CIS level one compliance for Ventura

New Contributor II

Have you encountered any challenges in achieving CIS level one compliance for Ventura on your MacBook devices, even after pushing all configuration profiles using the JAMF Compliance Editor for Mac Ventura OS and scoping all your MAC machines to these profiles? Specifically, some of the non-compliant points include

* Install.Log Retained For 365 Or More Days

* Reasonable Security Audit Log Retention

* Sudo Timeout Reduced

* Filename Extensions Turned On

* Apple Provided Software Is Current

* Wake For Network Access And Power Nap Disabled

is there any way we can cover the above setting via script?



Valued Contributor II

If you are using Jamf Compliance Editor, the script created for the audit also has the remediation steps in the script. Did you setup a policy to run the script in remediation mode (--fix) and assign it to a smart group that includes any computer with the number of findings greater than zero. 

New Contributor II


Jamf is sadly falling further behind the competition and Jamf Protect and Jamf Compliance Editor are particularly poor areas.

For Jamf Protect it has numerous bugs affecting deployment, as just some examples -

  1. The 'retry' button in Jamf Pro for retrying installation of a broken Jamf Protect does not work ever
  2. The most common broken state is that the is installed but protectctl is not, if you simply re-run the installer on a Mac in this state (likely what the 'retry' button supposedly does) the installer does nothing because it see the as already being present
  3. It is impossible to sort or filter by device name in Jamf Pro under the Jamf Protect app page when trying to find which devices are not listed in Jamf Protect

Jamf Protect has supposedly built-in lists of CIS Level 1 and CIS Level 2 controls for reporting compliance. However the names do not match the more official names e.g. they do not list the CIS control numbers, even worse, the number of entries in Jamf Protect is far smaller than the list in Jamf Compliance Editor suggesting a vast number are missing and will not be reported on.

Jamf Compliance Editor on the surface looks better, it lists the CIS controls with better names although as mentioned not matched by Jamf Protect, it lists more of them giving more confidence it is complete, it is structured so that it copes with generating settings for different versions of macOS and it has a mechanism for exempting reporting some controls for a subset of Macs.

Unfortunately it has a huge flaw. Whilst its own reporting in the form of Jamf Pro Extension attributes can indeed allow for exemptions, it does not seem to have a mechanism to actually exempt enforcement. As the remediation measures generated by Jamf Compliance Editor are either multi-control profiles or a monolithic script and the names of the profiles and scripts its generates are fixed it is effectively impossible to use Jamf Compliance Editor to generate even two sets for two groups of devices as the names will be the same and one would overwrite the other. Since the generated Jamf Profiles cover multiple CIS controls it is effectively impossible to scope things in Jamf to exempt a Mac from a single specific control.

As a result as far as I can see one would have to generate and upload a single set covering all or most controls and then in Jamf Pro clone them, edit them, edit the scripts, define new groups etc. etc. and almost have to do it all by hand again making Jamf Compliance Editor almost useless.

An alternative approach might be to equally tediously only use Jamf Compliance Editor to generate a single control at a time and still have to make multiple copies of the scripts with different names but at least then be able to have smaller profiles to deal with and be able to do different computer groups for scoping.

Despite what you may think the impression given is that whoever wrote Jamf Compliance Editor and whoever wrote Jamf Protect have never seen the other tool. It is also the impression that Jamf Protect has had little or no enhancements for years. Arguably other than fixing bugs, a logical progression would have been to add the option in Jamf Protect to report against additional different frameworks e.g. NIST which Jamf Compliance Editor does support!

Jamf sadly seem to forget what software tools like this are supposed to do.

1. Do reporting (mainly done via Jamf Protect)

2. Do enforcement (mainly done via Jamf Compliance Editor)

3. But what they forget is that such tools are supposed to also save customers time and effort and maker it easier for them to do their jobs.

This is what increasingly newer MDM competitors to Jamf are offering and starting to significantly eat in to Jamf's marketshare.

I still regard Jamf as having by far the most powerful set of tools but having implemented Jamf tools at many companies I am increasingly getting fed up having to manually do the same things each time that most organisations need and which therefore Jamf should be providing standard, automated approaches for.

PS. Jamf is also increasingly failing to support new MDM functions for many, many months after a new macOS is released and therefore breaking their long held claim to be ready on day one of a new macOS release. Once more their newer more agile competitors are beating Jamf in this area.