Jamf Compliance Editor: Sequioa

exo
New Contributor II

Hey,

What is the recommended way of handling compliance with the upcoming Sequioa release? I have used the Jamf Compliance Editor to create config profiles for Sonoma, which was very convenient, since the JCE let's you upload perfectly name config profiles for Sonoma and its predecessors.

If I am not mistaken, the JCE does not currently support Sequoia, yet. For now, I have set major OS updates to be deferred by 90 days, so I can sort this out.

How do you guys handle this?

When is the JCE likely to be updated?

 

Thank you for your help.

Toby

1 ACCEPTED SOLUTION

AntMac
Contributor II

At its core Compliance Editor relies pretty heavily on MacOS Security Compliance project.
Compliance Editor just has a really user friendly GUI instead of command line only. 

As far as I know, you have 2 options at this point in time.

  1. Use the MacOS Security Compliance project command line version
  2. Modify your JCE Preferences to show all branches (including draft) 

    If you choose to make the modification it will show branches that are still under development as well as released.  Run this with JCE closed:
defaults write com.jamf.complianceeditor showAllBranches -bool true

On open it will show all of the branches with Sequioa towards the bottom of the list. 

 

Side note - I have heard the final version for the CIS benchmarks will probably be an October release. Maybe this is when Sequioa branch will come out of draft branch? But no official word yet. You may want to join the Macadmins slack and join the #jamf-compliance-editor channel as it will likely be posted there first.     

View solution in original post

8 REPLIES 8

AntMac
Contributor II

Sequioa release for MSCP was published a few days ago. Beware some of the benchmarks listed are still marked as draft. 
Release Sequoia Guidance Revision 1.0 · usnistgov/macos_security (github.com)

exo
New Contributor II

Yeah, I saw that. I am using the Compliance Editor GUI. How does that tie in with the release?

AntMac
Contributor II

At its core Compliance Editor relies pretty heavily on MacOS Security Compliance project.
Compliance Editor just has a really user friendly GUI instead of command line only. 

As far as I know, you have 2 options at this point in time.

  1. Use the MacOS Security Compliance project command line version
  2. Modify your JCE Preferences to show all branches (including draft) 

    If you choose to make the modification it will show branches that are still under development as well as released.  Run this with JCE closed:
defaults write com.jamf.complianceeditor showAllBranches -bool true

On open it will show all of the branches with Sequioa towards the bottom of the list. 

 

Side note - I have heard the final version for the CIS benchmarks will probably be an October release. Maybe this is when Sequioa branch will come out of draft branch? But no official word yet. You may want to join the Macadmins slack and join the #jamf-compliance-editor channel as it will likely be posted there first.     

exo
New Contributor II

Brilliant answer. Thank you for your help!

obi-k
Valued Contributor III

Did you hear or see anthing on iOS 18 CIS Benchmark by chance?

AntMac
Contributor II

No sorry I have not. Was mainly keeping an eye out for desktop/laptop side. 

cwaldrip
Valued Contributor

I'm interested in learning more about the compliance project's CLI. Is there a separate binary for that which is different from the JCE I guess? I haven't seen anything about a CLI except for this post.

curtisklope
New Contributor

@exo  - just out of curiosity, how did you create the actual config profile for managing the OS update deferrals while also using the config profiles that JCE auto built?

The OS update deferrals are pretty easily set if you use the UI for Restrictions....  but there's a lot of other settings in there that will also step all over the arcane XML/mobileconfigs that JCE has put in place.  So I'm not really sure where to actually put the settings for the deferral.

What did you do?  Thanks