Posted on 01-22-2015 04:37 PM
Is anyone here using Casper at a DoD or Federal agency? We have Casper (dev only at the moment) at (Navy research lab), but since we are DOD, we have extra security and architecture to add into the Casper mix.
Any use cases or network setup suggestions?
Should we use a Hardware Security Module for the Root CA?
We obviously can't use Casper "out of the box".
So many questions.
Many Thanks!
Posted on 01-23-2015 01:37 AM
In your situation, I would just contact JAMF and give them a list of things you want, and go from there; maybe they have some tips on how to get what you want from Casper. What kind of additional security requirements do you need?
Posted on 01-23-2015 05:26 AM
Apart from what St0rMl0rD said, if you have the option I would suggest going over the details of the security requirements during an encompass visit.
Posted on 01-23-2015 05:35 AM
I've worked with Casper in Federal environments, so I can tell you it is possible, just depends on the particular environment's rules.
As the others said, talking with your JAMF rep is probably the best course of action. Likely anyone else that's done it isn't going to be in a place to just say "we do XYZ" here on a forum.
Also, this mailing list https://lists.apple.com/mailman/listinfo/fed-talk was pretty active a few years back while I was on it. You might want to check it out, it was really helpful sometimes.
Posted on 01-23-2015 06:13 AM
I'm sure you would, but I'd also suggest you set up a test environment and if you have XYZ requirements, test for those on all new versions before installing.
Posted on 01-23-2015 07:25 AM
Your Fed Apple Rep can put you in touch with Apple Engineers specializing in these secure environments. Additionally they are VERY knowledgeable on setting up the Casper suite for these environments. That would be my first call for help. Contact me and I can give you some names.
Posted on 01-24-2015 04:48 AM
I met a guy by the name of Mike at the JNUC this year. I believe he was responsible for managing a small Casper deployment and creating Mac hardening guidelines for some section at DoD. @mm2270 @donmontalvo @adamcodega Do you remember who I'm talking about? He was at the Brit Pub on the first night if that helps jog the memory.
I remember him joking that his hardening guidelines took him longer to write than Apple's release cycle. That must be fun!
Posted on 01-24-2015 07:25 AM
Chris may be thinking of the talk From Firewalls to Great Walls: Securing Mac in the People’s Republic Of China from 2014's JNUC. I found it to be an interesting talk about the novelty of doing business in China, he went over some basic restrictions which are useful and how he sets them via a configuration profile.
You might also like Introducing the Casper Suite to the Secure Enterprise: A Beginner's Guide which shows how Casper Suite was brought into a high security enterprise company.
Great advice here in contacting JAMF and Apple reps who work in your industry.
Posted on 01-24-2015 08:43 AM
@Chris_Hafner that was the Mike I came in with -- @Mhomar
I was thinking to ping him to check in here, all the Fed folk should be in touch.
Posted on 01-24-2015 09:21 AM
@dpertschi Yep, Damn I forgot you two came in together. I'm assuming that he's @Mhomar here? If so, hey Mike!
@adamcodega That did sound like an interesting discussion but I get to be far less security minded than a lot of the rest of you so I skipped it ;-)
Posted on 01-26-2015 12:16 PM
I just left the federal space and have rolled out and run the JSS across 3 different agencies for the past 5 years. If you have any questions, I would contact your JAMF rep. Also the Apple Federal reps should be able to point you in the right direction. I could also answer 1 or two questions if need be.
Posted on 01-29-2015 07:52 AM
@brianfox76 Hi, nice to virtually meet you. Hello everyone else. I work at a DOD contracting firm and do have quite the security requirements for both the JSS installation and the clients. As others have said, I am not able to get into specifics about the hoops I jumped thru (publicly or privately) to get the environment secured enough to pass our internal requirements (as much as I would like to help you). As well, I'm sure there are different security requirement levels that I have not been exposed to. JAMF Engineering was able to work with me to understand the requirements I had and to give me direction on how to set the JSS up successfully to meet those requirements.
Posted on 01-29-2015 11:20 AM
Thanks, y'all! @Mhomar - Nice to virtually meet you as well! We are working with JAMF Engineering, but they don't seem to have some of the answers when it comes to DoD space. I am running into firewall exceptions, vulnerability testing, STIGs, DMZ, etc... and I am a one-man show. I will keep plowing forward and hope to get somewhere soon!
Thanks!
Posted on 01-29-2015 12:23 PM
Hi Brian, I might add that there were several items in the infrastructure that I ultimately had to give up, things to do with the firewall and DMZ.
Posted on 01-29-2015 01:06 PM
The DMZ portion is on the back-burner, but the firewall exception is a must-have so that I can talk to the APNs.
@Mhomar - email here: bfox@spawar.navy.mil
Posted on 02-03-2015 03:25 PM
Hit me off-board. I set up and managed Casper in a classified FFRDC and managed about 2k Macs with it for 5 years. A lot of it is up to your local security folks and CONOPS they want to run with. @ctangora has my old gig. He can likely help too.