Compliance Benchmarks Now Available in Jamf Pro!

Tomas_Lukl1
New Contributor III

Hi Jamf Nation,

we're thrilled to announce that the compliance benchmarks capability in Jamf Pro is now generally available! This release transforms how your organization manages compliance across Apple devices, making compliance validation and enforcement simpler than ever before.


Benefits

At the heart of this new capability is a streamlined approach to security compliance:

  • Quick Setup and Implementation - we've integrated both CIS Level 1 and Level 2 benchmark templates from the macOS Security Compliance Project (mSCP), an open source project, to allow rapid deployment of compliance rules. Using compliance benchmarks, IT teams can quickly create compliance configurations across your organization.
  • Flexible Options - IT teams can assess compliance status in monitoring mode before enforcing changes, allowing them to understand impact and prepare users. This provides a risk-free way to evaluate compliance status without disrupting productivity.
  • Automated Remediation - when devices fall out of compliance, Jamf Pro mechanisms ensure quick return to compliance with minimal IT intervention.
  • Seamless Jamf Pro Integration - devices are automatically categorized as compliant or non-compliant into smart groups, enabling further workflows such as integration with Microsoft Entra and Google BeyondCorp to allow organizations to ensure that only trusted users on compliant devices can access company resources.


Why it matters

  • Regulatory Compliance and Risk Management - meet strict security requirements for handling sensitive data while avoiding penalties and legal issues. Compliance benchmarks provide a clear framework to achieve and maintain regulatory standards across your organization.
  • Simplified Security Implementation - instead of tracking numerous security settings changes across different operating systems, use pre-validated security standards as your guide. This makes it easier to implement and maintain security measures across all devices consistently.
  • Continuous Monitoring - track compliance status in near real time across your device fleet. This enables quick identification of security gaps, streamlines auditing processes, and helps demonstrate compliance to regulators when needed.


Getting started

After ensuring your Jamf Pro instance is upgraded to 11.16 and has SSO in Jamf Account enabled, you'll find compliance benchmarks under the Compliance page in your sidebar. Creating your first compliance benchmark is remarkably straightforward:

  • From there, select your preferred benchmark template and choose between monitor and enforce modes. Monitor mode helps you understand your current security posture without enforcing changes, while enforce mode automatically implements the selected security controls and continuously ensures they remain in place.
  • Scope the compliance configuration to one of your existing smart groups.
  • Optionally refine your compliance configuration by excluding rules you do not need or adjusting organization-defined values (ODVs) to meet your organization's needs.
  • Review the configuration, then save and deploy it to your devices.

For detailed setup instructions and best practices, visit our documentation portal.


Considerations

  • SSO in Jamf Account is required for compliance benchmarks to appear and work correctly. Please see this blog post for a comprehensive guide.
  • While we're starting with macOS support, we've designed this feature with expansion in mind. Expanding the support for iOS/iPadOS will come at a later date.
  • The capability is NOT available on on-premise, Premium Cloud Plus, or StateRAMP Jamf Pro environments.
  • You can choose CIS Level 1 or CIS Level 2 templates, the most common benchmarks. Support for more benchmarks from the mSCP project will come at a later date.
  • Compliance benchmarks come with reporting functionality that provides high-level overviews for demonstrating compliance status to stakeholders and auditors. However, audit and endpoint assessment reporting is not available yet. In the meantime, Jamf Pro admins can create an Advanced Computer Search that lists non-compliant devices (learn more here).
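Until per-rule reporting ships, a common way to feed an Advanced Computer Search or smart group is an Extension Attribute that summarises the audit results on each Mac. The script below is an added example, not code from the post or from Jamf; it assumes the mSCP convention that the compliance script writes /Library/Preferences/org.<baseline>.audit.plist with one dictionary per rule carrying a boolean `finding` (true means the check failed) and an optional `exempt` flag. Whether Jamf Pro's compliance benchmarks populate this same file is an assumption, as is the availability of a Python 3 interpreter on the device; the sample plist, including its rule ids, is constructed for the example.

```python
"""Summarise an mSCP-style audit plist into an Extension Attribute value.

Added example, not part of the Jamf post. Assumes the mSCP audit plist
layout (/Library/Preferences/org.<baseline>.audit.plist: one dict per rule
with a boolean "finding" and optional "exempt"). Whether Jamf Pro's
compliance benchmarks write this file is an assumption.
"""
import plistlib
from pathlib import Path

# Constructed sample in the mSCP audit layout (not captured from a device):
# three rules, one failing, one exempted, plus the top-level timestamp key
# that the mSCP compliance script also records.
SAMPLE_AUDIT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>lastComplianceCheck</key>
  <string>2025-01-01 09:00:00</string>
  <key>os_gatekeeper_enable</key>
  <dict><key>finding</key><false/></dict>
  <key>os_firewall_enable</key>
  <dict><key>finding</key><true/></dict>
  <key>os_sip_enable</key>
  <dict>
    <key>finding</key><true/>
    <key>exempt</key><true/>
    <key>exempt_reason</key><string>lab machine</string>
  </dict>
</dict>
</plist>
"""


def summarize_audit(data: bytes) -> dict:
    """Return sorted lists of passed, failed and exempt rule ids."""
    audit = plistlib.loads(data)
    passed, failed, exempt = [], [], []
    for rule_id, result in audit.items():
        if not isinstance(result, dict):
            continue  # top-level metadata such as lastComplianceCheck, not a rule
        if result.get("exempt", False):
            exempt.append(rule_id)  # exempted rules are reported separately, not as failures
        elif result.get("finding", False):
            failed.append(rule_id)  # finding == True means the check did not pass
        else:
            passed.append(rule_id)
    return {"passed": sorted(passed), "failed": sorted(failed), "exempt": sorted(exempt)}


def ea_value(summary: dict) -> str:
    """Compact EA string: status first so a search can match on the prefix,
    then the failing rule ids so an admin can see what to remediate."""
    if summary["failed"]:
        return "Non-compliant (%d): %s" % (len(summary["failed"]), ",".join(summary["failed"]))
    return "Compliant (%d passed, %d exempt)" % (len(summary["passed"]), len(summary["exempt"]))


def ea_from_file(path) -> str:
    """Read the audit plist from disk; a missing file is reported, not treated as compliant."""
    p = Path(path)
    if not p.exists():
        return "No audit results"
    return ea_value(summarize_audit(p.read_bytes()))


if __name__ == "__main__":
    # On a managed Mac this would point at the real audit plist, e.g.
    # ea_from_file("/Library/Preferences/org.cis_lvl1.audit.plist");
    # here the constructed sample is used so the script runs anywhere.
    print("<result>%s</result>" % ea_value(summarize_audit(SAMPLE_AUDIT_PLIST)))
```

An Advanced Computer Search with the criterion "EA value begins with Non-compliant" then lists exactly the devices with at least one open finding; the explicit "No audit results" value keeps Macs that have never run the check from being counted as compliant.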


Upcoming features

We're listening to your feedback and are actively working to make compliance benchmarks even better. We're excited to share some features we're considering and developing, though we want to be transparent that these plans may evolve:

Rule Reporting

Device-level compliance status reporting on each rule provides detailed visibility into individual device compliance states, enabling targeted remediation efforts and simplified compliance management.

Exports 

Sharing of comprehensive compliance status data with stakeholders and auditors, supporting compliance verification and reporting requirements.

Editing 

Post-creation editing of compliance benchmark configurations will enable flexible adjustments to scoping and enforcement modes, ensuring benchmarks can adapt to changing organizational needs.

mSCP Updates 

Streamlining the adoption of new compliance benchmark definitions, particularly during major macOS releases, reducing the administrative overhead of maintaining compliance standards.


Share Your Experience

Your feedback is crucial in shaping the future of compliance benchmarks. We encourage you to share your experiences and suggestions through multiple channels:

  • Join the discussion here on Jamf Nation
  • Reach out to your Jamf Account Representative
  • Submit feature requests through Jamf Support
  • Share your implementation stories and best practices with the community

Jason33
Contributor III

Any plans to implement any of the other rules such as DISA Stig?

Tomas_Lukl1
New Contributor III

Hi @Jason33.

Yes, we are planning to iteratively implement all rules, specifically NIST 800-53, DISA STIG and CNSSI 1253 later this year.

Sounds good (I completely missed that sentence above). Are these ever going to be available for all environments?

  • The capability is NOT available on on-premise, Premium Cloud Plus, or StateRAMP Jamf Pro environments.

Tomas_Lukl1
New Contributor III

We have no current plan to extend these features to these environments.

Jamf Cloud’s architecture allows us to be more agile in delivering new features and updates to customers, enabling faster, more iterative rollouts, including those powered by Apple’s Declarative Device Management. We are continuously evaluating the needs of our customers and exploring ways to provide services that meet the security requirements of high-compliance environments for customers in cloud environments. We appreciate your understanding as we continue to improve and expand our solutions.

Jordy-Thery
Contributor II

Any plans for existing rule detection (uploaded via Jamf Compliance Editor)?  😊

Hi @Jordy-Thery .

Currently we do not plan to add any automated rule detection. The recommended approach is to iteratively migrate from rules added manually to rules managed by compliance benchmarks. You can e.g.

  • create a compliance benchmark configuration excluding rules you have added manually.
  • iteratively deactivate your rules and enable them in your compliance benchmarks configuration.

We think this approach adds minimal risk to your operation even though it is manual. Would this work for you?

Thanks, Tomas!

Hi @Jordy-Thery

another thing that might help is creating a benchmark that includes all rules in monitor-only mode. This will give you a continuous overview of the compliance status while not pushing any configuration. You can then observe the effect of any changes you make, taking the approach Tomas suggested (have another benchmark in enforce mode where you gradually add rules; these two benchmarks can live next to each other with no issues).

Looking forward to hearing about your experience with the new capability!