
Hi everyone,

I'm currently working on aligning our macOS fleet with the CIS Level 1 benchmarks using Jamf Protect and Jamf Pro. I have CIS18 compliance reporting enabled in Jamf Protect, and while it’s very helpful, I’m running into a significant challenge.

I’m seeing up to 25 FAIL results in the Compliance report. I’d like to remediate these via configuration profiles in Jamf Pro, but here’s where things get tricky:

  • The CIS18 report in Jamf Protect doesn't clearly state what exactly needs to be configured to fix each FAIL.
  • I’ve referred to the official CIS macOS benchmark PDF, but there are many settings that can’t be implemented via configuration profiles or are labeled differently in Jamf.
  • There’s no consistent ID or reference number in Jamf Protect's report that I can use to match it back to the CIS benchmark document, which makes it very hard to find the right section and remediation.

Has anyone dealt with this mapping issue before?
How did you go about creating your secure configuration profiles in Jamf Pro based on CIS18?

I’m open to any tips, workflows, tools, or even spreadsheets/templates you’ve used to streamline this process.

Thanks in advance!

Do you have your CIS compliance reporting mixed? You stated CIS 18, but that is for iOS 18.


I used the Jamf Compliance Editor (JCE) app to configure my macOS CIS baseline. This app helps you configure MDM profiles and scripts/settings to cover items not configured by configuration profiles.

I haven't touched the blueprints option yet, so somebody else will have to ch
https://github.com/Jamf-Concepts/jamf-compliance-editor


Honestly, Protect does a miserable job at educating admins on what CIS benchmarks they are talking about because they don't use the CIS L1/L2 numbering and don't even use the same title.

I myself do use Jamf Protect for reporting, but I use the NIST docs as a to-do list of what configurations need to be managed. However, I do not use NIST's recommendations for how to go about remediating, as many of the remediation steps NIST provides are flat out wrong. Also, many of the configurations, like updating things like Gatekeeper, require SIP to be disabled, and disabling SIP is a finding in and of itself. So for things like that I just ignore them; yes, Gatekeeper needs to be updated, but let the OS handle that, for example.

The benchmarks are just a guide; it's up to your organization to determine the baseline you use.

https://github.com/usnistgov/macos_security/releases/tag/sequoia_rev1.1
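The replies above point at the Jamf Compliance Editor and the NIST macos_security (mSCP) project, whose per-rule files carry the CIS section number, the level tags and whether the setting ships as a configuration profile. The script below is an added example, not code from the thread or from either project: it reads that rule format with a small hand-rolled subset parser (so no third-party YAML library is needed), builds a crosswalk sorted by CIS section, and does a word-overlap match for report titles that are worded differently than the rule titles. The two embedded rule files are constructed samples; the ids, titles and section numbers are placeholders, and the rule-file layout (id, title, tags, mobileconfig, references.cis.benchmark) is an assumption about the project's format that should be checked against the rules folder of the release you actually use.

```python
"""Added example (not from the thread or the macos_security project): crosswalk
mSCP/Jamf Compliance Editor style rule files to CIS benchmark sections."""
import re

SAMPLE_RULES = [  # constructed sample rule files in the assumed mSCP layout
    """\
id: os_example_a
title: "Enable Setting A"
discussion: |
  Free text the reader must skip, even a line shaped like this: not a key.
references:
  cis:
    benchmark:
      - 2.0.1 (level 1)
tags:
  - cis_lvl1
  - cis_lvl2
mobileconfig: true
""",
    """\
id: os_example_b
title: "Disable Service B"
references:
  cis:
    benchmark:
      - 10.0.2 (level 1)
tags:
  - cis_lvl1
mobileconfig: false
""",
]


def _scalar(text):
    # Strip surrounding quotes and map true/false to bool; everything else stays a string.
    text = text.strip()
    if len(text) >= 2 and text[0] == text[-1] and text[0] in "\"'":
        return text[1:-1]
    return text.lower() == "true" if text.lower() in ("true", "false") else text


def parse_rule(text):
    """Parse the indentation-based subset of a rule file into dicts and lists."""
    root, lines, i = {}, text.splitlines(), 0
    indent_of = lambda s: len(s) - len(s.lstrip(" "))
    # Frames are (indent of owning key, owner dict, key); owner[key] is the container
    # that deeper-indented children populate.
    stack = [(-1, {"root": root}, "root")]
    while i < len(lines):
        raw, i = lines[i], i + 1
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = indent_of(raw), raw.strip()
        while stack[-1][0] >= indent:
            stack.pop()
        _, owner, key = stack[-1]
        if line.startswith("- "):                 # list item under the owning key
            if owner[key] == {}:                  # first item turns the empty mapping into a list
                owner[key] = []
            owner[key].append(_scalar(line[2:]))
            continue
        m = re.match(r"^([^:]+):(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("unsupported line: %r" % raw)
        k, v, container = m.group(1).strip(), m.group(2), owner[key]
        if v in ("|", ">"):                       # block scalar: keep text, never read it as keys
            block = []
            while i < len(lines) and (not lines[i].strip() or indent_of(lines[i]) > indent):
                block.append(lines[i].strip())
                i += 1
            container[k] = "\n".join(block).strip()
        elif v is None:                           # a nested mapping or list follows
            container[k] = {}
            stack.append((indent, container, k))
        else:
            container[k] = _scalar(v)
    return root


def _section_key(row):
    """Numeric sort so section 2.x precedes 10.x (a plain string sort would not)."""
    m = re.match(r"[\d.]+", row["cis_sections"][0]) if row["cis_sections"] else None
    return tuple(int(p) for p in m.group(0).split(".") if p) if m else (9999,)


def build_crosswalk(rule_texts, level="cis_lvl1"):
    """One row per rule tagged with `level`: id, title, CIS sections, delivery method."""
    rows = []
    for rule in map(parse_rule, rule_texts):
        if level not in rule.get("tags", []):
            continue
        cis = rule.get("references", {}).get("cis", {})
        rows.append({"rule_id": rule["id"], "title": rule["title"],
                     "cis_sections": list(cis.get("benchmark", [])),
                     "delivery": "configuration profile" if rule.get("mobileconfig") else "script"})
    return sorted(rows, key=_section_key)


def match_title(report_title, rows):
    """Closest rule to a report title that is worded differently (Jaccard on word tokens)."""
    tokens = lambda s: set(re.findall(r"[a-z0-9]+", s.lower()))
    want = tokens(report_title)
    score = lambda r: len(want & tokens(r["title"])) / max(len(want | tokens(r["title"])), 1)
    best = max(rows, key=score)
    return best["rule_id"], round(score(best), 2)
```

To run it against a real checkout, replace `SAMPLE_RULES` with the contents of every `*.yaml` under the project's rules directory (for example via `glob.glob("rules/**/*.yaml", recursive=True)`; that path is an assumption about the checkout layout) and call `build_crosswalk(texts, "cis_lvl1")`. The `delivery` column answers the "can this be a configuration profile?" question per rule, and `match_title` gives a ranked guess when the report title does not match the benchmark wording; treat a low score as "look it up by hand" rather than a confirmed mapping.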

