We have an upcoming Cyber Essentials audit and are currently in the process of going through devices on all platforms, with me looking after the Apple side.
Our Apple devices are bound to AD but are currently OnPrem with Jamf.
I wanted to reach out and hear how other admins have gone about providing access for such scans and reports, seeing as Macs are unreachable unless they have a user physically logged in. It seems to me that whatever credentials I provide will not be able to remotely access the devices. The other platforms are also managed by the same AD.
To clarify what I am unsure about here: if I provide the Jamf management account credentials (an account which already exists on all managed macOS devices) so that I do not have to issue an additional account just for scanning and then manually FileVault-enable that account on each device (as you can't do it via policy anymore), my understanding is that they will still only be able to SSH onto the device once a user has physically unlocked the disk. In which case they will need a few weeks just to cover when all users eventually log onto an Apple computer and external ones reconnect via VPN.
We use a sample of devices; I think it is a percentage of the total. They only need to access those. For us the scans are done by a Nessus server we set up. On the day, the inspectors then want access to one or two Macs to test their handling of viruses and other files; they have some benign ones on a server and try to fetch them, and I create a local standard user account for them for this. For the scans, the server requires access to an administrator account to complete its task. Not a problem for us, as that server is in house and we have control of it.
Thanks for your insight Paul.
I am aware that there will be a set number of devices for the other tests and they don't seem as problematic. Like you, I will just set up a local account for them to use on those devices, or likely an AD account for that purpose that they can log in with locally.
For the remote scans, I shared the management account details with our security team to test via Nessus, and what we found was that the account was UNABLE to SSH onto a device that was asleep with a logged-in user (on the lock screen) UNTIL I added that account to the Remote Login access list in Sys Prefs.
I was surprised by this, as I would have thought that was the default, so now I need to run a policy/script that ensures this is the case for all managed devices on the network.
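One way to do the "policy/script" step above, as an added example that is not from any poster in this thread: a Jamf policy script that turns on Remote Login and adds a single account to the `com.apple.access_ssh` group, which is the list behind the Sharing pane's "Only these users" setting. It assumes the account name arrives as Jamf script parameter `$4` (the `jamfmgmt` fallback is a placeholder), that the policy runs as root, and that the access group already exists on the Mac, as it did for the poster; it does not create the group, because doing so would restrict SSH to that list on Macs currently set to "All users".

```shell
#!/bin/sh
# Added example (not from the thread): grant one account Remote Login (SSH)
# access on a managed Mac. Jamf passes the account name as parameter $4;
# "jamfmgmt" is a placeholder, not a real account from the thread.
ACCOUNT="${4:-jamfmgmt}"
SSH_GROUP="com.apple.access_ssh"   # members of this group may use Remote Login

# Normalise `systemsetup -getremotelogin` output ("Remote Login: On") to on/off.
parse_remotelogin_state() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *"remote login: on"*)  echo on ;;
        *"remote login: off"*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# Exit 0 if the account is already a member of the SSH access group.
has_ssh_access() {
    /usr/sbin/dseditgroup -o checkmember -m "$1" "$SSH_GROUP" >/dev/null 2>&1
}

ensure_ssh_access() {
    user="$1"
    if ! /usr/bin/id "$user" >/dev/null 2>&1; then
        echo "Account '$user' does not exist on this Mac; nothing to do." >&2
        return 1
    fi
    # Turn the SSH service on only if it is currently off (idempotent).
    state="$(parse_remotelogin_state "$(/usr/sbin/systemsetup -getremotelogin 2>/dev/null)")"
    [ "$state" = "on" ] || /usr/sbin/systemsetup -setremotelogin on
    # Leave Macs alone where the access list was never created: on those,
    # Remote Login is not restricted to a list and creating one would lock others out.
    if ! /usr/sbin/dseditgroup -o read "$SSH_GROUP" >/dev/null 2>&1; then
        echo "$SSH_GROUP not present; check the Sharing pane on this Mac." >&2
        return 1
    fi
    if has_ssh_access "$user"; then
        echo "'$user' already has Remote Login access."
    else
        /usr/sbin/dseditgroup -o edit -a "$user" -t user "$SSH_GROUP"
        echo "Granted Remote Login access to '$user'."
    fi
}

# The tools above exist only on macOS; do nothing elsewhere.
[ "$(uname)" = "Darwin" ] && ensure_ssh_access "$ACCOUNT"
```

Granting the account SSH access does not change the FileVault point made earlier in the thread: the Mac still has to have its disk unlocked by a user before sshd is reachable.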