Posted on 10-19-2023 12:41 PM
Hi All,
I'm still gaining my footing as a person in the security sector while trying to manage Macs in our environment with Jamf Pro. We have protection software such as CrowdStrike and Rapid 7. I tried searching through the community, but I'm not finding clear examples of what I'm looking for, yet.
Is there a way to prevent administrators of Macs from tampering with software like CrowdStrike and Rapid 7? Specifically, after the programs are installed I want to prevent them from being able to disable it. I thought something like a configuration profile would do the trick, but I'm not quite seeing what I'm looking for as I go through them. I would appreciate someone pointing me in a potential direction to look.
10-19-2023 01:00 PM - edited 10-19-2023 01:01 PM
Every package is different - some harder than others to disable.
Generally, we send lists of Macs not complying with such software and have managers send emails.
If you use something like Intune or Entra they can set up compliance policies and if the Macs are busted, they can't get to company assets.
Basically, that is the best technical way, but it usually takes a combination of the above to get users straight.
Nothing like losing access to emails or getting an email from your boss to stop that behavior...
Posted on 10-25-2023 05:27 AM
Yep, I agree that it's going to take some atypical method involving conditional access either in Intune/Entra or on the Jamf side.
Thanks for your feedback!
Posted on 10-19-2023 01:05 PM
Are the users local administrators on their Macs? Because if they are, you/your org should really consider removing that ability from them. One of the nice things about using Jamf Pro for device management is that it greatly lessens the need for the users to have any admin rights on their Macs to do stuff. A lot can be pushed to their machines from Jamf, especially software installs, which tends to be the biggest reason why someone wants to be admin, or these things can be published to them in Self Service to run on their own.
Because once a user has admin rights, the unfortunate fact is that it's really hard to prevent them from making changes to 3rd party installed software. Apple has the OS itself locked down now for several OS versions, so there's not much to worry about there, but other tools can be fair game.
Of course, CrowdStrike can be configured to use InstallShield, which prevents it from being removed, which can help. I don't know about Rapid 7 and if it has something similar.
Other options could be restricting programs like Terminal and tools like Activity Monitor, so they can't tamper with much.
Posted on 10-25-2023 05:30 AM
Some are administrators, yes. The wheels are already turning to get that removed from them; unfortunately, things like that tend to be akin to pulling teeth with pliers to get everyone on board with the idea.
I'm thinking of tying it to a conditional access or an amalgamation of extension attributes on the Jamf side to restrict device use if not active or turned on.
Thanks for your feedback!
Posted on 10-19-2023 01:08 PM
They are admins, based on the original post...
But I agree with @mm2270 about self service. Some folks need to be admins, but many don't. Self Service can take care of most needs for an average user...
Posted on 10-19-2023 01:12 PM
Yeah, I realized after I posted above that I didn't see the mention of them being admins in the OP. The point still stands though. Once a device is managed, most people don't need admin rights on them for most tasks.
Posted on 10-19-2023 01:36 PM
For those applications specifically you will need to look into the "tamper" options if the vendor allows it. You can also restrict the launching of other common applications. The other super effective option is to enforce penalties for users who disable or remove certain apps that are required. I.e., if you are able to read a plist from CrowdStrike to see if it's working (state), based off that info you can then say, have a restrictive profile dropped onto the machine that restricts the opening of Outlook or other essential apps and maybe cuts network access, making your own on-device compliance that's non-removable as it's a profile. If they remove the software you can create a smart group that reports the violation and send it off to their manager(s). I only bring these to the table as many places that have admin rights currently will push back hard when you start removing it.
Posted on 10-25-2023 05:32 AM
Thanks for your input!
This could be the route that I take. I was thinking about using something related to CA or EA in Jamf to restrict the device use if the programs become inactive.
You're absolutely right on the pushback of removing administrator rights once they were initially given.
Posted on 10-20-2023 05:36 AM
You need to reach out to the respective vendors. If they don't want their products messed with, they need to add anti-tamper options.
I suggest letting the vendors earn their paycheck. However, if you want to try to reinvent the wheel, you can write scripts and extension attributes for JAMF to run which can do a health check on the applications and take action based on the results. Granted, the fastest this could be is every check-in, but it may prove to be a useful stopgap.
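As an added example (not code from the thread, from Jamf or from any vendor), this is the kind of extension-attribute health check the last two replies describe: it classifies an agent as installed, loaded in launchd and running, and prints a Jamf <result> that a smart group can key off. The app path, launchd label and process name are placeholders, and the classifier takes its inputs as arguments so it can be checked offline with constructed data.

```shell
#!/bin/bash
# Added example, not from the thread or any vendor: a Jamf Pro extension
# attribute (EA) that reports an endpoint agent's health. Jamf stores
# whatever the script prints between <result> tags; a smart group keyed on
# that value can then scope a restrictive profile or a report to a manager.
AGENT_APP="/Applications/ExampleAgent.app"   # assumed app bundle path
AGENT_LAUNCHD_LABEL="com.example.agent"      # assumed launchd label
AGENT_PROCESS="example-agentd"               # assumed daemon process name

# Classify the agent from three inputs so the logic runs offline and in tests:
#   $1 = yes|no  whether the app bundle is present
#   $2 = text    output of `launchctl print system/<label>` ('' if not loaded)
#   $3 = text    output of `ps -axo comm=` (one executable per line)
# Prints exactly one of: NotInstalled ServiceUnloaded NotRunning Healthy
agent_state() {
  as_installed="$1"; as_launchd="$2"; as_ps="$3"
  if [ "$as_installed" != "yes" ]; then
    echo "NotInstalled"; return 0
  fi
  if [ -z "$as_launchd" ]; then
    echo "ServiceUnloaded"; return 0
  fi
  # Match the daemon as a whole path component, so example-agentd-helper
  # or a similarly named user process does not count as the agent running.
  if ! printf '%s\n' "$as_ps" | grep -qE "(^|/)${AGENT_PROCESS}\$"; then
    echo "NotRunning"; return 0
  fi
  echo "Healthy"
}

# Gather live inputs on the Mac. Every command is guarded so the EA still
# reports a state instead of failing if a tool is missing or errors.
collect_and_report() {
  cr_installed="no"
  [ -d "$AGENT_APP" ] && cr_installed="yes"
  cr_launchd="$(launchctl print "system/${AGENT_LAUNCHD_LABEL}" 2>/dev/null || true)"
  cr_ps="$(ps -axo comm= 2>/dev/null || true)"
  echo "<result>$(agent_state "$cr_installed" "$cr_launchd" "$cr_ps")</result>"
}

# Constructed sample process list (not real output): only a helper with a
# similar name is present, so the agent must be reported as NotRunning.
SAMPLE_PS='launchd
loginwindow
/Library/Example/example-agentd-helper'
self_check() { agent_state yes "state = running" "$SAMPLE_PS"; }

collect_and_report
```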
Posted on 10-25-2023 05:35 AM
That's a very good point about letting the vendor earn their keep!
I was thinking something along the lines of CA and/or EA to restrict device use if the programs are inactive. Like you said, no point in reinventing the wheel if the vendors have already encountered this scenario.
Posted on 10-20-2023 06:07 AM
We faced a similar dilemma. Our solution (as other companies have tried) is CyberArk. We're slowly onboarding that app, but it should have the ability to control what your users can/can't do even if they're admins. It was brought in for our Windows population, and the Macs are lumped in (we're about 1% of our overall fleet, so sort of an afterthought). But in early testing it does allow me to granularly control what can be done, even from terminal commands. So far, I've got it blocking everyone's favorite - sudo jamf removeFramework - successfully. We also tested BeyondTrust, but found CA to be more robust/better user interface as well. It is not a cheap/quick/easy fix, but if you go that route, you'll get the control you're after.
Posted on 10-20-2023 06:11 AM
We have also onboarded CyberArk EPM for this exact same reason. It is far from the perfect scenario they try to paint, but it is far better than the other tools I had seen.
It's beyond me why EPM cannot have LAN account escalation or PIN escalation of binaries on macOS like they have on Windows. There are some situations where a given user may need to run something, like remove the JAMF framework, and you need to override the block on the console rather than prompting for a PIN or credentials, both of which are options on the Windows side.
Posted on 10-25-2023 05:37 AM
Thanks for that suggestion and feedback. I'll have to look into pricing and see if leadership would be interested in that tool.
The problem is our Mac footprint is very small and it can be difficult to get everything we need to secure them as well.
Posted on 10-20-2023 06:30 AM
Very true - it falls into line with the traditional mantra that Macs are second class citizens when working with corporate apps.
Posted on 11-18-2023 05:19 AM
Securing Macs in a corporate environment is crucial. To prevent administrators from tampering with security software like CrowdStrike and Rapid7 on Macs managed by Jamf Pro, consider using a configuration profile to enforce restrictions. Create a profile using Jamf Pro that limits administrative access, restricts certain system preferences, and prevents users from modifying or disabling specified applications. Additionally, leverage Jamf Pro's management capabilities to regularly audit and ensure the integrity of your security software configurations.
Posted on 02-28-2024 04:38 PM
I think providing a secure environment may depend on administrators discouraging tampering with Mac security software. Configuration profiles may give you some control over settings, but they may not give you the fine-grained control you're looking for. Using Jamf Pro's management features to impose restrictions on specific applications or system configurations is one way worth exploring. To prevent administrators from removing or disabling important security programs, custom configuration profiles or scripts can be written. Personally, I don't always pay attention to this. I can play here now on a slot machine, and in a couple of hours go to play somewhere already on a non-authoritative resource. Therefore, in the light of constant changes, I advise you to pay attention to security and authoritativeness, if it is, for example, gaming.