I have been tasked with bringing our Mac clients to 75% compliance with the CIS Level 1 benchmark for macOS 11. I am currently using the Jamf-provided scripts (https://github.com/gocardless/CIS-for-macOS-BigSur-CP) to automate rollout to our machines. When I run these scripts manually, the scripts more or less run as they should. However, when trying to roll these out via policy in Jamf, I am only getting around 53% compliance. This is set up in Jamf as a single policy containing the 3 scripts, which runs once per user per computer. For those who have used this script, did you run into a similar issue? I am using our in-house vulnerability scanning tool to check compliance.
Just a disclaimer, I am not the Mac admin for our organization, just a guy from security tasked with secure configuration. Hopefully someone here has encountered a similar issue and can help me out
Any help is appreciated.
Did you create extension attributes/smart groups (proper scoping)/policies /configuration profiles to compliment the scripts you're running?
For example, In order to maintain compliance you need to pipe the script results (CIS Benchmark compliance results) into extension attributes, then create smart groups predicated upon a computers extension attribute results, then scope policies/configuration profiles to the smart groups in order to remediate the machines.
Thats just one way to skin this cat.
Are those required to do the actual remediation component of the scripts? From what I understood 2.5_Audit_List_Extension and 2.6_Audit_Count were only used for if you wanted to use smart groups to track non-compliant systems (I skipped this because we are using our vulnerability management tool for this task).
is there some documentation on how to implement these benchmarks? I'm not a programmer by any stretch of the imagination and new to GH and managing Jamf Pro. I need to understand how I get what these GH repos are sharing into Jamf as a policy. I'm only used to the method of turning on the various config profiles, nothing with the scripting I see in GH. Any directional help would be greatly appreciated!
Also these two sessions will help some though a bit older
They're virtually the same presentation from 2020.
On top of that if you are a member or can join the Mac Admins slack (https://www.macadmins.org) you can find help in #macos_security_compliance on the project.
This is a platform agnostic project (meant to be used with any MDM) so it will take a little tweaking to work within Jamf itself.