
Hi Jamf Nation,


We're thrilled to announce that the compliance benchmarks capability in Jamf Pro is now generally available! This release transforms how your organization manages compliance across Apple devices, making compliance validation and enforcement simpler than ever before.




Benefits


At the heart of this new capability is a streamlined approach to security compliance:



  • Quick Setup and Implementation - we've integrated both CIS Level 1 and Level 2 benchmark templates from the macOS Security Compliance open source project (mSCP) to allow rapid deployment of compliance rules. Using compliance benchmarks, IT teams can quickly create compliance configurations across your organization.

  • Flexible Options - IT teams can assess compliance status in monitoring mode before enforcing changes, allowing them to understand impact and prepare users. This provides a risk-free way to evaluate compliance status without disrupting productivity.

  • Automated Remediation - when devices fall out of compliance, Jamf Pro mechanisms ensure quick return to compliance with minimal IT intervention.

  • Seamless Jamf Pro Integration - devices are automatically categorized as compliant or non-compliant into smart groups, enabling further workflows such as integration with Microsoft Entra and Google BeyondCorp to allow organizations to ensure that only trusted users on compliant devices can access company resources.




Why it matters



  • Regulatory Compliance and Risk Management - meet strict security requirements for handling sensitive data while avoiding penalties and legal issues. Compliance benchmarks provide a clear framework to achieve and maintain regulatory standards across your organization.

  • Simplified Security Implementation - instead of tracking numerous security settings changes across different operating systems, use pre-validated security standards as your guide. This makes it easier to implement and maintain security measures across all devices consistently.

  • Continuous Monitoring - track compliance status in near real time across your device fleet. This enables quick identification of security gaps, streamlines auditing processes, and helps demonstrate compliance to regulators when needed.




Getting started


After ensuring your Jamf Pro instance is upgraded to 11.16 and has SSO in Jamf Account enabled, you'll find the compliance benchmarks under the Compliance page in your sidebar. Creating your first compliance benchmark is remarkably straightforward: 



  • From there, you can select your preferred benchmark template and choose between monitor and enforce modes. Monitor mode helps you understand your current security posture without enforcing changes, while enforce mode automatically implements the selected security controls and continuously ensures they are in place. 

  • Scope the compliance configuration to one of your already existing smart groups.

  • Optionally refine your compliance configuration by excluding rules you do not need or adjusting values (ODVs) to meet your organisation's needs.

  • Review the configuration, save and deploy it to your devices.


For detailed setup instructions and best practices, visit our documentation portal for more details.




Considerations



  • SSO in Jamf Account is required for compliance benchmarks to show and work correctly. Please see this blog post for comprehensive information and a guide.

  • While we're starting with macOS support, we've designed this feature with expansion in mind. Expanding the support for iOS/iPadOS will come at a later date.

  • The capability is NOT available on on-premise, Premium Cloud Plus, or StateRAMP Jamf Pro environments.

  • You can choose CIS Level 1 or CIS Level 2 templates, the most common benchmarks. Support for more benchmarks from the mSCP project will come at a later date.

  • Compliance benchmarks come with some reporting functionality that will help to get high-level overviews to demonstrate compliance status to stakeholders and auditors. However, audit and endpoint assessment reporting is not available yet. In the meantime, we would like to present a possibility to create an Advanced Computer Search that allows Jamf Pro admins to get a list of non-compliant devices (learn more here).




Upcoming features


We're listening to your feedback and are actively working to make compliance benchmarks even better. We're excited to share some features we're considering and developing, though we want to be transparent that these plans may evolve:


Rule Reporting


Device-level compliance status reporting on each rule provides detailed visibility into individual device compliance states, enabling targeted remediation efforts and simplified compliance management.


Exports 


Sharing of comprehensive compliance status data with stakeholders and auditors, supporting compliance verification and reporting requirements.


Editing 


Post-creation editing of compliance benchmark configurations will enable flexible adjustments to scoping and enforcement modes, ensuring benchmarks can adapt to changing organizational needs.


mSCP Updates 


Streamlining the adoption of new compliance benchmark definitions, particularly during major macOS releases, reducing the administrative overhead of maintaining compliance standards.




Share Your Experience


Your feedback is crucial in shaping the future of compliance benchmarks. We encourage you to share your experiences and suggestions through multiple channels:



  • Join the discussion here on Jamf Nation

  • Reach out to your Jamf Account Representative

  • Submit feature requests through Jamf Support

  • Share your implementation stories and best practices with the community

Any plans to implement any of the other rules such as DISA Stig?


Hi @Jason33 . 


Yes, we are planning to iteratively implement all rules. Specifically NIST 800-53, DISA STIG and CNSSI 1253 later this year. 


Sounds good (I completely missed that sentence above). Are these ever going to be available for all environments?



  • The capability is NOT available on on-premise, Premium Cloud Plus, or StateRAMP Jamf Pro environments.


Any plans for existing rule detection (uploaded via Jamf Compliance Editor)?  😊


Hi @Jordy-Thery .


Currently we do not plan to add any automated rule detection. The recommended approach is to iteratively migrate from rules added manually to rules managed by compliance benchmarks. You can, for example:



  • create a compliance benchmark configuration excluding rules you have added manually.

  • iteratively deactivate your rules and enable them in your compliance benchmarks configuration.


We think this approach adds minimal risk to your operation even though it is manual. Would this work for you?


Thanks, Tomas!


Sounds good (I completely missed that sentence above). Are these ever going to be available for all environments?



  • The capability is NOT available on on-premise, Premium Cloud Plus, or StateRAMP Jamf Pro environments.


We have no current plan to extend these features to these environments. 


Jamf Cloud’s architecture allows us to be more agile in delivering new features and updates to customers, enabling faster, more iterative rollouts, including those powered by Apple’s Declarative Device Management. We are continuously evaluating the needs of our customers and exploring ways to provide services that meet the security requirements of high-compliance environments for customers in cloud environments. We appreciate your understanding as we continue to improve and expand our solutions.


Thanks, Tomas!


Hi @Jordy-Thery


Another thing that might help is creating a benchmark that includes all rules in monitor only mode. This will give you a continuous overview of the compliance status while not pushing any configuration. You can then observe the effect of any changes you make, taking the approach Tomas suggested (have another benchmark in enforce mode where you gradually add rules - these two benchmarks can live next to each other with no issues).


Looking forward to hearing about your experience with the new capability!


How do Compliance Benchmarks in Jamf Pro compare to what is in Jamf Protect? 


Excellent question @bfrench!


Jamf Protect offers monitoring of compliance status against the CIS benchmarks. Jamf Pro offers the same (in monitor only mode with the CIS Level 1 or 2 benchmark), where the compliance results are evaluated using a script executed by a policy and recorded into an extension attribute. On top of that, compliance benchmarks in Jamf Pro offer direct control of the rules - enforcement via configuration profiles and scripts. This makes both configuration and monitoring easier as they happen in the same place.


Happy to hear more about how you use the compliance report in Jamf Protect and what you would like to see in Jamf Pro compliance section.


Does this Jamf endpoint share the compliance status evaluated by compliance benchmarks?
https://yourServer.jamfcloud.com/api/v1/conditional-access/device-compliance-information/mobile/{deviceId}
Do we have any endpoints which send the compliance status of all devices at once?
Will Jamf create a smart group on its own and put compliant devices in that group?


I'm loving the compliance but we NEED MORE.


The biggest issue I see right now is that when you look at each rule configured and see the failures, there is no direct link to see the actual profile being used that is failing.


For example:

CIS Lvl2 for Sequoia: I see a failure for rule 2.11.2 Enforce Session lock after screen saver started. The rule is configured, but I can't find out which profile is being used so I can find it on the actual Mac and reassess the failure to make it a success.


Hope this made sense.


Thank you for this feature, it's really great and our organization really needed it.

There are just two things missing to make it perfect:

- a way to create reports (and you have planned for it, I am looking forward to it)

- an overall compliance percentage covering all the rules. Often the managers only want to know that. If this percentage could be visible directly on the rule without having to open it, that would be even better.

Thank you for your work, keep it up!
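The mechanism described in the Jamf Protect comparison above (a script evaluating mSCP rules and writing the result into an extension attribute) and the overall compliance percentage requested in the last comment, as an added Python example that is not Jamf's or mSCP's own code: it reads an mSCP-style audit plist and produces an extension attribute value with a fleet-reportable percentage. The plist layout (rule ID mapping to a dict with a boolean `finding` and an optional `exempt`) and its path are assumptions, and the sample plist is constructed inline.

```python
"""Turn an mSCP-style audit plist into a Jamf extension attribute value.

Added example, not Jamf's or mSCP's own code. Assumed (not from the thread):
the audit plist written by an mSCP compliance script maps each rule ID to a
dict with a boolean "finding" (True = check failed) and an optional boolean
"exempt"; its usual path is /Library/Preferences/org.<baseline>.audit.plist.
"""
import plistlib
from typing import List, Tuple

# Constructed sample audit result: one passing, one failing, one exempted rule.
SAMPLE_AUDIT_PLIST = plistlib.dumps({
    "os_sudo_timeout_configure": {"finding": False},
    "system_settings_screensaver_ask_for_password_delay_enforce": {"finding": True},
    "audit_auditd_enabled": {"finding": True, "exempt": True,
                             "exempt_reason": "constructed exemption"},
})

def summarize_audit(plist_bytes: bytes) -> Tuple[int, int, List[str]]:
    """Return (evaluated, passed, failing_rule_ids); exempt rules are not counted."""
    evaluated = passed = 0
    failing: List[str] = []
    for rule_id, result in plistlib.loads(plist_bytes).items():
        if not isinstance(result, dict) or "finding" not in result:
            continue  # ignore any non-rule keys
        if result.get("exempt", False):
            continue  # exemptions are documented risk acceptance, not failures
        evaluated += 1
        if result["finding"]:
            failing.append(rule_id)
        else:
            passed += 1
    return evaluated, passed, sorted(failing)

def compliance_percentage(evaluated: int, passed: int) -> float:
    """Share of evaluated rules that passed; no rules evaluated counts as 100%."""
    return 100.0 if evaluated == 0 else round(100.0 * passed / evaluated, 1)

def extension_attribute_result(plist_bytes: bytes) -> str:
    """Build the <result> string Jamf stores; a smart group can key on 'Non-compliant'."""
    evaluated, passed, failing = summarize_audit(plist_bytes)
    pct = compliance_percentage(evaluated, passed)
    if failing:
        return f"<result>Non-compliant {pct}% ({len(failing)} failing): {', '.join(failing)}</result>"
    return f"<result>Compliant {pct}%</result>"

if __name__ == "__main__":
    print(extension_attribute_result(SAMPLE_AUDIT_PLIST))
```

On a real Mac the script would read the plist from disk instead of the constructed bytes, and it needs a managed Python 3 install since macOS no longer ships one.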

