Question

CIS security level 1

  • October 17, 2025
  • 9 replies
  • 127 views

Adam-B

Good afternoon everyone, 

I wanted to inquire about the new compliance within JAMF PRO. I see we can push CIS level 1. I did this with MS Intune on Windows devices and it was a nightmare to whitelist certain policies. Before I implemented those I wish I had a community to ask for things such as Autoadmin logon disable breaking Autopilot.
 

For the macOS equivalent, are there any policies that inherently break functionality for Executives and Software Development teams, or any functionality of JAMF and its enrollment or management?

Any input or guidance would be amazing! Thank you all for being a supportive and engaging community.

9 replies

mbrown89
  • New Contributor
  • October 18, 2025

Hey Adam-B,

CIS Level 1 is meant for basic security hardening rather than making changes to core functionality. Level 1 aims to not disrupt productivity and focuses on:

    • Enforcing password policies
    • Enabling FileVault
    • Disabling automatic login
    • Configuring Gatekeeper and Firewall
    • Enabling system updates

Some policies in Level 1 do enforce changes, but these are generally low risk. Level 2 is more restrictive and can impact workflows more. That said, with Level 1 you may encounter minor friction with things like kernel extensions, unsigned apps, or automatic login removal. 

You can configure CIS Level 1 using the new Jamf Blueprints. I recently used Blueprints to configure CIS Level 1 for Tahoe, and it took just a few minutes to deploy. The Blueprint allows you to choose a group to apply the settings to. If you’re concerned, you could apply the Level 1 settings to a test Mac first to see how things behave before deploying to production.

Hope that helps!


mattjerome
  • Jamf Heroes
  • October 19, 2025

CIS isn’t an all-or-nothing setup. You need to decide what level of risk is acceptable for what parts of your org. As an example, for most of an org, AirDrop could be a strict no. But if you have photographers they may need it, so that would be an acceptable risk.


Adam-B
  • Author
  • New Contributor
  • October 20, 2025

Hi @mbrown89

Yes, it’s a blueprint meant to be configured and essentially “tuned” to your environment. We did the same thing with Windows. I just want to see if anyone had any “gotchas” they realized were too strict. Example: 1.1 in Windows actually locks out any sign-ins on Intune-joined machines. But if you deployed and nothing went crazy, that’s a good sign! Thank you


mbrown89
  • New Contributor
  • October 20, 2025

No worries @Adam-B. As @mattjerome mentioned, CIS is not all or nothing. The blueprints allow you to pick what you want. But please do test before pushing out to production. If you don’t have one already, it’s worth asking your Jamf account manager for a development Jamf instance so that you can play around with the blueprint on a test Mac to see how things work before doing the same on your production system. Or of course just scope the blueprint to a test Mac on your production instance. Whichever works for you 😄 But always test.


Adam-B
  • Author
  • New Contributor
  • October 20, 2025

I didn’t even know we could get a development JAMF instance. Is that an additional cost for the Org?

Appreciate your input for sure though thank you!

 


mbrown89
  • New Contributor
  • October 20, 2025

@Adam-B Nope, it didn’t cost my org anything extra and we have a very small number of devices.


mvu
  • Jamf Heroes
  • October 20, 2025

CIS Level 2 is where things can have impact. Like others mentioned, test. Once you’re comfortable in Jamf testing, roll out your CIS Level 1 to some test users and get feedback.

I wouldn’t expect anything major with CIS Level 1 controls, but your environment and customer base will tell you.


Adam-B
  • Author
  • New Contributor
  • October 20, 2025

Sounds good. Doesn’t seem like level 1 would be too bad then. Our engineers are very noisy so I will find out very quickly. Does the blueprint allow you to do a phased roll-out? Maybe 3 or 4 of the policies at a time?


sharriston
  • Valued Contributor
  • October 20, 2025

One of the better features of this is you can build a monitor-only CIS 1 benchmark. You can build it out how you see fit in your environment, then let it show you how close you are to existing management restrictions. It will basically make all the reporting without the enforcement; then, when you are ready and it’s communicated, switch it to an enforcement mode to deploy the restrictions.
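A monitor-only check of the kind sharriston describes, covering four of the Level 1 controls mbrown89 lists (FileVault, automatic login, Gatekeeper and firewall, automatic update checks), as an added example that is not from this thread, from Jamf or from CIS. It reads state and reports; it enforces nothing. The check_* functions take raw command output as their argument so the evaluation logic runs against constructed sample strings on any system; the macOS command names and output formats in the comments are my assumptions about the macOS command line, and the <result> wrapper assumes the script is used as a Jamf extension attribute. The password-policy control is not covered.

```shell
#!/bin/bash
# Added example (not from this thread, Jamf or CIS): a monitor-only audit of
# several macOS CIS Level 1 controls. It reads state and reports; it changes nothing.
#
# The check_* functions take raw command output as their argument and print PASS
# or FAIL, so the evaluation logic can be exercised with constructed strings on
# any host. The macOS commands and output formats named in the comments are
# assumptions about the macOS CLI, not anything the thread states.

check_filevault() {
  # `fdesetup status` prints "FileVault is On." when the startup disk is encrypted.
  case "$1" in
    *"FileVault is On"*) echo PASS ;;
    *) echo FAIL ;;
  esac
}

check_autologin() {
  # `defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser`
  # prints a user name when automatic login is configured and errors (empty
  # stdout) when it is not; empty is the compliant state.
  if [ -z "$1" ]; then echo PASS; else echo FAIL; fi
}

check_gatekeeper() {
  # `spctl --status` prints "assessments enabled" when Gatekeeper is on.
  case "$1" in
    *"assessments enabled"*) echo PASS ;;
    *) echo FAIL ;;
  esac
}

check_firewall() {
  # `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` prints
  # "Firewall is enabled. (State = 1)" (State = 2 for block-all) when on.
  case "$1" in
    *"State = 1"*|*"State = 2"*) echo PASS ;;
    *) echo FAIL ;;
  esac
}

check_auto_updates() {
  # `defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled`
  # prints 1 when automatic update checks are enabled.
  if [ "$1" = "1" ]; then echo PASS; else echo FAIL; fi
}

# Count PASS results among the arguments; prints "passed/total".
summarize() {
  total=0; passed=0
  for r in "$@"; do
    total=$((total + 1))
    if [ "$r" = PASS ]; then passed=$((passed + 1)); fi
  done
  echo "$passed/$total"
}

# Evaluate the five controls from their raw outputs. Prints a detail line, then
# the pass count wrapped in <result> tags (assumption: used as a Jamf extension
# attribute, whose value is whatever appears between those tags).
report() {
  fv=$(check_filevault "$1"); al=$(check_autologin "$2"); gk=$(check_gatekeeper "$3")
  fw=$(check_firewall "$4"); su=$(check_auto_updates "$5")
  printf 'FileVault=%s AutoLogin=%s Gatekeeper=%s Firewall=%s AutoUpdate=%s\n' \
    "$fv" "$al" "$gk" "$fw" "$su"
  echo "<result>$(summarize "$fv" "$al" "$gk" "$fw" "$su")</result>"
}

# Live collection, macOS only: runs the commands named in the comments above.
run_live_audit() {
  report "$(fdesetup status 2>/dev/null)" \
         "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)" \
         "$(spctl --status 2>/dev/null)" \
         "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" \
         "$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null)"
}

# Constructed sample output: a Mac with automatic login set and the firewall off.
sample_audit() {
  report "FileVault is On." "jdoe" "assessments enabled" \
         "Firewall is disabled. (State = 0)" "1"
}

if [ "$(uname)" = "Darwin" ]; then run_live_audit; else sample_audit; fi
```

Scoped to a test group as mbrown89 suggests, the extension-attribute value gives a per-Mac score to review before a Blueprint is switched from monitor to enforcement, and the detail line shows which control a noisy engineering team is about to feel.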