New to Jamf - Higher Ed Baselines and Starting Policies/Configs?

egnompaln
New Contributor

Hellllooooo! I've recently finished the Jamf Connect onboarding and am in the process of setting up our environment. Can anyone recommend some configurations and policies that make for a good, secure baseline? I am in higher ed and some of our computers will be with faculty and staff, other with classes and labs. If you have any scripts, know of sites, or anything else helpful I would super appreciate it! Thank you

2 REPLIES 2

AJPinto
Honored Contributor III

Unfortunately there is no one size fits all, or even one size fits most. Your organizations needs and goals are unique to your organization. As far as securing things I would start with Configuration Profiles to enable FileVault, and limit user access (restrictions). You may need fundamental environment reworks to properly secure devices. For example MacOS is designed to be deployed 1:1, and you really want FileVault enabled to encrypt the disk. However if you are using shared Macs, enabling FileVault puts a lot of work on the Admin as you need to assign Secure Tokens to new users as they log in (manually or with a script). If the device is secured within a lab you may not want to enable FileVault. Policies would install applications and configure things with scripts, I would do Policies after having the Configuration Profiles in place.

 

 

A good goal to use would be the NIST Benchmarks, you can start with CIS L1 but many orgs use CIS L2. There are tools you can run to see what your gaps are against the benchmark. JAMFs Compliance editor may be worth looking in to if you are just starting out, it will make many of the configuration profiles for you.

usnistgov/macos_security: macOS Security Compliance Project (github.com)

Establishing Compliance Baselines (jamf.com)

As AJPinto already said there is no one fits all...
I would add some way to enforce or strongly encourage System Updates (we are using Nudge, since the apple given options in MDM are not working as intended).
Also collecting some additional Informations via Extension Attributes can be usefull. Some examples:
- Find My Status
- Last User
- Rosetta2 Installed?
- Last Time Machine Backup


But keep in mind that Extensions Attributes are always collected for your whole fleet.