I'm still gaining my footing as a person in the security sector while trying to manage Macs in our environment with Jamf Pro. We have protection software such as CrowdStrike and Rapid 7. I tried searching through the community, but I'm not finding clear examples of what I'm looking for, yet.
Is there a way to prevent administrators of Macs from tampering with software like CrowdStrike and Rapid 7? Specifically, after the programs are installed I want to prevent them from being able to disable it. I thought something like a configuration profile would do the trick, but I'm not quite seeing what I'm looking for as I go through them. I would appreciate someone pointing me in a potential direction to look.
Every package is different - some harder than others to disable.
Generally, we send lists of Macs not complying with such software and have managers send emails.
If you use something like Intune or Entra they can set up compliance policies and if the Macs are busted, they can't get to company assets.
Basically, that is the best technical way, but it usually takes a combination of the above to get users straight.
Nothing like losing access to emails or getting an email from your boss to stop that behavior...
Are the users local administrators on their Macs? Because if they are, you/your org should really consider removing that ability from them. One of the nice things about using Jamf Pro for device management is that it greatly lessens the need for the users to have any admin rights on their Macs to do stuff. A lot can be pushed to their machines from Jamf, especially software installs, which tends to be the biggest reason why someone wants to be admin, or these things can be published to them in Self Service to run on their own.
Because once a user has admin rights, the unfortunate fact is that it's really hard to prevent them from making changes to 3rd party installed software. Apple has the OS itself locked down now for several OS versions, so there's not much to worry about there, but other tools can be fair game.
Of course, Crowdstrike can be configured to use InstallShield, which prevents it from being removed, which can help. I don't know about Rapid 7 and if it has something similar.
Other options could be restricting programs like Terminal and tools like Activity Monitor, so they can't tamper with much.
Some are administrators, yes. The wheels are already turning to get that removed from them; unfortunately, things like that tend to be akin to pulling teeth with pliers to get everyone on board with the idea.
I'm thinking of tying it to a conditional access or an amalgamation of extension attributes on the Jamf side to restrict device use if not active or turned on.
Thanks for your feedback!
For those applications specifically you will need to look into the "tamper" options if the vendor allows it. You can also restrict the launching of other common applications. The other super effective option is to enforce penalties for users who disable or remove certain apps that are required. I.e., if you are able to read a plist from CrowdStrike to see if it's working (state), based off that info you can then, say, have a restrictive profile dropped onto the machine that restricts the opening of Outlook or other essential apps and maybe cuts network access, making your own on-device compliance that's non-removable as it's a profile. If they remove the software you can create a smart group that reports the violation and send it off to their manager(s). I only bring these to the table as many places that have admin rights currently will push back hard when you start removing it.
Thanks for your input!
This could be the route that I take. I was thinking about using something related to CA or EA in Jamf to restrict the device use if the programs become inactive.
You're absolutely right on the pushback of removing administrator rights once it was initially given.
You need to reach out to the respective vendors. If they don't want their products messed with, they need to add anti-tamper options.
I suggest letting the vendors earn their paycheck. However, if you want to try to reinvent the wheel, you can write scripts and extension attributes for JAMF to run which can do a health check on the applications and take action based on the results. Granted, the fastest this could be is every check-in, but it may prove to be a useful stopgap.
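As an added example (not code from any poster in this thread) of the health-check extension attribute described in the two replies above: it reports "Active" only when the required agents' launchd jobs are actually running, so a smart group keyed on the "Inactive" value can drop the restrictive profile or notify a manager. The launchd labels com.crowdstrike.falcond and com.rapid7.ir_agent are assumptions; confirm them against your own installs before relying on this.

```shell
#!/bin/bash
# Jamf Pro extension attribute (added example): report whether the required
# endpoint agents are actually running, so a smart group can flag tampering.
# Assumed launchd labels (verify against your own installs):
#   CrowdStrike Falcon sensor : com.crowdstrike.falcond
#   Rapid7 Insight Agent      : com.rapid7.ir_agent
REQUIRED_LABELS="com.crowdstrike.falcond com.rapid7.ir_agent"

# agent_state LABEL LAUNCHCTL_OUTPUT
# Parses `launchctl list` output (columns: PID  Status  Label).
# Prints: running | loaded-not-running | missing
agent_state() {
    label="$1"; listing="$2"
    pid=$(printf '%s\n' "$listing" | awk -v l="$label" '$3 == l { print $1 }')
    if [ -z "$pid" ]; then
        echo "missing"                    # job not loaded at all (unloaded/removed)
    elif [ "$pid" = "-" ]; then
        echo "loaded-not-running"         # job loaded but the daemon is not running
    else
        echo "running"
    fi
}

# overall_status LAUNCHCTL_OUTPUT
# Prints "Active" only when every required agent runs; otherwise
# "Inactive: <label>=<state>;..." so the EA value itself names the gap.
overall_status() {
    listing="$1"; bad=""
    for label in $REQUIRED_LABELS; do
        state=$(agent_state "$label" "$listing")
        [ "$state" = "running" ] || bad="${bad}${label}=${state};"
    done
    if [ -z "$bad" ]; then echo "Active"; else echo "Inactive: ${bad}"; fi
}

if [ "$(uname)" = "Darwin" ]; then
    # Real EA run: Jamf executes EAs as root, so system daemons are listed.
    echo "<result>$(overall_status "$(launchctl list 2>/dev/null)")</result>"
else
    # Off-box demo against a constructed listing (Falcon loaded but stopped,
    # Rapid7 job absent) so the script can be exercised without a Mac.
    sample=$(printf 'PID\tStatus\tLabel\n-\t0\tcom.crowdstrike.falcond\n87\t0\tcom.apple.cron\n')
    echo "<result>$(overall_status "$sample")</result>"
fi
```

Because the result is a simple string, the smart group criterion is just "Extension Attribute is not Active"; note that a local admin can still stop a daemon between check-ins, which is the "every check-in" latency the reply mentions.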
That's a very good point about letting the vendor earn their keep!
I was thinking something along the lines of CA and/or EA to restrict device use if the programs are inactive. Like you said, no point in reinventing the wheel if the vendors have already encountered this scenario.
We faced a similar dilemma. Our solution (as other companies have tried) is CyberArk. We're slowly on-boarding that app, but it should have the ability to control what your users can/can't do even if they're admins. It was brought in for our Windows population, and the Macs are lumped in (we're about 1% of our overall fleet, so sort of an afterthought). But in early testing it does allow me to granularly control what can be done, even from terminal commands. So far, I've got it blocking everyone's favorite - sudo jamf removeFramework - successfully. We also tested BeyondTrust, but found CA to be more robust/better user interface as well. It is not a cheap/quick/easy fix but if you go that route, you'll get the control you're after.
We have also onboarded CyberArk EPM for this exact same reason. It is far from the perfect scenario they try to paint, but it is far better than the other tools I had seen.
It's beyond me why EPM cannot have LAN account escalation or PIN escalation of binaries on macOS like they have on Windows. There are some situations where a given user may need to run something, like remove JAMF framework, and you need to override the block on the console rather than prompting for a PIN or credentials, both of which are options on the Windows side.
Thanks for that suggestion and feedback. I'll have to look into pricing and see if leadership would be interested in that tool.
The problem is our Mac footprint is very small and it can be difficult to get everything we need to secure them as well.
Securing Macs in a corporate environment is crucial. To prevent administrators from tampering with security software like CrowdStrike and Rapid7 on Macs managed by Jamf Pro, consider using a configuration profile to enforce restrictions. Create a profile using Jamf Pro that limits administrative access, restricts certain system preferences, and prevents users from modifying or disabling specified applications. Additionally, leverage Jamf Pro's management capabilities to regularly audit and ensure the integrity of your security software configurations.