Hacked Jamf Administrator - what did they do after?

duckp
New Contributor

We had a security incident where somebody gained access to one of our Jamf administrator accounts and made unauthorized changes to configuration profiles. How can we see everything done with that account in the last 30 days or something?


jamf-42
Valued Contributor II

Change management logs

duckp
New Contributor

This has what we need. Thanks so much!

AJPinto
Honored Contributor III

As @jamf-42 stated, start with your change management logs. But assuming you have not already, get that password rotated and made far more complicated. If possible, retire that username also, as it's a known variable now.


Ideally:

  • You should only have a single Local Account that is an Administrator with as long and complicated of a password as possible, and vault the password somewhere secure.
  • Anyone with Jamf access (admin or not) should be using SSO with local Jamf groups and MFA set up, or LDAP with LDAP Jamf groups (SSO is better as it supports MFA), and not local Jamf accounts.
  • Any other local accounts should have very limited access to VIEW only what they need such as to view policies or enroll computers (if not using SSO enrollment customizations).
  • If you have API integrations still using Local Accounts, set the longest and most complex passwords possible and they should never have administrative access.

sdagley
Esteemed Contributor II

@AJPinto You might want to clarify your recommendation for SSO with MFA, as that definitely works with Directory Service Groups in addition to Local Groups.

Anyone using the Classic or Jamf API, especially if you're using it from a script running on all managed Macs, should really take the time to look at API Roles and Clients introduced in Jamf Pro 10.49, which provide API-only access tokens so the credentials cannot be used to access a JSS console (see https://developer.jamf.com/jamf-pro/docs/client-credentials for more details).
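
The client-credentials exchange sdagley points to, as an added example that is not from the thread or from Jamf: the request shape follows the linked Jamf developer documentation, while the base URL, client id, secret and the sample token reply (including the `api-role:1` scope string) are constructed for illustration. The point is that a script only ever holds a short-lived API token scoped to an API Role, never a console login.

```python
"""Request a Jamf Pro API client-credentials token and check it before use.
Endpoint and form fields follow developer.jamf.com/jamf-pro/docs/client-credentials;
URLs, ids, secrets and the sample reply below are constructed, not real."""
import json
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/api/oauth/token"


def build_token_request(base_url, client_id, client_secret):
    """Build POST /api/oauth/token with the form-encoded client credentials."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "grant_type": "client_credentials",
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw, now=None):
    """Turn the JSON token reply into a dict with an absolute expiry time.
    `scope` is the space-separated list of API Roles granted to the client."""
    data = json.loads(raw)
    now = time.time() if now is None else now
    return {
        "token": data["access_token"],
        "type": data.get("token_type", "Bearer"),
        "expires_at": now + int(data["expires_in"]),
        "scopes": set(data.get("scope", "").split()),
    }


def token_is_usable(info, now=None, leeway=30):
    """False once the token is within `leeway` seconds of expiring, so a
    long-running script re-requests instead of sending a dead token."""
    now = time.time() if now is None else now
    return info["expires_at"] - now > leeway


def get_token(base_url, client_id, client_secret, opener=urllib.request.urlopen):
    """Fetch and parse a token; `opener` can be swapped to test offline."""
    req = build_token_request(base_url, client_id, client_secret)
    with opener(req) as resp:  # send as: Authorization: Bearer <token>
        return parse_token_response(resp.read())
```

Because the token carries only the API Role's permissions, a compromised script credential cannot be replayed against the JSS console the way a local admin account can.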

AJPinto
Honored Contributor III

It's been so long since I needed to use LDAP that I forgot the options were added depending on how you configure things. Thanks for pointing out my error.