Jamf Cloud and Enforced MFA

tzeilstra
New Contributor III

We've been using on-prem for years and have occasionally been taking a look at moving to Jamf Cloud hosting for Jamf Pro. There's one item that just has me completely baffled though: Jamf Cloud allows anyone anywhere in the world to sign in to your Jamf Pro instance with only a username/password. Sure, you can set up SSO, but just adding /?failover to the end of the URL bypasses that. Am I correct in understanding that for every customer of Jamf Cloud, there exists a username and password which, if it became compromised, could be used to issue wipe commands to every Mac in the org (and given the potential fallout of data leaks, that'd be a best-case scenario)? That just seems like an overwhelming risk given I can't even sign in to Slack without using MFA, but a system with all the power of Jamf will happily let someone in with just a straight username/password?

The only potential solution I've heard is Jamf Cloud Premium to restrict access to Jamf Pro to specific IP addresses, but an additional $20k/year on top of the existing Jamf Cloud cost seems excessive.

How have others addressed this?


mojo21221
Contributor II

Hosting Jamf in your own cloud and implementing the IP restrictions yourself seems like the best of both worlds.

snowfox
Contributor III

Hello there,

The server admins should be the only ones with failover account access.

There is a password policy that can be set along with the failover accounts to limit the number of failed login attempts before auto-locking the account. If you use a suitably long passphrase (not password), i.e. 25 characters etc., an attacker will never be able to brute force the account before it becomes auto-locked (limit it to 5 login attempts etc.). For normal operations everyone should use the SSO login. The failover is only for server admins to gain access to the server in the event of SSO failure.

jpeters21
Contributor II

We haven't... as stated already, I think most people are using a third-party identity provider with MFA, but that will leave the account of the owner as a local account available via failover. It is going to be on that person to have a secure password and change it regularly. This has been a pretty common feature request, but to my knowledge Jamf has no intention of doing so, and the official response is that you have the ability to use MFA via the way already described.