Enabling AWS Verified Access for macOS
  • 02 May 2023
  • 5 Minutes to read
  • Dark
    Light
  • PDF

Enabling AWS Verified Access for macOS

  • Dark
    Light
  • PDF

Article summary

With Amazon Web Services (AWS) Verified Access, organizations can define contextual "Zero Trust" policies that define user and device claims – such a user's group membership or device's management state (which is where Jamf comes in!) – that must be met to authorize access to a protected AWS workload.

Traditionally the only way to control access to workloads on AWS has been through the use of source IP-based ACLs, certificates, or VPNs.

Jamf has worked closely with Amazon to provide metadata about managed macOS devices that may be used in AWS Verified Access policies. Specifically, Jamf is able to provide the following information that can be used during policy evaluation:

  • Device Management State: A signed and attested claim that the device making the request is managed by your organization.
  • Device Group Memberships: The groups that the device is a member of in your MDM.
  • Risk Level: The device's current risk level (Secure, Low, Medium, High), as determined by Jamf's Security Cloud.
  • OS Version: The macOS version on the device.

Using the Verified Access policy language, these claims may be evaluated to granularly permit access to your organization's workloads.

How it Works

On macOS devices, AWS Verified Access is realized through an Amazon-built Chrome and Firefox extension. An example of Chrome’s extension is shown below: setup instructions

AWS Chrome Browser Extension.png

This extension communicates with the Jamf Trust app, which is deployed and activated silently on the managed macOS device via MDM, to securely obtain the above device claims from the Jamf Security Cloud.

Jamf Trust App Showing Device Trust Status.png

These claims are in turn sent along with requests made within Chrome and Firefox, providing the Verified Access policy engine with the metadata it needs to make an access decision.

Amazon has provided setup instructions for AWS Verified Access browser extensions working with Jamf on macOS.

Use Cases

When Jamf is used with other "Trust Providers", such as your organization's Identity Provider, AWS Verified Access unlocks a wide array of access use cases, including:

  • Restricting access to only managed Macs
  • Only allowing access to managed Macs with an authenticated user that belongs to a specific domain or user group
  • Requiring device management and a "Secure" risk level to access resources. Examples from Jamf Pro and Jamf Security Cloud shown below:

Jamf Pro Compliance Smart Group.png

The image above is an example of using a Smart Group in Jamf Pro. This can help define minimum to device-level compliance criteria before AWS Verified Access and other Jamf Security Cloud services apply.

UEM Connect Group Mapping.png

This image above is an example of UEM Connect within the Jamf Security Cloud portal. UEM Connect can be configured to synchronize with Jamf Pro. This integration is used to map appropriate Smart Groups (like the example above) to Jamf Security Cloud groups for more consistent, granular access controls.

In addition to group mapping, UEM Connect also syncs a managed device's inventory details like device name and other metadata from Jamf Pro. This provides consistency between the two dashboards and helps to monitor devices and their overall risk level (as shown below).

Managed Mac With Secure Risk Status.png

Shown below, the end user will see similar security assessments and connection status using the Jamf Trust app (via the top menubar on macOS).

Jamf Trust App Shows Macs Security Posture.png

AWS Verified Access also compliments Jamf’s Trusted Access architecture. Jamf Trusted Access is a combination of tools and solutions (like Jamf Pro, Jamf Connect and Jamf Protect) for management and security to use with an organization’s chosen Identity Provider (IdP). When AWS Verified Access is used in a Jamf Trusted Access environment:

  • AWS Verified Access can define very granular access policies to Amazon-based resources with the added protection of Jamf's ZTNA encryption
  • Jamf can provide Layer 3 routing to applications/workloads that are not supported through Verified Access via ZTNA (e.g. SSH, RDP, DB)
  • Jamf can provide similar access controls at the networking layer for non-AWS applications, such as on-premise apps or services

Setup

Requirements

Configuring AWS Verified Access for Mac involves configurations provided from the following systems, all of which require appropriate licensing and administrative access as indicated below:

  • Access to a Jamf Pro Server with a Jamf Pro administrator account
    Note: Currently the use of Microsoft Endpoint Manager (aka Intune) is also supported.
  • The Jamf Security Cloud Portal (formerly known as RADAR)
    Note: Existing Jamf Customers can contact us to acquire a free license to use the Verified Access integration. Non-Jamf Customers can purchase a license of Jamf Protect for Mac or Jamf Connect to obtain this functionality.
  • A valid AWS account with administrative privileges

Steps

Follow the below steps and guides to configure Verified Access in your environment:

  1. Set up AWS Verified Access in your AWS account.

  2. Configure Jamf Pro and Security Cloud, which will have you configure and deploy:

    1. The integration between Jamf Security Cloud and Amazon Verified Access cloud services.
      AWS Verified Access Integration in JSC.png
    2. The Verified Access Chrome and/or Firefox browser extensions and manifest file
    3. The Jamf Trust app for macOS, which is available for volume licensing (VPP) and managed distribution with Jamf Pro or another supporting MDM
    4. A downloaded Jamf Security Cloud Activation Profile that contains the "Device Identity" service capability as well as the Chrome and / or Firefox browser extensions and manifest file. This Activation Profile is uploaded to Jamf Pro as a Configuration Profile. The browser extension manifests are PKGs.
      JSC Activation Profile for AWS Device Identity.png{height="" width=""}
      JSC Activation Profile Downloadable Resources.png
  3. After configuring a Verified Access endpoint in the AWS console, define a policy for that endpoint that utilizes Jamf trust provider claims.
    a. Tip: If using this alongside Jamf Connect ZTNA (formerly known as Jamf Private Access), you can also configure IP-based access policies to only allow connections from Jamf's edge IP addresses for an additional layer of security. E.g.

permit(principal, action, resource) 
when {
    ip(context.http_request.client_ip).isInRange(ip("54.209.62.128/32"))
};

b. Tip: You MUST define a permitting Verified Access policy as AWS's default action is DENY. A basic example policy to allow access to Devices with no higher than a LOW risk level would be:-

permit(principal,action,resource)
when {
    ["LOW", "SECURE"].contains(context.jamf.risk)
};
  1. Using a macOS device that has been configured with the Verified Access browser extension and Jamf Trust, attempt a connection to the defined endpoint and verify connectivity.
    1. You should see the Jamf Trust icon appear in the macOS menu bar, which will indicate "You're all set" when clicked.
  2. You can also configure logging to aide with troubleshooting and to otherwise monitor Verified Access use.

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.