Jamf Connection

This article walks through the details of configuring Jamf to connect to Drata.

Updated over 3 months ago

HERE'S WHY

Jamf can be leveraged to verify that your employees' workstations adhere to the Security Policies monitored by Drata.

Connecting to Jamf Pro will turn on the MDM option in Workstation Configuration Monitoring in your company's Internal Security settings. If the Drata Agent is not present and active on a workstation, Drata will instead obtain that workstation's configuration information from the Jamf Pro instance for compliance purposes.

BEFORE DIVING IN

You must have administrator access to your company's Jamf account.

LIMITATIONS

  • Jamf cannot natively pick up browser extensions, so if those are being used as a password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application. Ensure that this app shows on the device's Application List.

  • Jamf Now is not supported, because that product version does not expose all of the device compliance information Drata requires.

Overview of what we're going to set up

  1. Create (or reuse an existing) Jamf Pro Standard Account with a Privilege Set of Auditor.

  2. Upload to your Jamf instance the scripts necessary to check for Screen Saver Lock, Firewall and Automatic Update compliance.

  3. Set Inventory Refresh to an appropriate Execution Frequency.

  4. Ensure required User and Location values are set on all managed machines.

  5. Connect to your Jamf instance.


Create Account

Note: If you would like to use the credentials of an existing auditor account, you can skip this section and go to the Upload Scripts section.

Learn how to create a new account with auditor privileges.

  1. Log into Jamf Pro with the administrator account.

  2. In the left navigation pane, select Settings (the gear icon).

  3. Select 'User accounts & groups'.


  4. Select '+ New'.

  5. Select 'Create Standard Account' and 'Next'.

  6. Enter the account credentials, additional options and select 'Auditor' for the 'Privilege Set' field.

  7. Do not force the user to change passwords on the next login.

    1. Remember the account username and password. You need to enter these in Drata in a later step.

  8. 'Save' the account details.


Upload Scripts

1. Using an administrator account, under the 'Computer management' tab in Settings, select 'Extension attributes'.


2. Select '+ New'.


3. Create the 3 scripts: Screen Saver Lock, Firewall, and Automatic Updates.

The following sections display the values for each field. All the fields are required and should be entered exactly as defined below.

Screen Saver Lock

  • Display Name: Screen Saver Lock

  • Enabled (script input type only): Select the checkbox.

  • Description: This attribute displays the current Screen Saver Lock time. The value to be verified is the time before the password is required to unlock the machine, as specified in System Preferences -> Security & Privacy -> General. Example: 'screenLock delay is 60 seconds' verifies that a password will be required after the machine is idle for 1 minute.

  • Data Type: String

  • Inventory Display: Extension Attributes

  • Input Type: Script

  • Code (be sure to preserve line breaks as shown below):

NOTE: use this code for any devices running Catalina OS version 10.15.4 or earlier.

#!/bin/bash
# Text after the "]" in sysadminctl's log-style output, e.g. "screenLock delay is 60 seconds"
askForPassword=$(sysadminctl -screenLock status 2>&1 | awk '{split($0,a,"]"); print a[2]}' | xargs)
# Current HID idle time, converted from nanoseconds to seconds (IOHIDSystem; 10.15.4 and earlier)
idle_time=$(ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print int($NF/1000000000); exit}')

if [[ -n "$askForPassword" && "$idle_time" -le 900 ]]; then
    echo "<result> $askForPassword </result>"
else
    echo "<result>Disabled</result>"
fi

NOTE: use this code for any devices running Big Sur OS version 10.16 or later.

  • Apple deprecated IOHIDSystem after 10.15.4

  • NOTE: If the following script does not work, try replacing the line of code for idle_time with this line of code: idle_time=$(defaults read /Library/Managed\ Preferences/com.apple.screensaver idleTime)

#!/bin/bash
# Text after the "]" in sysadminctl's log-style output, e.g. "screenLock delay is 60 seconds"
askForPassword=$(sysadminctl -screenLock status 2>&1 | awk '{split($0,a,"]"); print a[2]}' | xargs)
# The owner of /dev/console is the user currently logged in at the GUI
user=$(stat -f "%Su" /dev/console)
# Screen saver idle time, in seconds, from that user's per-host preferences
idle_time=$(sudo -u "$user" defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)

if [[ -n "$askForPassword" && "$idle_time" -le 900 ]]; then
    echo "<result> $askForPassword </result>"
else
    echo "<result>Disabled</result>"
fi

The following image shows the Screen Saver Lock setting with the entered fields.



For more information on screen lock settings, go to Auto-Lock your Workstation with Screensaver and review the MacOS section.

NOTE: Regardless of which script version you use, the script's correct operation will produce an output value of either Enabled or Disabled. Enabled means the script found the expected settings on the machine, whereas Disabled means the script did not find the expected settings. It does not mean that the extension attribute script itself is turned off or not working.

Firewall

  • Display Name: Firewall

  • Enabled (script input type only): Select the checkbox.

  • Description: This attribute displays whether or not the system firewall is enabled. This attribute applies to both Mac and Windows.

  • Data Type: String

  • Inventory Display: Extension Attributes

  • Input Type: Script

  • Code (be sure to preserve line breaks as shown below):

#!/bin/bash
# Compare the macOS version numerically; a plain string comparison misorders e.g. 10.15 and 10.5
major=$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f1)
minor=$(/usr/bin/sw_vers -productVersion | /usr/bin/cut -d. -f2)
if [[ "$major" -eq 10 && "$minor" -lt 5 ]]; then
    # Mac OS X 10.4 and earlier store the firewall state under com.apple.sharing.firewall
    result=$(/usr/bin/defaults read /Library/Preferences/com.apple.sharing.firewall state)
    if [ "$result" == "YES" ]; then
        echo "<result>On</result>"
    elif [ "$result" == "NO" ]; then
        echo "<result>Off</result>"
    fi
else
    # 10.5 and later: application firewall globalstate (0 = off, 1 = on, 2 = block all incoming)
    result=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate)
    if [ "$result" == "0" ]; then
        echo "<result>Off</result>"
    else
        echo "<result>On</result>"
    fi
fi

The following image shows the Firewall setting with the entered fields.


Automatic Updates

  • Display Name: Automatic Updates Enabled

  • Enabled (script input type only): Select the checkbox.

  • Description: Auto updates on OS.

  • Data Type: String

  • Inventory Display: Extension Attributes

  • Input Type: Script

  • Code (be sure to preserve line breaks as shown below):

NOTE: The following script is looking for the system value written by the "Install macOS updates" checkbox in System Preferences -> Software Updates -> Advanced. If you wish to instead look for "Install system data files and security updates," in the script code, change AutomaticallyInstallMacOSUpdates to CriticalUpdateInstall.

#!/bin/bash
# User-level value written by the "Install macOS updates" checkbox
automaticInstallUserPreference="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2> /dev/null)"
# Same key when enforced by an MDM configuration profile
automaticInstallMdmPreference="$(/usr/bin/defaults read /Library/Managed\ Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2> /dev/null)"

# Either source counts; the key is absent (empty) if the box has never been checked
if [[ "$automaticInstallMdmPreference" == 1 || "$automaticInstallUserPreference" == 1 ]]; then
    echo "<result>Enabled</result>"
else
    echo "<result>Disabled</result>"
fi

The following image shows Automatic Updates settings with the entered fields.

If you wish to look for both together, please reach out to Support.

Inventory Refresh - Execution Frequency

  1. Select 'Computers', 'Policies' and then 'Update Inventory'.


  2. Select 'Edit' and add your preferred frequency under 'Execution Frequency' and 'Save'.

    1. We recommend a frequency of 'Once every day' to ensure continuous compliance.


Check Required User and Location Values

Drata updates workstation configuration compliance values by matching the email address of the device's user to your Personnel records. For each managed machine in Jamf, ensure the Username, Full Name, and Email Address are filled out in the User and Location tab.

1. Select 'Computers' and 'Search' at the top right to bring up the list of managed machines.

2. Select the name of a given computer.

3. Select 'User and Location' in the left sidebar under 'Inventory.'


4. If there are no values in the Username, Full Name, and Email Address fields, select 'Edit' at the top right to fill in these values. Ensure the value for Email Address matches the Personnel email record in Drata. Only if the Email Address is empty will Drata fall back to matching on the value in the Username field.

  • NOTE: If an invalid email is entered in the Email Address field, the device will not sync to the Personnel record in Drata.
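The following is an added example, not part of the original article or of Drata's or Jamf's own code: it evaluates one computer's inventory record the way the three extension attributes and the User and Location matching rule above describe. The record shape is assumed to follow a Jamf Pro Classic API computer object, the Personnel list is constructed, and the 900-second screen lock threshold is the one used in the Screen Saver Lock scripts.

```python
import re

def make_record(username, email, lock, firewall, updates):
    """Constructed record in the shape assumed for a Jamf Pro Classic API computer object."""
    return {"computer": {
        "location": {"username": username, "realname": "", "email_address": email},
        "extension_attributes": [
            {"name": "Screen Saver Lock", "value": lock},
            {"name": "Firewall", "value": firewall},
            {"name": "Automatic Updates Enabled", "value": updates},
        ]}}

# Constructed Personnel records (email and username); not real Drata data
PERSONNEL = [{"email": "jdoe@example.com", "username": "jdoe"},
             {"email": "sam@example.com", "username": "slee"}]

SAMPLE = make_record("jdoe", "jdoe@example.com", "screenLock delay is 60 seconds", "On", "Enabled")

def ea_values(record):
    """Flatten the extension_attributes list into a name -> value dict."""
    return {ea["name"]: ea.get("value", "") for ea in record["computer"]["extension_attributes"]}

def screen_lock_seconds(value):
    """Delay reported by the Screen Saver Lock script, or None when it reported Disabled."""
    m = re.search(r"screenLock delay is (\d+) seconds", value or "")
    return int(m.group(1)) if m else None

def match_personnel(record, personnel):
    """Match on Email Address first; fall back to Username only when the email is empty."""
    loc = record["computer"]["location"]
    email = (loc.get("email_address") or "").strip().lower()
    if email:  # a non-empty but unknown email never matches, and there is no fallback
        return next((p["email"] for p in personnel if p["email"] == email), None)
    user = (loc.get("username") or "").strip().lower()
    return next((p["email"] for p in personnel if p["username"] == user), None)

def evaluate(record, personnel, max_lock=900):
    """Compliance summary for one computer: who it belongs to and each check's result."""
    eas = ea_values(record)
    delay = screen_lock_seconds(eas.get("Screen Saver Lock"))
    return {
        "personnel": match_personnel(record, personnel),
        "screen_lock": delay is not None and delay <= max_lock,
        "firewall": eas.get("Firewall") == "On",
        "auto_updates": eas.get("Automatic Updates Enabled") == "Enabled",
    }

if __name__ == "__main__":
    print(evaluate(SAMPLE, PERSONNEL))
```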

Connect to your Jamf Instance

1. Select "Connections" from the left side navigation menu.

2. Select the 'Available connections' tab, search for the Jamf Pro integration, and select its Connect button.

3. A drawer will extend from the right of the screen. Enter your Jamf Auditor account details you created above. Omit the trailing slash from your Jamf Pro URL. Since this URL will be used as the API endpoint prefix, it might differ from the URL you use to log in to the web interface. Select 'Save & Test Connection'.

NOTE: Drata does not sync Jamf device data immediately upon connection. Device data syncs nightly when all user syncs run on your account.


If successful, a success banner appears at the top of the drawer.

Final step - configure Jamf in Drata for employee onboarding

  1. Go to your Settings page and select 'Internal Security'.

  2. Select 'Automated via Jamf MDM' and toggle off 'Automated via Drata Agent' to disable the Drata agent.

    1. If both remain on and the Drata agent is installed on an employee computer, the Drata agent takes precedence, meaning that employee's compliance checks will come from the agent.
