Implement ZTNA Risk Signaling

🛡️Jamf Security Integration

Protect | Pro | Connect

This article outlines how to automatically protect organizational data from out-of-compliance or risky macOS devices using the Jamf platform. 

Specifically, you will see how an on-device threat detected by Jamf Protect can signal an elevated device risk to Jamf Security Cloud, immediately limiting that device's access to the organization's critical SaaS, private cloud, or on-premises infrastructure and data.

This integration will dynamically sever and restore access to critical network resources stemming from a macOS threat detected in near real time. Leveraging Jamf Protect macOS Security, Jamf Pro foundations, and Jamf Connect ZTNA's Risk-based Access Control principles of Jamf Security Cloud, the integration provides the resources and configuration playbook for device-based risk signaling and response.

This integration pattern may be tailored to any organization's specific requirements, including support for other threat detection and response workflows and even to non-Jamf products.

Solution Overview

An event-driven cloud-compute function serves as the communication framework between applicable Jamf cloud systems - Jamf Protect, Jamf Pro and Jamf Security Cloud (JSC). We will leverage an AWS Lambda function to handle webhook processing for this example.

• On-device behavioral threats are detected by Jamf Protect analytics and signaled by Jamf Pro via Webhook for processing.

• The macOS device risk level within JSC is elevated to high.

• SaaS or enterprise app Access Policy within JSC determines if connectivity to resources is allowed or blocked while the elevated risk is present.

• Once the threat has been investigated and neutralized, a secure device risk state is signaled to JSC.

• Once ZTNA is re-established via Jamf Trust, authorized connectivity is restored to organizational resources.

User Experience Demo

The video below shows how this configuration can enable:

1. Requiring managed macOS devices to route traffic to a SaaS application (Dropbox) via the Jamf Security Cloud.
2. Just-in-time and passwordless-ly activate Jamf Trust and secure ZTNA networking with Okta FastPass.
3. Detect and report a malicious download using Jamf Protect.
4. Signal the elevated device risk to Jamf Security Cloud, blocking access to Dropbox on the device.
5. Remediate the threat using a Jamf Self Service-based workflow.
6. Automatically restore access to Dropbox once the threat has been remediated.

macOS Threat Management with Jamf

Threat signaling and response can be broadly defined amongst vendors responsible for securing their customers users, devices, and sensitive data.  Jamf takes a holistic approach by enabling customers to expand beyond traditional identity-based realms to assess risk by layering insights gleaned across the entire endpoint to inform whether the device meets thresholds for access to critical resources.

This is the essence of Jamf Trusted Access - a solution built upon a foundation of device management principles and capabilities, integrated with modern identity & access technologies and rounded out with sophisticated endpoint security and threat detection.

As a Jamf Protect administrator, you might be aware of the behavioral analytic detections that indicate potentially malicious activity on your system. Detections such as hidden executable files, or the output of curl commands being piped directly to an interpreter are often indicative of potential malicious activities, but they are not definitive proof of a threat. Instead, they serve as valuable signals that warrant further analysis by security professionals. 

Balancing security and usability is a crucial aspect of any successful endpoint security strategy. By first investigating these events, your team can determine if they are indeed malicious or simply benign activities that are part of your organization's normal operations. Overly aggressive threat responses could lead to a negative user experience or disrupt your organization's workflow. A transparent and open approach to security can help foster trust between users and security teams. By emphasizing both security and usability, you can create an environment in which your organization can thrive, protected from threats without sacrificing productivity.

Follow along as we put pieces in place for device-based Risk Signaling between Jamf Protect, Jamf Pro and Jamf Security Cloud.

⚠️ Before We Begin

Known Issues

1️⃣ AWS Lambda Function

AWS Lambda server is an event-driven, server-less compute platform provided by Amazon Web Services. It is a cloud service that runs code in response to events. Computing resources required by that code are automatically managed by AWS.

Completing this step will result in a Lamba function running a python layer responsible for processing the webhook signals sent from Jamf Pro. This component is required for enabling a secure pathway for threat signaling messaging between Jamf cloud systems.

