Posted on 08-09-2024 12:10 PM
We had a security incident where somebody gained access to one of our Jamf administrator accounts and made unauthorized changes to configuration profiles. How can we see everything done with that account in the last 30 days or something?
Posted on 08-09-2024 12:16 PM
Change management logs
Posted on 08-09-2024 01:06 PM
This has what we need. Thanks so much!
Posted on 08-09-2024 01:09 PM
As @jamf-42 stated, start with your change management logs. But assuming you have not already, get that password rotated and made far more complicated. If possible, retire that username also, as it's a known variable now.
Ideally:
Posted on 08-09-2024 01:42 PM
@AJPinto You might want to clarify your recommendation for SSO with MFA, as that definitely works with Directory Service Groups in addition to Local Groups.
Anyone using the Classic or Jamf API, especially if you're using it from a script running on all managed Macs, should really take the time to look at API Roles and clients introduced in Jamf Pro 10.49, which provide API-only access tokens so the credentials cannot be used to access a JSS Console (see https://developer.jamf.com/jamf-pro/docs/client-credentials for more details).
Posted on 08-09-2024 04:05 PM
It's been so long since I needed to use LDAP that I forgot the options were added depending on how you configure things. Thanks for pointing out my error.