Implement ZTNA Risk Signaling
  • 25 Jul 2023


🛡️Jamf Security Integration

Protect | Pro | Connect

This article outlines how to automatically protect organizational data from out-of-compliance or risky macOS devices using the Jamf platform. 

Specifically, you will see how an on-device threat detected by Jamf Protect can signal an elevated device risk to Jamf Security Cloud, immediately limiting that device's access to the organization's critical SaaS, private cloud, or on-premises infrastructure and data.

This integration will dynamically sever and restore access to critical network resources in near real time, driven by a macOS threat detection. Leveraging Jamf Protect macOS security, Jamf Pro management foundations, and the Risk-based Access Control principles of Jamf Connect ZTNA in Jamf Security Cloud, the integration provides the resources and configuration playbook for device-based risk signaling and response.

This integration pattern may be tailored to any organization's specific requirements, including support for other threat detection and response workflows and even to non-Jamf products.

Solution Overview

An event-driven cloud-compute function serves as the communication framework between applicable Jamf cloud systems - Jamf Protect, Jamf Pro and Jamf Security Cloud (JSC). We will leverage an AWS Lambda function to handle webhook processing for this example.

  • On-device behavioral threats are detected by Jamf Protect analytics and signaled by Jamf Pro via Webhook for processing.

  • The macOS device risk level within JSC is elevated to high.

  • SaaS or enterprise app Access Policy within JSC determines if connectivity to resources is allowed or blocked while the elevated risk is present.

  • Once the threat has been investigated and neutralized, a secure device risk state is signaled to JSC.

  • Once ZTNA is re-established via Jamf Trust, authorized connectivity is restored to organizational resources.

User Experience Demo

The video below shows how this configuration can enable:

  1. Requiring managed macOS devices to route traffic to a SaaS application (Dropbox) via the Jamf Security Cloud.
  2. Just-in-time, passwordless activation of Jamf Trust and secure ZTNA networking with Okta FastPass.
  3. Detecting and reporting a malicious download using Jamf Protect.
  4. Signaling the elevated device risk to Jamf Security Cloud, blocking access to Dropbox on the device.
  5. Remediating the threat using a Jamf Self Service-based workflow.
  6. Automatically restoring access to Dropbox once the threat has been remediated.

macOS Threat Management with Jamf

Threat signaling and response can be broadly defined amongst vendors responsible for securing their customers' users, devices, and sensitive data. Jamf takes a holistic approach by enabling customers to expand beyond traditional identity-based realms to assess risk by layering insights gleaned across the entire endpoint to inform whether the device meets thresholds for access to critical resources.

This is the essence of Jamf Trusted Access - a solution built upon a foundation of device management principles and capabilities, integrated with modern identity & access technologies and rounded out with sophisticated endpoint security and threat detection.

As a Jamf Protect administrator, you might be aware of the behavioral analytic detections that indicate potentially malicious activity on your system. Detections such as hidden executable files, or the output of curl commands being piped directly to an interpreter are often indicative of potential malicious activities, but they are not definitive proof of a threat. Instead, they serve as valuable signals that warrant further analysis by security professionals. 

Balancing security and usability is a crucial aspect of any successful endpoint security strategy. By first investigating these events, your team can determine if they are indeed malicious or simply benign activities that are part of your organization's normal operations. Overly aggressive threat responses could lead to a negative user experience or disrupt your organization's workflow. A transparent and open approach to security can help foster trust between users and security teams. By emphasizing both security and usability, you can create an environment in which your organization can thrive, protected from threats without sacrificing productivity.

Follow along as we put pieces in place for device-based Risk Signaling between Jamf Protect, Jamf Pro and Jamf Security Cloud.

⚠️ Before We Begin

The following configuration guide is intended to provide the base technical framework and guidance for a method of data exchange between Jamf management, endpoint security and network security platforms.
Prior to implementing this solution outside controlled testing environments, careful user experience consideration and alignment with internal stakeholders is advised for effective incident response (IR) planning.

Known Issues

⛔️ Device risk level must be returned from high to secure via this automation (or similarly scripted manually via a command line shell). Currently, there is no GUI method available within Jamf Security Cloud for managing macOS device risk elevated via the API, such as in this workflow.

Pre-requisites for Success

  • Familiarity with and prior completion of the majority of Phase 2 items within the Implementation Roadmap for Trusted Access, focusing on macOS for this solution.
  • All systems configured to minimum viable functionality to support the solution.
  • The ability to fully administer all system components is required.
  • At minimum, intermediate experience with macOS management and the systems and components involved is recommended.

Core Solution Components: Roles & Requirements

Cloud Compute Platform
  • AWS Lambda function with API Gateway trigger (other platforms forthcoming)
  • python requests module

Managed macOS Device
  • Jamf Pro - Managed
  • Jamf Protect - Plan profile and agent deployed via Jamf Pro
  • Jamf - ZTNA Activation profile deployed via Jamf Pro

Cloud Identity Provider
  • Okta, Azure
  • Jamf Trust ZTNA activation
  • User Identity

Jamf Pro
  • Device Management
  • Workflow configuration & signaling
  • Response & Remediation

Jamf Security Cloud
  • Network threat detection
  • ZTNA access policy
  • Threat risk access policy

Jamf Protect
  • Endpoint behavioral threat detection
  • Threat signal to Jamf Pro
  • Security event reporting

Other Resources

  • Jamf Protect Github
  • Jamf Threat Labs

🛠️  Build the Components

For this example we will leverage an AWS Lambda function, a Python layer, and a script to process the webhook risk signals. Jamf Security Cloud configuration will use a predefined SaaS app (Dropbox). We'll be utilizing portions of the Jamf Protect Evaluation Guide and Jamf Protect Documentation to set up the behavioral analytics that will trigger the risk elevation for your test Mac devices. This will simulate a real-world detection that's built into the product while lessening the possibility of harm from more advanced threats.

1️⃣ AWS Lambda Function

AWS Lambda is an event-driven, serverless compute platform provided by Amazon Web Services. It is a cloud service that runs code in response to events; the computing resources required by that code are automatically managed by AWS.

Completing this step will result in a Lambda function running a Python layer responsible for processing the webhook signals sent from Jamf Pro. This component is required to enable a secure pathway for threat signaling messaging between Jamf cloud systems.

  1. Log in to the AWS Management Console
    • Select the Region where you'd like to host the Lambda function (AWS console, top right)
    • N. Virginia is selected for this example
  2. Navigate to and select: Services > Compute > Lambda (or search for Lambda)
  3. Click Create Layer
    • Assign a name and description for the layer
    • Select Upload a file
    • Compatible runtime
      • Choose the runtime corresponding to the Python version of the requests package (i.e. Python 3.9)
    • Save Layer
  4. Navigate to Functions within AWS Lambda (from the left navigation menu)
    • Click Create Function
      • Select Author from scratch
      • Assign a Function Name
      • Select Runtime: Python 3.9
      • Select Architecture: x86_64
      • Click Create function (will take a few moments to spin up)
    • Add a Layer to the Function
      • Within the Function overview, click Layers
      • Click Add a layer
      • Select Custom Layers, choose request_layer created in the previous steps
      • Select Version 1
      • Click Add
    • Add contents to the Lambda Function
      • Within the Code source of the Lambda Function:
        • Select all default code content and delete it
      • Copy the raw code from Jamf Protect Github
      • Paste the raw code into the Code source
      • Click Deploy

Now that we've created the Lambda Function, let's make it accessible from the internet by creating an API Gateway. AWS calls this a Trigger. A trigger is a service or resource that invokes your function when contacted. The trigger enables the Lambda function to communicate device risk signals between Jamf cloud systems.

  5. Enable Internet connectivity for the Lambda Function
    • Click + Add trigger under API Gateway in the Function overview
      • Select Source from the dropdown: API Gateway
      • Choose Create a new API
      • Choose REST API for type
      • Select Open from the Security dropdown
        • Note: An API key could be configured if desired
      • Click Add - you will be presented with the API endpoint on the Function overview
      • Save the API endpoint URL. This will be the Webhook URL used in Jamf Pro in upcoming steps
AWS Lambda Function Setup Complete

2️⃣ Jamf Security Cloud Config

The Jamf Security Cloud portal (JSC) is a web application that is used to configure and manage Jamf network connectivity policy, applications, settings, and integrations for Jamf security services such as ZTNA and secureDNS which are a part of this solution. JSC also includes dashboards and reports about the connected devices in your environment.

Risk API

Completing this step will result in enabling the JSC Risk API, which can be used to programmatically audit or change a device's security risk level. Ultimately, the device risk level will be used to gate access to network resources configured for access control.

Full documentation for the JSC Risk API can be accessed within the portal or by clicking here (requires authentication).

  1. Log in to the Jamf Security Cloud portal
    • From the Left Navigation, select:
      • Integrations > Risk API
  2. Enable the JSC Risk API by toggling the setting slider
    • Click Generate API Key
    • In the New API Key window that appears, enter a Name for the Risk API key
    • Click Generate API Key
    • Once the API Key has been created, save the details in a safe place for reference. These values will be used for the webhook in later steps
      • Important: Ensure the Application Secret value has been saved; this is the only time it will be visible

Access Policy

Device Risk-based Access Control

JSC Access Policy is where we'll define the security posture level a device needs to satisfy before the user is allowed access to SaaS and Enterprise application resources critical to your organization. See the JSC Access Policy documentation for adding predefined or custom SaaS applications, and/or an on-premises or private cloud application hosted by your organization.

  1. Log in to the Jamf Security Cloud portal
    • From the Left Navigation, select:
      • Policies > Access > Access Policies
  2. In this example we'll be configuring the Dropbox application, which is a predefined app in JSC.
    • Edit the Dropbox application (if not added previously, add the Dropbox app and define other settings per the Access Policy documentation)
    • Click the Security tab
      • Enable the slider for Device Risk-based Access Control
        • Deny access to devices with at least the following risk level: Medium
        • Toggle the slider for Device push notifications
      • Enable the slider for Restrict access when Jamf Trust is disabled
        • Toggle the slider for Device push notifications
      • Click Save

Once these settings are enforced as part of the Access Policy, if the Device Risk Posture does not satisfy the “Device Risk-based access control” risk level, the user will be prevented from accessing the resource and a push notification is sent to the Device to inform the user of the reason. Additionally, Jamf Pro Policies can be leveraged as part of a Response workflow to further notify a user of the policy action resulting from the Mac threat detected by Jamf Protect.

JSC Access Policy Setup Complete

3️⃣ Jamf Protect Analytics

A Jamf Protect analytic is a rule that detects suspicious user behavior and malicious system activity on macOS computers. Jamf Protect includes over 150 Jamf-managed analytics for you to deploy in your environment, with more added regularly as the Jamf Threat Lab team hunts down the latest Mac threats. Additionally, you can create custom analytics to detect activity specific to your security needs.

For building and testing this solution, Jamf recommends using a safe real-world analytic detection built into Jamf Protect. Once configured to signal to Jamf Pro in the next step, the FlashDownloadNotSignedByAdobe analytic will kick off the risk elevation for your test Mac devices. This threat maps to Defense Evasion (tactic) and Masquerading (technique), which are common in MITRE ATT&CK.

Check out the Jamf Protect documentation for detailed Analytic configuration.

4️⃣ Jamf Pro & Protect: Response Configuration

It's likely that Jamf Pro wears many hats for device management and security within your organization. Settings configuration and app deployment are two tentpoles that have already been leveraged up to this point, when Jamf Trust, Jamf Protect and their configuration profiles were deployed to your Mac. Next, we'll set up Jamf Pro with Smart Group logic and a Webhook to process the Jamf Protect threat detection and serve as the cross-system communication to Jamf Security Cloud that's needed to achieve device-risk-based ZTNA.

Analytic-based Response

Between Jamf Protect and Jamf Pro, you can configure an analytic action to change the membership of a smart computer group in response to an analytic detection. Once configured, Jamf Protect will populate an extension attribute when a threat is detected, which a smart group in Jamf Pro will read and then change the membership of the smart group.

Jamf Protect documentation contains detailed instructions for Setting Up Analytic Remediation With Jamf Pro. Following these configuration steps will involve:

  • Configuring analytic action Settings in Jamf Protect

  • Creating a Jamf Protect extension attribute in Jamf Pro

  • Creating a smart computer group using the extension attribute in Jamf Pro

  • Creating an end user alert dialog script and policy

  • Resetting the analytic detection on computers

Jamf Pro Webhook Risk Signaling

The Webhooks setting in Jamf Pro allows you to create outbound webhooks for any event in the Jamf Pro Events API. We'll be using the SmartGroupComputerMembershipChange event, which is triggered when a managed computer joins or leaves the membership of a smart computer group in Jamf Pro. When a smart computer group membership change event occurs, an HTTP POST payload is sent to a specified URL. For this workflow, the URL will be the API Gateway URL of the AWS Lambda function.

  1. Log in to your Jamf Pro Server and navigate to:
    • Settings > Global > Webhooks
    • Click New
    • Input the following details
      • Display Name for the Webhook
      • The Webhook URL (Lambda Function API URL)
      • Authentication Type: Header Authentication
        • The Webhook Authentication Header will communicate device UIDs, risk levels, and API credentials between Jamf Pro and Jamf Security Cloud
        • Header contents are described below
      • Content Type: JSON
      • Webhook Event:
        • SmartGroupComputerMembershipChange
      • Target Smart Computer Group:
  2. Use this template for your Webhook Header Authentication, inputting your org-specific values where required
Webhook Header Template

{
  "jamf_pro_url": "",
  "jamf_pro_username": "apiuser",
  "jamf_pro_password": "apipassword",
  "private_access_application_id": "risk_api_app_id",
  "private_access_application_secret": "risk_api_secret",
  "set_risk_level": "MEDIUM",
  "clear_risk_level": "SECURE"
}

Description of Header values

  • jamf_pro_url: The URL of the Jamf Pro instance
  • jamf_pro_username: Jamf Pro API user account with computer read permissions only
  • jamf_pro_password: Jamf Pro API user password
  • private_access_application_id: The Application ID of the Risk API key generated in the Jamf Security Cloud portal
  • private_access_application_secret: The Application Secret of the Risk API key generated in the Jamf Security Cloud portal
  • set_risk_level: Can be one of the following: HIGH, MEDIUM or LOW. This value will be sent to the JSC Risk API when the Mac device becomes a member of the selected smart group
  • clear_risk_level: Can be one of the following: SECURE, MEDIUM or LOW. This value will be sent to the JSC Risk API when the Mac device falls out of the selected smart group

You can configure multiple Jamf Pro Webhooks that can respond to numerous logic-based conditions within Jamf Pro.

For instance, if a device violates your Compliance Baseline policy, it can be moved into a smart group that can signal if the device should be treated as High, Medium, or Low risk when it comes to accessing organizational data. 
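As an added example for steps 1 and 4 (not the Lambda code from the Jamf Protect Github), this Python handler validates the header template above and maps each computer that joined the smart group to set_risk_level and each that left it to clear_risk_level. It assumes the template arrives in an Authorization header, that the Jamf Pro payload lists ids as groupAddedDevicesIds/groupRemovedDevicesIds, and that the Jamf Pro computer lookup and JSC Risk API call (endpoints not on this page) are supplied as the signal callable.

```python
import json
# Header keys taken from the article's Webhook Header Template
REQUIRED_KEYS = {"jamf_pro_url", "jamf_pro_username", "jamf_pro_password",
                 "private_access_application_id", "private_access_application_secret",
                 "set_risk_level", "clear_risk_level"}
SET_LEVELS = {"HIGH", "MEDIUM", "LOW"}       # allowed set_risk_level values
CLEAR_LEVELS = {"SECURE", "MEDIUM", "LOW"}   # allowed clear_risk_level values
EVENT_NAME = "SmartGroupComputerMembershipChange"

def parse_header_config(headers, header_name="authorization"):
    """Validate the JSON template from Jamf Pro's auth header (name assumed, matched
    case-insensitively). With the gateway set to Open, this is what rejects stray requests."""
    raw = next((v for k, v in headers.items() if k.lower() == header_name), None)
    if raw is None:
        raise ValueError(f"missing {header_name} header")
    cfg = json.loads(raw)
    missing = REQUIRED_KEYS - cfg.keys()
    if missing:
        raise ValueError(f"header template missing keys: {sorted(missing)}")
    if cfg["set_risk_level"] not in SET_LEVELS or cfg["clear_risk_level"] not in CLEAR_LEVELS:
        raise ValueError("invalid set_risk_level or clear_risk_level")
    return cfg

def plan_risk_updates(payload, cfg):
    """Computer id -> level to signal: joined the smart group -> set_risk_level,
    left it -> clear_risk_level. The id field names are assumed."""
    if payload.get("webhook", {}).get("webhookEvent") != EVENT_NAME:
        raise ValueError("unexpected webhook event")
    event = payload.get("event", {})
    updates = {i: cfg["set_risk_level"] for i in event.get("groupAddedDevicesIds", [])}
    updates.update({i: cfg["clear_risk_level"] for i in event.get("groupRemovedDevicesIds", [])})
    return updates

def log_signal(cfg, jss_id, level):
    """Dry-run stand-in for the Jamf Pro computer lookup + JSC Risk API call."""
    print(f"{cfg['jamf_pro_url']}: computer {jss_id} -> risk {level}")

def lambda_handler(event, context, signal=log_signal):
    """API Gateway entry point; malformed input gets a 400 instead of a crash."""
    try:
        cfg = parse_header_config(event.get("headers") or {})
        updates = plan_risk_updates(json.loads(event.get("body") or "{}"), cfg)
    except (ValueError, AttributeError) as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    for jss_id, level in updates.items():
        signal(cfg, jss_id, level)
    return {"statusCode": 200, "body": json.dumps({"signaled": len(updates)})}

# Constructed sample API Gateway event; all values are placeholders
SAMPLE_EVENT = {
    "headers": {"Authorization": json.dumps({
        "jamf_pro_url": "https://example.jamfcloud.com", "jamf_pro_username": "apiuser",
        "jamf_pro_password": "apipassword", "private_access_application_id": "risk_api_app_id",
        "private_access_application_secret": "risk_api_secret", "set_risk_level": "MEDIUM",
        "clear_risk_level": "SECURE"})},
    "body": json.dumps({"webhook": {"webhookEvent": EVENT_NAME},
                        "event": {"groupAddedDevicesIds": [12], "groupRemovedDevicesIds": [7]}}),
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None))
```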

Jamf Pro Webhook Setup Complete

5️⃣ Testing and Implementing the Workflow

Thoroughly testing this workflow prior to deploying in production environments is strongly recommended. There is high potential for mis-configuring a threat response without careful attention. Any corrective remediation action as a result of a Mac behavioral detection should be treated on a case-by-case basis as a result of careful consideration and planning. Only threats that are understood to cause direct harm or loss to user or organizational data should utilize this solution, otherwise you may unnecessarily impact end-user productivity.

As referenced previously, it's best to start with targeted precision for any behavior analytic hits you choose to take action against via this response workflow. A well-planned communication initiative with organizational stakeholders and leadership is recommended so that employees, staff or students understand what's happening and why.

Risk Level Reset

Please refer to the Jamf Protect documentation referenced above for the best understanding of how the Jamf Protect <> Jamf Pro threat classification is enabled and disabled via extension attributes and smart groups. Pay close attention to Resetting Analytic Detections on Computers.

