
I have updated my instance to 11.16, and here are some quick hits that are bugging me.

  • There's an option of monitor, and monitor and enforce. However, there is no switch available to go from one to the other; you need to create a whole new set of rules, make your changes, then send it out. This needs to be looked at.

  • Once the monitor has been set (I didn't enforce quite yet) you get the results, how many machines pass or fail, but there is NO WAY to see what machines fail, OR WHY they failed certain standards. This too needs to be looked at.

  • Using the advanced search fails to yield any results, as there is no way to point to these standards in the search function.

  • When using JCE, profiles were added in the device management tab; using Jamf's CE, I don't have a CLUE where they're stored at.

  • The documentation contains NONE of the items I've listed above.

Hi @danlaw777. Thanks for your interest in compliance benchmarks and your feedback. Let me comment on those:

  • The ability to switch between monitor and enforce mode will come in the very near future. We are actively working on it.

  • We understand the need to easily see what machines are out of compliance. This is also under development and will come in the near future. In the meantime, there is a workaround to get this information - please see this post. Please let us know if this helped.

  • "using the advanced search fails to yield any results as there is no way to point to these standards in the search function" - could you please elaborate a bit more? Do you mean that the workaround does not produce what you need or that it does not work at all?

  • Compliance benchmarks creates and manages profiles, scripts and other artefacts that are stored under the device management tab. They are organised into a category that is named after your compliance benchmark configuration name.


Ability to switch coming - EXCELLENT

Workaround worked!

And I still don't see the profiles in device management.



@danlaw777 Do you mind sharing your compliance benchmark configuration as well as the profiles section under device management (screenshots incl. rules, if that is ok)? If you can't share it publicly for privacy reasons, please share it via DM to me or open a support ticket. Thank you.


if you have time, send me a calendar req and I can show you live



Hi @danlaw777. Here is my Calendly link. Feel free to pick a time that suits you the best! Thank you.


I was just looking and is there no way to edit the scope of compliance readiness after it is created? I saw I can edit which rules are enforced but not any scoping.



Hi @mattjerome. Thank you for your feedback. We are actively working on many improvements to the compliance benchmarks capability - allowing you to change the smart group (scope) is one of the items on our near-term roadmap. Please stay tuned for updates. In the meantime, as a workaround, you could potentially use the nested smart groups feature in Jamf Pro to achieve what you need.


Could you please describe the use case for which you need to edit the scope?



The scoping feature is NEEDED!

1. Pilot this configuration.

2. Post pilot, rescope to all devices.

3. Pilot the next macOS.

These are 3, but there are more, I know.



Hi @Tomas_Lukl1, are there plans to support the exceptions.plist so you can exempt some rules from a subset of computers in scope of the benchmark? The JCE supports this with the Compliance - Failed Results Count EA and the Compliance - Exemptions EA.



This makes sense. Thank you for the context. Ability to edit scoping (by changing smart group) will come very soon.


Hi @c_kay. Thank you for the question. Could you please describe in a bit more detail what the use case is for which the exemptions are useful to you?



I have an open feature request for this: https://ideas.jamf.com/ideas/JPRO-I-1278

Here's the situation I face. My creative team needs all our CIS benchmarks except one: AirDrop. It would be very beneficial if I could go to the CIS rule, click an 'exception' button, and add a smart or static group to exclude it from that specific rule without having to create a whole new set of benchmarks for just one small group. That makes things very confusing and convoluted when trying to assess our security standards.



For us, we need a small number of Macs to have Apple Remote Desktop and SSH enabled, but we don't want to have to create a separate benchmark for them. There might be further exemptions a few users might need in the future, and again we don't want to create more benchmarks. The script that Jamf Pro Compliance creates for the benchmark already supports the exemption plist; it's just your Failed Result List EA for the benchmark that doesn't. It reports rules that have been exempted as failures instead of ignoring them.



Are there plans to be able to sort the rules in a benchmark numerically instead of alphabetically, so rule 1.10 comes after rule 1.2?




@Tomas_Lukl1 is there going to be an API for Benchmarks so we can access the reporting data?



Hi @danlaw777. I'm guessing a bit about the configuration profiles in device management. You've mentioned that you haven't 'enforce quite yet'. The profiles are only used for enforcing the rules - monitoring is done via a script (executed via a policy, resulting in a filled extension attribute).


Checking our test instance, I can see the profiles used for benchmark enforcement in the computer inventory.



Is this what you've been looking for?



@c_kay yes, creating an API to get reporting data programmatically is on our roadmap. Is there anything specific you would expect this API to provide, and what would you use it for?


Actually that's been fixed so ignore.


Yes, right on Monday! But keep this feedback coming please!



I'd like the API to be able to get the Rule report data. So the pass, fail, unknown numbers for each rule please.



Speaking of the Rule report, I've noticed that a rule with 0 pass, 0 fail, 0 unknown is calculated to 0% Computers passed. I think that should be 100% Computers passed; otherwise it looks like the rule failed, where really it just doesn't apply to any of the Macs in scope.


For example, rule 5.9 Ensure Extensible Firmware Interface Version is Valid
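An added illustration of the two reporting points raised in this thread (an exemption-aware failed-results EA, and a rule no Mac reports on being 100% rather than 0% passed); this is example code, not Jamf's or mSCP's own. It assumes audit results in the per-rule plist shape the mSCP compliance script writes, with an "exempt" key marking exemptions, and uses hypothetical rule ids and constructed sample data.

```python
import plistlib

# Hypothetical rule ids in mSCP naming style; the last one mirrors rule 5.9
# in this thread, which none of the sampled Macs report on at all.
BENCHMARK_RULES = ["os_airdrop_disable", "os_ssh_server_disable",
                   "os_efi_version_valid"]

# Constructed sample: one audit plist per Mac, keyed by rule id
# ("finding": True means the check failed). Treating an "exempt" key in the
# same plist as the exemption marker is an assumption about the file layout.
_SAMPLE = {
    "mac-creative-01": {
        "os_airdrop_disable": {"finding": True, "exempt": True,
                               "exempt_reason": "creative team uses AirDrop"},
        "os_ssh_server_disable": {"finding": False},
    },
    "mac-finance-02": {
        "os_airdrop_disable": {"finding": True},
        "os_ssh_server_disable": {},          # checked, no result yet: unknown
    },
    "mac-admin-03": {
        "os_airdrop_disable": {"finding": False},
        "os_ssh_server_disable": {"finding": True, "exempt": True,
                                  "exempt_reason": "ARD/SSH admin host"},
    },
}
SAMPLE_PLISTS = {mac: plistlib.dumps(a) for mac, a in _SAMPLE.items()}

def failed_rules(plist_bytes: bytes) -> list[str]:
    """What a Failed Results EA should return: failing rules that are NOT exempt."""
    audit = plistlib.loads(plist_bytes)
    return sorted(r for r, v in audit.items()
                  if v.get("finding") is True and not v.get("exempt", False))

def rule_report(plists: dict[str, bytes]) -> dict[str, tuple[int, int, int]]:
    """Per rule (pass, fail, unknown). Exempt entries are skipped; a rule a Mac
    never reports on is not applicable to it and is counted nowhere."""
    counts = {r: [0, 0, 0] for r in BENCHMARK_RULES}
    for raw in plists.values():
        for rule, v in plistlib.loads(raw).items():
            if rule not in counts or v.get("exempt", False):
                continue
            idx = 2 if "finding" not in v else (1 if v["finding"] else 0)
            counts[rule][idx] += 1
    return {r: tuple(c) for r, c in counts.items()}

def percent_passed(passed: int, failed: int, unknown: int) -> float:
    """Share of reporting Macs that pass; a rule no Mac in scope reports on is
    fully compliant (100%), not 0% as observed in the thread."""
    total = passed + failed + unknown
    return 100.0 if total == 0 else round(100.0 * passed / total, 1)
```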



Good point, thank you for the feedback! Let me look at that and get back to you.


Hi @danlaw777 @mattjerome and others,


I wanted to share that editing of benchmark scope (smart group) and mode/type (monitor or enforcement) has been enabled just today. Go check your Jamf Pro instances and let us know if the new capability works well for you!



this is wonderful!!!

