Configuration Profile Security

jesseshipley
Contributor

This may be a simple question that I'm just missing the answer for. I'm about to switch how we give access to our network so it is done by configuration profiles. In the interest of not needing to change the password every time an admin leaves the company, I had our CEO generate a 50-character PSK for the network and create the config profile for me. He is the only person with access to it.

My problem is any JAMF admin can just log in, download the profile, and install it on any device they want. Is it possible to restrict downloading the profile from the JSS? Or preferably make it so the profile can only be installed on a managed machine? Input would be greatly appreciated.

9 REPLIES

bentoms
Release Candidate Programs Tester

@jesseshipley, the profile should be encrypted on download, so it will be pretty unreadable.

davidacland
Honored Contributor II

The create/read/update/delete privileges can be set specifically for OS X Configuration Profiles if you wanted to restrict access to them.

Other than that, it sounds like it will come down to making sure only the right people have access to the JSS.

The actual profile contents are fairly safe though, as @bentoms mentioned.

jesseshipley
Contributor

@bentoms my concern though is the ability to copy that file around. It installs on any machine. So even though they can't see the password it still gives them access to the network.

@davidacland I'd looked at the permissions there but sadly there isn't one for restricting download and I can't restrict read.

bentoms
Release Candidate Programs Tester

@jesseshipley, so the issue is another admin logging into the JSS, downloading the profile & manually installing it on a Mac that's not to have it?

davidacland
Honored Contributor II

You could look at deploying that particular profile a different way. Just thinking out loud really, but some kind of authenticated curl or scp to get the file from a secure location, followed by an install with the profiles command.

Pretty convoluted but could get around the problem.

CasperSally
Valued Contributor II

If you want something more secure than keys, start looking into 802.1x. Our setup requires our cert (which can be copied to another machine), but it's useless without AD domain membership.
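The PSK-versus-802.1X distinction raised in this thread can be checked per profile. The following is an added example, not part of any post here and not Jamf code: it reads an unsigned `.mobileconfig` and reports which Wi-Fi payloads carry a shared key that works on any machine holding the file. The sample profile, its SSIDs and the function name are constructed for illustration; a signed profile would have to be unwrapped before parsing.

```python
import plistlib

WIFI_TYPE = "com.apple.wifi.managed"  # Apple's Wi-Fi payload type

def audit_wifi_payloads(profile_bytes):
    """Classify each Wi-Fi payload in an unsigned profile; never returns the secret."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != WIFI_TYPE:
            continue  # certificates, VPN, etc. are out of scope here
        if "EAPClientConfiguration" in payload:
            kind = "802.1X"   # access depends on a per-device or per-user credential
        elif payload.get("Password"):
            kind = "PSK"      # one shared key embedded in the profile itself
        else:
            kind = "open"
        findings.append({
            "ssid": payload.get("SSID_STR", ""),
            "encryption": payload.get("EncryptionType", "None"),
            "kind": kind,
            # A PSK payload is a bearer secret: whoever holds the file can join.
            "portable_secret": kind == "PSK",
        })
    return findings

# Constructed sample profile (all values are placeholders).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Example Wi-Fi",
    "PayloadContent": [
        {"PayloadType": WIFI_TYPE, "SSID_STR": "Corp-PSK",
         "EncryptionType": "WPA", "Password": "PLACEHOLDER-PSK"},
        {"PayloadType": WIFI_TYPE, "SSID_STR": "Corp-1X",
         "EncryptionType": "WPA",
         "EAPClientConfiguration": {"AcceptEAPTypes": [13]}},  # 13 = EAP-TLS
        {"PayloadType": "com.apple.security.pkcs12"},
    ],
})

if __name__ == "__main__":
    for f in audit_wifi_payloads(SAMPLE_PROFILE):
        flag = "file alone grants access" if f["portable_secret"] else "needs more than the file"
        print(f"{f['ssid']}: {f['kind']} ({f['encryption']}) -> {flag}")
```
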

jesseshipley
Contributor

@davidacland I like the idea but distribution isn't really the problem. Everything is pushed by the JSS properly. I just don't want any admins to be able to log in and grab a copy. Also it looks like you can just copy /private/var/db/ConfigurationProfiles from any managed machine to another and you get access to wifi networks, which means anyone with admin rights on their machine can get any other machine on the network...

davidacland
Honored Contributor II

Good point. I'd definitely vote for the suggestion made by @CasperSally.

If that's not really possible you could go for some simple additions like MAC address filtering on the WiFi network. You'll have all the addresses in the JSS so would be easy to do. Not massively secure but would at least improve things a bit. Of course 802.1x is the real answer.

Does your wireless network have any other capabilities you could take advantage of?

jesseshipley
Contributor

We are currently secured with 802.1X actually and want to move away from it. Its reliability is a real issue. It is also really confusing for users to deal with the fact that they can be connected to a network and yet still not be authenticated (OS X shows the connection as green in Network settings.)