Disclaimer: This blog is not intended to be advice on how to manage your environment. As the name suggests, these accounts are based on experiences I’ve had in my own lab. Always approach information you find outside (or inside for that matter) official documentation with skepticism and follow the golden rule: Never test in production.
So you finally convinced upper management that Macs need a security platform, but you’re not sure where to start. Maybe you already owned Jamf Protect as part of your Jamf Cloud subscription and haven’t gotten around to using it yet. More commonly, you’ve been using Jamf Protect for a while, but a recent security audit came up with something unexpected and now you have to tighten things up. In any case, this post will walk through a simple workflow to demonstrate a variety of ways to mitigate risk, communicate with users, and automate remediations for Analytics.
First, we need to define a few things that often confuse administrators within the product, but if you’re comfortable with how Jamf Protect works you can skip to Automating Remediation of Analytics with Jamf Pro.
Insights are built-in reports based on CIS Benchmarks recommended by Jamf’s MacOS Security Checklist the solutions for which can often be found on the official CIS website. While these are all good suggestions, it’s always important to note they are just that… suggestions. It is ultimately up to your organization to weigh the risks and impact such configurations will have within your environment and determine their value benefit. Some benchmarks will be simple, low hanging fruit with minimal disruption like disabling Root login; while others may provoke your users to take up torches and pitchforks like 15 character minimum passwords or 5 minute inactivity lock screens.
On the other hand, some benchmarks may be completely irrelevant due to the very nature of a solution you’re already using. For example, you wouldn’t necessarily need to impose password age limits or complexity requirements on the device itself if they are being managed by your Identity Provider and synced with Jamf Connect. Sure, you could still deploy such a requirement, but you likely wouldn’t want your local account passwords to expire in 30 days if your synced network credentials only require password changes every 45 or 90 days. The bottom line is, take your time reviewing these benchmarks and discuss them with the appropriate stakeholders within your organization and disable the Insights you don’t want or need. Just be sure to document the decision and the reasons the risk is acceptable. You’ll need them whenever you undergo a security audit.
Analytics are the beating heart of Jamf Protect and a powerful tool in automating our response and investigation into an incident. There are a fair number of moving parts to understand when creating your own Analytic which I will not be covering here but you can get a good description of them in Jamf’s documentation. For this post, the only thing we need to understand is an Analytic is a rule to detect, collect data, and alert on threats or behaviors so we can investigate, plan, and execute steps towards protecting against them. By themselves, they DO NOT block, prevent, or remediate the potential threat. This is the greatest misconception and disappointment my customers face when diving into Jamf Protect for the first time. Unlike Threat Prevention Lists — which use signatures like Team IDs, Hashes, and Signing IDs to actively stop an identified threat — Analytics require integration into Jamf Pro and/or a SIEM to do anything beyond the built-in Alert and data collection functionality.
Like most EDR solutions, in Jamf Protect we have to invest the effort in building and maintaining the workflows which drive the functionality we need. With that said, this is not a shortcoming of the product, but it’s greatest feature. What Jamf has always done well is take the closed Apple ecosystem and find deceptively simple ways to expand on it within Apple’s management framework. As opposed to products like Intune or Workspace One, Jamf really doesn’t do the work for you and expects you to take the tools available and mold them to fit your needs. Personally, if I had a dollar every time I cursed at my Intune portal for its seemingly arbitrary limitations in an effort to simplify the platform; I could retire early. Trust me on this one… the fact that Jamf gives you a blank canvas to work with by default is a blessing in many… many ways.
This is another one function that really confuses people. Actions are used to control collection of data, its verbosity, and where it is sent. Contrary to the name, Actions do not block, prevent, or remediate threats either but they do help you filter out the noise so that you only get the relevant information you want from an event to send off wherever it needs to go such as a SIEM.
As I mentioned in the Analytics section, Threat Prevention Lists are what Jamf Protect uses to actively detect, block, and prevent known files, applications, and processes from running and quarantines them for future collection and forensic analysis. The built-in lists are curated by Jamf, but you can create your own in the event you discover a zero-day threat or wish to block a less reputable, but otherwise legit developer using Team IDs, Hashes, and Signing IDs of files.
Finally, we bring it all together with Plans. Plans are the actual Configuration Profiles which assign all the above sections to our devices. They can be deployed directly with Jamf Pro or you can download the .mobileconfig file to install via other means if you want to. Do note that the Default plan is set to Report Only for Threat Prevention out of the box. You should create a new one once you’ve got everything else in order and enable blocking to deploy in your environment.
Automating Remediation of Analytics with Jamf Pro
If you’ve read all the above, congratulations! You’ve made it to the fun part. If you skipped ahead and Jamf Protect is new to you; I highly recommend you go back and make sure you have a solid understanding of what to expect within the product.