1. Login to the AWS Management Console
   • Select the Region where you’d like to host the Lambda function (AWS console, top right)
   • N. Virginia is selected for this example
2. Navigate to and select: Services > Compute > Lambda (or search Lambda )
   • Select Layers within Lambda (from left navigation)
   • A python requests module (AWS calls this a Layer) is required to run the aws_lambda.py  webhook processing script
   • Use the prebuilt python 3.9 requests module available in the Protect Github Repository, or..
   • Reference How to use requests module in AWS Lambda for a tutorial that creates a requests package that can be uploaded to create the layer module in this step
3. Click Create Layer
   • Assign a name and description for the layer
   • Select Upload a requests.zip file
   • Comptable runtime
     • Choose runtime corresponding to the python version from the requests package (ie. Python 3.9)
   • Save Layer
4. Navigate to Functions within AWS Lambda (from left navigation menu)
   • Click Create Function
     • Select Author from scratch
     • Assign a Function Name
     • Select Runtime: Python 3.9
     • Select Architecture: x86_64
     • Click Create function (will take a few moments to spin up)
   • Add a Layer to the Function
     • Within the Function overview, click Layers
     • Click Add a layer
     • Select Custom Layers, choose request_layer created in previous steps
     • Select Version 1
     • Click Add
   • Add aws_lambda.py contents to Lambda Function
     • Within the Code source of the Lambda Function..
       • Select All default code content and delete the default code
     • Copy the raw aws_lambda.py code from Jamf Protect Github
     • Paste the raw aws_lambda.py code into the Code source
     • Click DeployNow that we’ve created the Lambda Function, let’s make it accessible to the internet by creating an API Gateway. AWS calls this a Trigger. A trigger is a service or resource that invokes your function when contacted. The trigger enables the lambda function to communicate device risk signals between Jamf Security clouds.
5. Enable Internet connectivity for the Lambda Function
   • Click + Add trigger under API Gateway in the Function overview
     • Select Source from the dropdown: API Gateway
     • Choose Create a new API
     • Choose REST API for type
     • Select Open fromthe Security dropdown
       • Note: An API key could be configured if desired
     • Click Add - you will be presented with the API endpoint on the Function overview
     • Save the API endpoint URL. This will be the Webhook URL used in Jamf Pro in upcoming steps

2️⃣ Jamf Security Cloud Config

The Jamf Security Cloud portal (JSC) is a web application that is used to configure and manage Jamf network connectivity policy, applications, settings, and integrations for Jamf security services such as ZTNA and secureDNS which are a part of this solution. JSC also includes dashboards and reports about the connected devices in your environment.

Risk API

Completing this step will result in enabling the JSC Risk API, which can be used to programmatically audit or change a device's security risk level. Ultimately, the device risk level will be used to gate access to network resources configured for access control.

Full documentation for the JSC Risk API can be accessed within the portal, or clicking here (requires authentication).

1. Login to the Jamf Security Cloud portal
   • From the Left Navigation, select:
     • Integrations > Risk API
2. Enable JSC Risk API by toggling the setting slider
   • Click Generate API Key
   • In the New API Key window that appears, enter a Name for the Risk API key
   • Click Generate API Key
   • Once the API Key has been created save the details in a safe place for reference. These values will be used for the webhook in later steps
     • Important: Ensure the Application Secret value has been saved, this is the only time it will be visible

Access Policy

Device Risk-based Access Control

JSC Access Policy is where we'll define the security posture level a device needs to satisfy before the user is allowed access to SaaS and Enterprise application resources critical to your organization. See the JSC Access Policy documentation for adding predefined or custom SaaS application, and/or an on-premises or private cloud application hosted by your organization.

1. Login to the Jamf Security Cloud portal
   • From the Left Navigation, select:
     • Policies > Access > Access Policies
2. In this example we'll be configuring the Dropbox application, which is a predefined app in JSC.
   • Edit the Dropbox application (If not added previously, add the Dropbox app and define other settings per Access Policy Documentation
   • Click the Security tab
     • Enable slider for Device Risk-based Access Control
       • Deny access to the devices with at least the following risk level: Medium
       • Toggle slider for Device push notifications
     • Enable slider for Restrict access when Jamf Trust is disabled
       • Toggle slider for Device push notifications
     • Click Save

Once these settings are enforced as part of the Access Policy, if the Device Risk Posture does not satisfy the “Device Risk-based access control” risk level, the user will be prevented from accessing the resource and a push notification is sent to the Device to inform the user of the reason. Additionally, Jamf Pro Policies can be leveraged as part of a Response workflow to further notify a user of the policy action resulting from the Mac threat detected by Jamf Protect.

