HERE'S WHY
Jamf can be leveraged to verify that your employees' workstations adhere to the Security Policies monitored by Drata.
Connecting to Jamf Pro will turn on the MDM option in Workstation Configuration Monitoring in your company's Internal Security settings. If the Drata Agent is not present and active on a workstation, Drata will instead obtain that workstation's configuration information from the Jamf Pro instance for compliance purposes.
BEFORE DIVING IN
You must have administrator access to your company's Jamf account.
LIMITATIONS
Jamf cannot natively pick up browser extensions, so if those are being used as a password manager, that compliance check will fail. Your users will need to use the equivalent installed desktop application. Ensure that this app shows on the device's Application List.
Jamf Now is not supported, because that product version does not expose all of the device compliance information Drata requires.
Overview of what we're going to set up
Create (or use existing) Jamf Pro Standard Account with a Privilege Set of Auditor.
Upload to your Jamf instance the scripts necessary to check for Screen Saver Lock, Firewall and Automatic Update compliance.
Set Inventory Refresh to an appropriate Execution Frequency.
Ensure required User and Location values are set on all managed machines.
Connect to your Jamf instance.
Create Account
Note: If you would like to use the credentials of an existing auditor account, you can skip this section and go to the Upload Scripts section.
Learn how to create a new account with auditor privileges.
Log into Jamf Pro with the administrator account.
In the left navigation pane, select Settings (the gear icon).
Select 'User accounts & groups'.
Select '+ New'.
Select 'Create Standard Account' and 'Next'.
Enter the account credentials, additional options and select 'Auditor' for the 'Privilege Set' field.
Do not force the user to change passwords on the next login.
Remember the account username and password. You need to enter these in Drata in a later step.
'Save' the account details.
Upload Scripts
1. Using an administrator account, under the 'Computer management' tab in Settings, select 'Extension attributes'.
2. Select '+ New'.
3. Create the 3 scripts:
Screen Saver Lock
Firewall
Automatic Updates
The following sections display the values for each field. All the fields are required and should be entered exactly as defined below.
Screen Saver Lock
Display Name:
Screen Saver Lock
Enabled (script input type only): Select the checkbox.
Description:
This attribute displays the current Screen Saver Lock time. The value to be verified is the time before the password is required to unlock the machine, as specified in System Preferences -> Security & Privacy -> General. Example: 'screenLock delay is 60 seconds' verifies that a password will be required after the machine is idle for 1 minute.
Data Type:
String
Inventory Display:
Extension Attributes
Input Type:
Script
Code (be sure to preserve line breaks as shown below):
NOTE: use this code for any devices running Catalina OS version 10.15.4 or earlier.
#!/bin/bash
# Text after the "]" of the sysadminctl status line, e.g. "screenLock delay is 60 seconds";
# empty when the command reports nothing usable.
askForPassword=$(sysadminctl -screenLock status 2>&1 | awk '{split($0,a,"]"); print a[2]}' | xargs)
# Seconds since the last keyboard or mouse input, read from IOHIDSystem (HIDIdleTime is in nanoseconds).
idle_time=$(ioreg -c IOHIDSystem | awk '/HIDIdleTime/ {print int($NF/1000000000); exit}')
# Report the lock delay when a lock is configured and idle_time is at most 900 seconds (15 minutes).
# An empty idle_time is treated as Disabled rather than passing the check.
if [[ -n "$askForPassword" && -n "$idle_time" && "$idle_time" -le 900 ]]; then
  echo "<result> $askForPassword </result>"
else
  echo "<result>Disabled</result>"
fi
NOTE: use this code for any devices running Big Sur OS version 10.16 or later.
Apple deprecated IOHIDSystem after 10.15.4. NOTE: If the following script does not work, try replacing the line of code for idle_time with this line of code: idle_time=$(defaults read /Library/Managed\ Preferences/com.apple.screensaver idleTime)
#!/bin/bash
# The [[ ... ]] tests below are bash syntax, so the script runs under bash rather than sh.
askForPassword=$(sysadminctl -screenLock status 2>&1 | awk '{split($0,a,"]"); print a[2]}' | xargs)
# The owner of /dev/console is the user currently logged in at the GUI.
user=$(/usr/bin/stat -f %Su /dev/console)
# Configured screen saver idle time in seconds, from that user's per-host preferences.
idle_time=$(sudo -u "$user" defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)
# Report the lock delay when a lock is configured and the idle time is at most 900 seconds (15 minutes).
# An empty idle_time (key not set or unreadable) is treated as Disabled rather than passing the check.
if [[ -n "$askForPassword" && -n "$idle_time" && "$idle_time" -le 900 ]]; then
  echo "<result> $askForPassword </result>"
else
  echo "<result>Disabled</result>"
fi
The following image shows the Screen Saver Lock setting with the entered fields.
For more information on screen lock settings, go to Auto-Lock your Workstation with Screensaver and review the MacOS section.
NOTE: Regardless of which script version you use, the script's correct operation will produce an output value of either Enabled or Disabled. Enabled means the script found the expected settings on the machine, whereas Disabled means the script did not find the expected settings. It doesn't mean that the entire extension attribute script is turned off or not working.
Firewall
Display Name:
Firewall
Enabled (script input type only): Select the checkbox.
Description:
This attribute displays whether or not the system firewall is enabled. This attribute applies to both Mac and Windows.
Data Type:
String
Inventory Display:
Extension Attributes
Input Type:
Script
Code (be sure to preserve line breaks as shown below):
#!/bin/bash
# Compare the macOS version numerically ("10.15.7" -> major 10, minor 15). The original
# string comparison truncated to four characters misclassified 10.10 through 10.15 as older than 10.5.
OS=$(/usr/bin/sw_vers -productVersion)
major=${OS%%.*}
rest=${OS#*.}
minor=${rest%%.*}
if [[ "$major" -eq 10 && "$minor" -lt 5 ]]; then
  # Mac OS X 10.4 and earlier stored the firewall state under com.apple.sharing.firewall.
  result=$(/usr/bin/defaults read /Library/Preferences/com.apple.sharing.firewall state 2>/dev/null)
  if [[ "$result" == "YES" ]]; then
    echo "<result>On</result>"
  else
    echo "<result>Off</result>"
  fi
else
  # 10.5 and later: com.apple.alf globalstate is 0 when the firewall is off, non-zero when on.
  result=$(/usr/bin/defaults read /Library/Preferences/com.apple.alf globalstate 2>/dev/null)
  # A missing or zero value is reported as Off so an unreadable setting does not pass the check.
  if [[ -z "$result" || "$result" == "0" ]]; then
    echo "<result>Off</result>"
  else
    echo "<result>On</result>"
  fi
fi
The following image shows the Firewall setting with the entered fields.
Automatic Updates
Display Name:
Automatic Updates Enabled
Enabled (script input type only): Select the checkbox.
Description:
Auto updates on OS.
Data Type:
String
Inventory Display:
Extension Attributes
Input Type:
Script
Code (be sure to preserve line breaks as shown below):
NOTE: The following script is looking for the system value written by the "Install macOS updates" checkbox in System Preferences -> Software Updates -> Advanced. If you wish to instead look for "Install system data files and security updates," change AutomaticallyInstallMacOSUpdates to CriticalUpdateInstall in the script code.
#!/bin/bash
# The setting can come from the user-level preference (System Preferences) or from an
# MDM-managed preference (configuration profile); either source enabling it counts as compliant.
automaticInstallUserPreference="$(/usr/bin/defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2> /dev/null)"
automaticInstallMdmPreference="$(/usr/bin/defaults read /Library/Managed\ Preferences/com.apple.SoftwareUpdate AutomaticallyInstallMacOSUpdates 2> /dev/null)"
# defaults prints 1 for an enabled boolean; anything else (0 or a missing key) is Disabled.
if [[ "$automaticInstallMdmPreference" == "1" || "$automaticInstallUserPreference" == "1" ]]; then
  echo "<result>Enabled</result>"
else
  echo "<result>Disabled</result>"
fi
The following image shows Automatic Updates settings with the entered fields.
If you wish to look for both together, please reach out to Support.
Inventory Refresh - Execution Frequency
Select 'Computers', 'Policies' and then 'Update Inventory'.
Select 'Edit' and add your preferred frequency under 'Execution Frequency' and 'Save'.
We recommend a frequency of 'Once every day' to ensure continuous compliance.
Check Required User and Location Values
Drata updates workstation configuration compliance values by matching the device user's email address to your Personnel records. For each managed machine in Jamf, ensure the Username, Full Name, and Email Address are filled out in the User and Location tab.
1. Select 'Computers' and 'Search' at the top right to bring up the list of managed machines.
2. Select the name of a given computer.
3. Select 'User and Location' in the left sidebar under 'Inventory.'
4. If there are no values in the Username, Full Name, and Email Address fields, select 'Edit' at the top right to fill in these values. Ensure the value for Email Address matches the Personnel email record in Drata. Only if the Email Address is null will Drata try to sync according to the value in the Username field.
NOTE: If an invalid email is entered in the Email Address field, the device will not sync to the Personnel record in Drata.
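The following pre-flight audit is an added example, not part of this article or of Jamf or Drata: it applies the matching rules above (Email Address first, Username only as a fallback, invalid email means no sync) to a constructed inventory export. The CSV layout with the columns Computer Name, Username, Full Name, Email Address is an assumption; adjust the column numbers to your own export.

```shell
#!/bin/sh
# Added example: audit User and Location fields before connecting Jamf Pro to Drata.
# Assumed (hypothetical) export layout: Computer Name,Username,Full Name,Email Address

# Constructed sample inventory for the demonstration.
SAMPLE_INVENTORY='Computer Name,Username,Full Name,Email Address
MBP-001,alice,Alice Example,alice@example.com
MBP-002,bob,Bob Example,
MBP-003,,,
MBP-004,carol,Carol Example,carol-at-example.com
MBP-005,dave,,dave@example.com'

# Print one line per finding, then a summary with the number of devices that will not sync.
# Rules from the article: Drata matches on Email Address; only when it is empty does it
# fall back to Username; an invalid Email Address means the device will not sync at all.
audit_user_location() {
  printf '%s\n' "$1" | awk -F',' '
    NR > 1 {
      name = $1; user = $2; full = $3; email = $4
      if (email != "" && email !~ /^[^@ ]+@[^@ ]+\.[^@ ]+$/) {
        print name ": invalid Email Address \"" email "\" - device will not sync"; bad++; next
      }
      if (email == "" && user == "") {
        print name ": no Email Address and no Username - device will not sync"; bad++; next
      }
      if (email == "")
        print name ": no Email Address - Drata will fall back to Username \"" user "\""
      if (full == "")
        print name ": Full Name is empty"
    }
    END { print "devices that will not sync: " bad + 0 }'
}

# Just the count from the summary line, for use in other scripts.
unsyncable_count() {
  audit_user_location "$1" | awk -F': ' '/^devices that will not sync/ { print $2 }'
}

audit_user_location "$SAMPLE_INVENTORY"
```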
Connect to your Jamf Instance
1. Select "Connections" from the left side navigation menu.
2. Select the 'Available connections' tab, search for the Jamf Pro integration, and select its 'Connect' button.
3. A drawer will extend from the right of the screen. Enter your Jamf Auditor account details you created above. Omit the trailing slash from your Jamf Pro URL. Since this URL will be used as the API endpoint prefix, it might differ from the URL you use to log in to the web interface. Select 'Save & Test Connection'.
NOTE: Drata does not sync Jamf device data immediately upon connection. Device data syncs nightly when all user syncs run on your account.
If successful, a success banner appears at the top of the drawer.
Final step - configure Jamf in Drata for employee onboarding
Go to your Settings page and select 'Internal Security'.
Select 'Automated via Jamf MDM' and toggle off 'Automated via Drata Agent' to disable the Drata agent.
If both remain on and the Drata agent is installed on an employee computer, the Drata agent takes precedence, meaning that employee's compliance checks will come from the agent.