
Hey,

What is the recommended way of handling compliance with the upcoming Sequoia release? I have used the Jamf Compliance Editor to create config profiles for Sonoma, which was very convenient, since the JCE lets you upload perfectly named config profiles for Sonoma and its predecessors.

If I am not mistaken, the JCE does not currently support Sequoia, yet. For now, I have set major OS updates to be deferred by 90 days, so I can sort this out.

How do you guys handle this?

When is the JCE likely to be updated?

 

Thank you for your help.

Toby

Sequoia release for MSCP was published a few days ago. Beware some of the benchmarks listed are still marked as draft.
Release Sequoia Guidance Revision 1.0 · usnistgov/macos_security (github.com)




Yeah, I saw that. I am using the Compliance Editor GUI. How does that tie in with the release?




At its core Compliance Editor relies pretty heavily on the macOS Security Compliance Project.
Compliance Editor just has a really user friendly GUI instead of command line only. 


As far as I know, you have 2 options at this point in time.



  1. Use the macOS Security Compliance Project command line version

  2. Modify your JCE Preferences to show all branches (including draft) 

    If you choose to make the modification it will show branches that are still under development as well as released.  Run this with JCE closed:


defaults write com.jamf.complianceeditor showAllBranches -bool true

On open it will show all of the branches with Sequoia towards the bottom of the list.


 


Side note - I have heard the final version for the CIS benchmarks will probably be an October release. Maybe this is when the Sequoia branch will come out of draft branch? But no official word yet. You may want to join the MacAdmins Slack and join the #jamf-compliance-editor channel as it will likely be posted there first.




Brilliant answer. Thank you for your help!




Did you hear or see anything on iOS 18 CIS Benchmark by chance?


@exo  - just out of curiosity, how did you create the actual config profile for managing the OS update deferrals while also using the config profiles that JCE auto built?

The OS update deferrals are pretty easily set if you use the UI for Restrictions....  but there's a lot of other settings in there that will also step all over the arcane XML/mobileconfigs that JCE has put in place.  So I'm not really sure where to actually put the settings for the deferral.

What did you do?  Thanks




No sorry I have not. Was mainly keeping an eye out for desktop/laptop side. 




I'm interested in learning more about the compliance project's CLI. Is there a separate binary for that which is different from the JCE I guess? I haven't seen anything about a CLI except for this post.


Has the JCE been updated for Sequoia yet? Just tried downloading it again, but nothing there... always possible that I'm being a dummy. 




Yes, it's there. Did you get the latest version of JCE?


 



I'll go get it - thanks!

