Posted on 01-25-2023 01:01 PM
Hi,
Trying to figure out if I did this correctly. The EAs said it's okay, but the CIS Report says the script failed even though the configuration profile is there.
Is this how you would do the configuration profile? Maybe I got the "string" detail wrong.
Posted on 01-25-2023 01:23 PM
Looks right to me, what is your EA/check? Are you using the macOS Security Compliance project?
As a note, you may want to look into Jamf's Compliance Editor for making a baseline and configs.
Posted on 01-26-2023 05:05 AM
Thanks, I'll give this a read and play with it.
I've been trying Mischa van der Bent's CIS Script for audit, report, and remediation.
Posted on 01-26-2023 07:19 AM
Firewall is a fun one where you can't use Jamf's Custom profile section because that writes it to the com.apple.ManagedClient.preferences domain which the application layer firewall can't read.
You can use Jamf's GUI to build the config profile or make your own, sign it, upload it, deploy it.
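Added example, not part of the thread and not Jamf's or any poster's code: a Python check that reports whether a profile delivers firewall keys as a native `com.apple.security.firewall` payload or wrapped under `com.apple.ManagedClient.preferences`, the case described in the post above. The wrapped layout (`Forced` / `mcx_preference_settings`), the setting keys, the sample profiles, and the XML carving used for signed profiles are assumptions made for illustration.

```python
import plistlib

FIREWALL = "com.apple.security.firewall"      # native firewall payload type
MCX = "com.apple.ManagedClient.preferences"   # wrapper domain named in the thread

def load_profile(data: bytes) -> dict:
    """Parse a .mobileconfig; for a signed one, carve out the embedded XML plist."""
    try:
        return plistlib.loads(data)
    except plistlib.InvalidFileException:
        # Heuristic (assumption): the signed container holds the plist contiguously.
        start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
        if start < 0 or end < 0:
            raise
        return plistlib.loads(data[start:end + len(b"</plist>")])

def firewall_delivery(data: bytes) -> list:
    """Return (delivery, settings) for each place firewall keys appear."""
    found = []
    for p in load_profile(data).get("PayloadContent", []):
        if p.get("PayloadType") == FIREWALL:
            found.append(("native", {k: v for k, v in p.items()
                                     if not k.startswith("Payload")}))
        elif p.get("PayloadType") == MCX:
            # Assumed wrapper layout: domain -> Forced -> mcx_preference_settings
            domain = p.get("PayloadContent", {}).get(FIREWALL, {})
            for entry in domain.get("Forced", []):
                found.append(("mcx-wrapped", entry.get("mcx_preference_settings", {})))
    return found

def sample(payload: dict) -> bytes:
    """Constructed sample profile (placeholder identifiers and UUIDs)."""
    base = {"PayloadVersion": 1, "PayloadIdentifier": "example.placeholder",
            "PayloadUUID": "00000000-0000-0000-0000-000000000000"}
    return plistlib.dumps({**base, "PayloadType": "Configuration",
                           "PayloadContent": [{**base, **payload}]})

SETTINGS = {"EnableFirewall": True, "EnableStealthMode": True}
NATIVE = sample({"PayloadType": FIREWALL, **SETTINGS})
WRAPPED = sample({"PayloadType": MCX, "PayloadContent": {
    FIREWALL: {"Forced": [{"mcx_preference_settings": SETTINGS}]}}})
# Constructed stand-in for a signed profile: plist bytes inside binary framing.
SIGNED = b"\x30\x82\x0b\xb8" + NATIVE + b"\x00\x01\x02"

if __name__ == "__main__":
    for name, blob in [("native", NATIVE), ("wrapped", WRAPPED), ("signed", SIGNED)]:
        print(name, firewall_delivery(blob))
```

A result of `mcx-wrapped` means the keys sit in the managed-preferences wrapper rather than in a firewall payload, which matches a profile that is installed while the compliance check still fails.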
Posted on 01-26-2023 08:11 AM
Forgive me, @boberito, Jamf's GUI? Which method did you choose to use?
Posted on 01-26-2023 11:29 AM
Tried using ProfileCreator. Set the Firewall settings, signed, and uploaded to Jamf.
Jamf says, "This profile is read-only because it is signed."
When I remove the signature, Jamf cannot read the keys. "Unknown Keys: Jamf Pro cannot recognize one or more settings in this payload and display them in the interface."
Posted on 01-26-2023 11:39 AM
Don't worry if Jamf can't display it. It can decrypt the profile. Just deploy it. You know what was set in it.
Posted on 05-19-2023 05:31 AM
When we ran the CIS Scan the Firewall was set correctly. Thank you.