finally, we will take our volume-licensed Jamf Trust app and distribute it to devices for easy installation:

1. Log in to Jamf Pro and select Devices at the top of the sidebar then select Mobile Device Apps in the sidebar.
2. Jamf Trust should already be in the list of apps. If is is not, click + New on the top right of the screen. Choose "App Store app or apps purchased in volume" then click Next. Search "Jamf Trust" then click Next. Locate Jamf Trust on the list, then click Add.
3. Under the General tab, optionally select a Category. Under Distribution Method, select either "Make Available in Self Service" or "Install Automatically/Prompt Users to Install". In addition, select any additional update and management options that fit your environment.
4. Select the App Configuration tab. Remember when we copied and pasted some XML code in to a text editor document? Locate this document, copy that XML and paste it in to the Preferences text field. (This XML code makes for much easier activation of Jamf's network services after the Jamf Trust app is installed and opened).
5. Next, select Managed Distribution and under the Device Assignments tab, check the box next to "Assign Content Purchased in Volume". This will ensure each time the Jamf Trust is installed by Jamf Pro, a license is used instead of an Apple ID and password prompt.
6. Select Scope to select which devices receive the Jamf Trust app. 
7. Once the Jamf Trust app is installed on devices, the end user can open the app and check their own security posture and find more information about threats when Jamf Protect uncovers them.

Step 3. Testing Jamf Protect for Mobile

Now that we've established network security and acceptable use policy standards as well as deployed the Jamf Trust app along with it's configuration profile, it's time to check our work! Security and Internet policy preferences can be updated at any time in the Jamf Security Cloud RADAR portal and will go out to enrolled devices over-the-air. 

Checking for Jamf's Network Settings on Apple Devices:

macOS 13 Ventura+: 

1. Open macOS System Settings > Privacy and Security > under Others click Profiles.
   A profile should be listed with the same name as what was uploaded to Jamf Pro from the Jamf Security Cloud RADAR portal. Clicking to open the profile should show a "DNS Settings" payload.
2. Navigate back to macOS System Settings > Network.
   In the DNS Settings section, verify that the profile is active as indicated by a green dot and the word Running beneath the title of the profile.
   Alternatively, navigate to https://dns-test.wandera.com to validate that the DNS Service is active.

iOS and iPadOS:

1. Open Settings > General > VPN & Device Management.
   VPN status should show "Connected". For further verification, tap the "MDM Profile". Next, under "Contains" and a "VPN Settings" payload should be listed. Tap "More Details" and under "VPN Settings" it should reflect "Jamf Trust". 
2. Back on the main Settings page, locate "VPN" and it should show "Connected"

Testing Threat Response on Devices:

1. To get started, we recommend navigating to a safe site to test threat response, such as https://malware.threatops.co.uk. This attempt should be redirected to https://block.jamf.com to ensure that the end-user and device are protected by Jamf Protect's network security services.
2. To view the security threat alert, log in to the Jamf Security Cloud RADAR portal and go to Reports > Security > Threat view and confirm that a Phishing threat has been blocked.

Testing Content Filtering on Devices: 

1. Reference the previously established Block Policy under Policies > Internet > Block Policy. For example, in addition to configuring our recommended security standards during the planning phase, you may choose to block additional websites and categories. Blocking the entire category of "Video and Photo" or expanding the category and blocking "YouTube" is a useful test. 
2. Review the Block policy and make sure to Save and apply any changes.
3. To validate Jamf Protect's content filtering services are working with the steps above, attempting to visit https://www.youtube.com should be redirected to https://block.jamf.com.
4. To view the blocked web usage event in the Jamf Security Cloud RADAR portal, navigate to Reports > Internet > Blocks and confirm in the Category column that a "Video & Photo" site has been blocked.