{"id":323,"date":"2025-07-28T20:00:10","date_gmt":"2025-07-29T02:00:10","guid":{"rendered":"https:\/\/rasulnazriev.tech\/?p=323"},"modified":"2025-07-28T20:00:10","modified_gmt":"2025-07-29T02:00:10","slug":"compliance-benchmark-with-jamf","status":"publish","type":"post","link":"https:\/\/rasulnazriev.tech\/?p=323","title":{"rendered":"Compliance Benchmark with Jamf"},"content":{"rendered":"\n<p>As I finished Jamf 100, I started my journey towards Jamf 170 and hopefully Jamf 200, which I am asking my IT job to pay for. Before I go to the topic, I would like to briefly recap what I learned in Jamf 100. <\/p>\n\n\n\n<p>The first section was a general and basic overview of macOS and mobile devices, such as storage, file system and app management, which I mostly knew. The only new thing for me was that there are 5 volumes by default in macOS: data, system, preboot, virtual memory and recovery. The second section moved into an introduction to Jamf Pro, which I was familiar with from my Computer Support Specialist role, as I had to do a lot of tasks with Jamf Pro. I learned that Apple School or Business Manager plays an important role in device management. I also learned that Jamf Pro sends commands through Apple Push Notification. I got a good glance at automatic enrollment vs user-initiated enrollment. This leads me to section three, where I grasped groups, advanced searches and configuration policies, while section four focused mainly on policies. The key difference between a policy and a configuration profile is that a policy uses a binary stored on the user&#8217;s machine to execute a payload instead of APN (Apple Push Notification). OK, let&#8217;s get started with Compliance Benchmark for macOS!<\/p>\n\n\n\n<p>Compliance benchmarks are specific recommendations or rules concerning the security of a device. In this simple lab, I would like to use Jamf Compliance Editor to import them into Jamf Pro. 
The compliance PDF is on the CIS website, ready for download in case I need to review it.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"416\" src=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.11.17-PM-1024x416.png\" alt=\"\" class=\"wp-image-326\" srcset=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.11.17-PM-1024x416.png 1024w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.11.17-PM-300x122.png 300w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.11.17-PM-768x312.png 768w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.11.17-PM-1536x624.png 1536w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.11.17-PM-2048x832.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Next, I am going to get Jamf Compliance Editor. Suppose my supervisor said to bring all devices into compliance with Level 1 of CIS. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"620\" src=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.24.58-PM-1-1024x620.png\" alt=\"\" class=\"wp-image-329\" srcset=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.24.58-PM-1-1024x620.png 1024w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.24.58-PM-1-300x182.png 300w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.24.58-PM-1-768x465.png 768w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.24.58-PM-1-1536x930.png 1536w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.24.58-PM-1-2048x1240.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>And I have got them here<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"619\" src=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.32.09-PM-1024x619.png\" alt=\"\" class=\"wp-image-331\" srcset=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.32.09-PM-1024x619.png 1024w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.32.09-PM-300x181.png 300w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.32.09-PM-768x464.png 768w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.32.09-PM-1536x929.png 1536w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.32.09-PM-2048x1238.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>If I go to password policy, I see<\/p>\n\n\n\n<figure class=\"wp-block-image 
size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"620\" src=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.40.00-PM-1024x620.png\" alt=\"\" class=\"wp-image-332\" srcset=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.40.00-PM-1024x620.png 1024w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.40.00-PM-300x182.png 300w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.40.00-PM-768x465.png 768w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.40.00-PM-1536x930.png 1536w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.40.00-PM-2048x1240.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>There are $ODV values, which means they are Organizational Defined Values and need to be set by me. Here, I can configure some of the policies. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"717\" height=\"1024\" src=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.46.29-PM-717x1024.png\" alt=\"\" class=\"wp-image-333\" style=\"width:310px;height:auto\" srcset=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.46.29-PM-717x1024.png 717w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.46.29-PM-210x300.png 210w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-8.46.29-PM.png 742w\" sizes=\"auto, (max-width: 717px) 100vw, 717px\" \/><\/figure>\n\n\n\n<p>Above, I am setting the account lockout time to 3 from 5, which was the default. Jamf recommends keeping the default values, perhaps because Level 1 rules are essential, practical security tips. 
What Jamf is saying makes sense; however, an organization&#8217;s security baseline can differ significantly. In the Jamf Editor, it is possible to include Level 2 security guidelines by clicking &#8220;showing all&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"620\" src=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-9.45.55-PM-1024x620.png\" alt=\"\" class=\"wp-image-337\" srcset=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-9.45.55-PM-1024x620.png 1024w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-9.45.55-PM-300x182.png 300w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-9.45.55-PM-768x465.png 768w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-9.45.55-PM-1536x930.png 1536w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-25-at-9.45.55-PM-2048x1240.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now, I can customize the benchmark for our organization and get a security guideline from Level 2. After choosing the policies for my organization, I create the security baseline. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"479\" src=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-26-at-4.51.56-PM-1024x479.png\" alt=\"\" class=\"wp-image-340\" srcset=\"https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-26-at-4.51.56-PM-1024x479.png 1024w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-26-at-4.51.56-PM-300x140.png 300w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-26-at-4.51.56-PM-768x359.png 768w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-26-at-4.51.56-PM-1536x718.png 1536w, https:\/\/rasulnazriev.tech\/wp-content\/uploads\/2025\/07\/Screenshot-2025-07-26-at-4.51.56-PM.png 1848w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>There is a PDF file containing my chosen security rules. To upload this security guideline to Jamf Pro, I simply need to click the &#8220;Upload to Jamf Pro&#8221; button. As for other device management solutions, I need to do it manually. In Jamf Pro, it would be under Computers -&gt; Configuration Files. The scripts are now ready to be scoped and deployed. In Jamf Protect, this would be under Compliance -&gt; Baseline. Access to Jamf Pro and Jamf Protect is given by an employer and is not available to me at the time of writing. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>As I finished Jamf 100, I started my journey towards Jamf 170 and hopefully Jamf 200 which I am asking my IT job to pay for me. Before I go to the topic, I would like to briefly recap what I learned in Jamf 100. 
The first section was a general and basic overview of [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-323","post","type-post","status-publish","format-standard","hentry","category-uncategorised"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/posts\/323","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=323"}],"version-history":[{"count":8,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/posts\/323\/revisions"}],"predecessor-version":[{"id":342,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/posts\/323\/revisions\/342"}],"wp:attachment":[{"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=323"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=323"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=323"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}