Jamf Nation Community

A few I looked at did appear to have Jamf Protect installed, but others did not even though it says completed. 

Thanks @AntMac  I am going to set some time aside this afternoon to look at this.  I am VERY new to JAMF and Mac in general, so I will probably need to spend most of the time googling how to do what you are suggesting, but I will look into it. 

Ok, yes thank you. I originally did the Cloud services connection and registered the tenant. I am going through the manually creating the extensions but I am not seeing the states. 

Ok, great. The main extension you would want would be the  application protect status one. jamfprotect/jamf_protect_application_status.sh at main · jamf/jamfprotect (github.com)

The states will populate on the next inventory cycle the workstation runs. Your only other way to get the state information would be to run terminal commands on the machine. For future, the terminal command line to get the state is sudo protectctl info. Rather than trying to walk your users through the terminal commands you could try this potential alternative option to force an inventory cycle. This assumes that the JAMF Pro Binary is healthy.  

Create a new policy, set an update inventory maintenance task, make it available in self service for users to run. This will enable you to get the inventory information updated to troubleshoot as a once off.

As a side thought as well, for ongoing maintenance it would be worth configuring a policy to inventory update with a recurring check in to execute once every week. This will give you regular updates for your inventory.     

Thanks! I am now seeing them all show up in Protect, I believe the issue was we had the original scope set to all computers and all users, I changed it to the smart group of all managed computers and Voila! they started showing up. 

Now to go through the insights. Is there any documentation that maps the insights to policies you can make in JAMF pro? 

Glad to hear things are now working for you. 

CIS compliance/insight is pretty curly one. Here be dragons as they say. From personal experience I would say have a good look at what insights you want to comply with and what things it breaks for your environment. Also test, test and re test on a non production machine before trying to roll this out. Some of these settings once set are a beast to reverse. :)

My recommendation to you would be if you are keen to implement these things and are new to MacOS, JAMF etc to consider paying for a JAMF engineer engagement. This does have a significant cost but it will save you a lot of frustration and heartache. But if you are keen to do this in house see below for a suggested solution.   

There are some things you can remediate with the JAMF inbuilt payloads, others need plists to work. The solution that takes a lot of the ouch out of this process is written by Mischa van der Bent and is published here mvdbent/CIS-Script (github.com)  

I'd suggest have a read through of the read me but in nut shell what this tool does is: 
Generate compliance reports on local workstation
Pull those values into JAMF by use of Extension attributes
Custom configuration profile to set if workstation is to report only or report and remediate failures  
Scripted remediation policy to make devices compliant again

sudo jamf manage and sudo jamf recon 

On the local machine, correct? These are all remote machines so talking an end user through it may be a little difficult but I can try.