JSC Access Policy Setup Complete

---

3️⃣ Jamf Protect Analytics

A Jamf Protect analytic is a rule that detects suspicious user behavior and malicious system activity on macOS computers. Jamf Protect includes over 150 Jamf-managed analytics for you to deploy in your environment, with more added regularly as the Jamf Threat Lab team hunts down the latest Mac threats. Additionally, you can create custom analytics to detect activity specific to your security needs.

For building and testing this solution, Jamf recommends using a safe real-world analytic detection built-in to Jamf Protect. Once configured to signal to Jamf Pro in the next step, the FlashDownloadNotSignedByAdobe analytic will kick-off the risk elevation for your test Mac devices. This threat uses Defense Evasion and Masquerading, common MITRE ATT&CK Tactic and Techniques.

Check out the Jamf Protect documentation for detailed Analytic configuration.

4️⃣ Jamf Pro & Protect: Response Configuration

It's likely that Jamf Pro wears many hats for device management and security within your organization. Settings configuration and app deployment are two tentpoles that have already been leveraged up to this point when both Jamf Trust and Protect and their configuration profiles were deployed to your Mac. Next, we'll setup Jamf Pro with Smart Group logic and a Webhook to process the Jamf Protect threat detection, and serve as the cross-system communication to Jamf Security Cloud that's needed to achieve device-risk-based ZTNA.

Analytic-based Response

Between Jamf Protect and Jamf Pro, you can configure an analytic action to change the membership of a smart computer group in response to an analytic detection. Once configured, Jamf Protect will populate an extension attribute when a threat is detected, which a smart group in Jamf Pro will read and then change the membership of the smart group.

Jamf Protect documentation contains detailed instructions for Setting Up Analytic Remediation With Jamf Pro. Following these configuration steps will involve:

• Configuring analytic action Settings in Jamf Protect

• Creating a Jamf Protect extension attribute in Jamf Pro

• Creating a smart computer group using the extension attribute in Jamf Pro

• Creating an end user alert dialog script and policy

• Resetting the analytic detection on computers

Jamf Pro Webhook Risk Signaling

The Webhooks setting in Jamf Pro allows you to create outbound webhooks for any event in the Jamf Pro Events API. We'll be using the SmartGroupComputerMembershipChange event, which is triggered when a managed computer joins or leaves the membership of a smart computer group in Jamf Pro. When smart computer group change event occurs, an HTTP POST payload is sent to a specified URL. For this workflow, the URL will be the AWS Lambda Gateway API URL.

1. Log-in to your Jamf Pro Server and navigate to:
   • Settings > Global > Webhooks
   • Click New
   • Input the following details
     • Display Name for the Webhook
     • The Webhook URL (Lambda Function API URL)
     • Authentication Type: Header Authentication 
       • The Webhook Authentication Header will communicate device UIDs, risk levels, and API credentials between Jamf Pro and Jamf Security Cloud
         
       • Header contents described below
     • Content Type: JSON
     • Webhook Event:
       • SmartGroupComputerMembershipChange
     • Target Smart Computer Group:
       • Choose the Smart Computer Group you configured in the Analytic-based Response step
         
2. Use this template for your Webhook Header Authentication, inputting your org-specific values where required

Webhook Header TemplateWebhook Header Template
{
	"jamf_pro_url":"https://jamfpro.jamfcloud.com",
	"jamf_pro_username":"apiuser",
	"jamf_pro_password":"apipassword",
	"private_access_application_id":"risk_api_app_id",
	"private_access_application_secret":"risk_api_secret",
	"set_risk_level":"MEDIUM",
	"clear_risk_level":"SECURE"
}

Description of Header values

 Jamf Pro Webhook Setup Complete

5️⃣ Testing and Implementing the Workflow

Thoroughly testing this workflow prior to deploying in production environments is strongly recommended. There is high potential for mis-configuring a threat response without careful attention. Any corrective remediation action as a result of a Mac behavioral detection should be treated on a case-by-case basis as a result of careful consideration and planning. Only threats that are understood to cause direct harm or loss to user or organizational data should utilize this solution, otherwise you may unnecessarily impact end-user productivity.

As referenced previously, it's best to start with targeted precision for any behavior analytic hits you choose to take action against via this response workflow. A well-planned communication initiative with organizational stakeholders and leadership is recommended so that employees, staff or students understand what's happening and why.

Risk Level Reset

this automation