In either case, let me preface this section by saying the example workflow below is an extreme and unnecessarily complex response to a specific Analytic that I chose purely because it doesn’t require any actual malware or questionable behavior to trigger for testing. The automations themselves are an over-reaction and require more steps than necessary to demonstrate multiple potential methods for remediation you can use for all sorts of things.
In this lab we will create smart groups in Jamf Pro with Jamf Protect for an Analytic to notify the user and isolate the offending computer from the network while maintaining management capabilities with Jamf Pro and the Apple Push Notification Service. We will also remediate the analytic by prompting the user and opening Self Service for them to execute the necessary policy (you could obviously just do it automatically, but what fun would that be?). Lastly, once the remediation is complete, we will automatically restore network connectivity and reset our smart groups and inventory. Let’s begin.
WARNING: Do not deploy this example to production as it may result in what I love to call a “resume generating event” if deployed at scale by breaking the computer’s internet connection. Proceed at your own risk!
NOTE: This post assumes you’ve already completed the Jamf Protect Integration with Jamf Pro. If you have not done that, please visit the documentation and complete the setup before starting this lab.
1) Add the Jamf Protect – Smart Groups Extension Attribute Template to Jamf Pro
2) Edit the Analytic to Add to Jamf Pro Smart Group
In this example, I’ve chosen PlistDisguisedAsGoogle. This Analytic is a simple Launch Agent or Daemon with the com.google prefix, but does not run software signed by Google. Click on Edit Analytic and check the Add to Jamf Pro Smart Group checkbox. Whatever you enter in the Identifier field will be used to create a directory in /Library/Application Support/ JamfProtect/groups for the Jamf Protect – Smart Groups extension attribute to collect in Jamf Pro’s inventory.
You can’t technically add more than one smart group per Analytic, but you can include multiple words to use as “like” or regex criteria in your smart groups. Just make sure you don’t accidentally collect more than what you’re looking for by using the same words for different policies. Since I’m going to trigger two different policies from this one, I’ll enter “isolate fakeGooglePlist”.
I’ve chosen isolate as a generic term which I can use for multiple workflows anytime I want to ‘isolate’ the device from the network without cutting off the ability to manage it with Jamf Pro or APNS.
Since fakeGooglePlist is very specific to this analytic I can perform a more surgical remediation to perform the actions needed.
3) Create the Smart Groups to look for these values in the Jamf Protect – Smart Groups extension attribute.
4) Package and deploy your User Notification tool of choice to be executed later.
The scripts provided by Jamf to isolate the computer from the network include commands for IBM Notifier installed in /Library/Application Support/IRSupport, but can be adapted to use JamfHelper, DEPNotify, or any other tool you prefer from any directory. The important thing is that it’s there when you need it.
5) Customize and upload your remediation scripts and Extension Attributes to Jamf Pro
Jamf has an official SOAR Playbook with documentation on their GitHub with the necessary Isolation, Revert, and Extension Attribute scripts. However, while building out this lab I had to correct a couple errors in the syntax and made my own customizations. You can find my versions of these scripts on the NverseLab GitHub
NOTE: While these scripts may be provided by Jamf, they are presented as-is and are not officially supported.
6) Create Policy 1 of 4 to isolate the computer from the Network
When Jamf Protect detects an Analytic, it always triggers an inventory update and a custom policy event aptly named ‘protect’ which we can use in Jamf Pro to kick off our remediations for any scoped devices in our smart group. Make sure you make the Execution Frequency ‘Ongoing’ so that the policy runs every time it needs to.
Add the Script Payload to run our Isolation Enforcement script ‘Before’ anything else. If you’ve added any special parameters to make this more dynamic, don’t forget to add them here where appropriate. Your imagination is the limit.
If you plan to use the Packet Filter extension attribute script for reporting, make sure you include an inventory update on this policy as well.
Then scope this one to our Jamf Protect – isolate Smart Group
7) Create Policy 2 of 4 to Remediate and remove the offending plist and application.
You could kick this off automatically, but for the sake of demonstration we’re going to make the user do it. Instead of triggering with the ‘protect’ event, we’ll just drop this one in Self Service for anyone scoped to the Jamf Protect – fakeGooglePlist Smart Group.
To shake things up a bit, instead of remediating with a script we’re going to use the Files and Processes payload to do it since it’s a relatively simple procedure to find and delete a file, kill a running process, and kick-off the next policy to restore the network.
As always, don’t forget to scope it to our Jamf Protect – fakeGooglePlist Smart Group
Make it available in Self Service and make note of the policy ID in either the URL or at the bottom of the page. We’ll use that later to give our prompt to run policy script the ability to run different policies instead of being a one-off.
8) Create Policy 3 of 4 to Prompt the User to execute the remediation from Self Service
Upload this script to Jamf Pro to handle the user prompt with JamfHelper. You can use the jamfHelper Constructor by BIG-RAT to make your own if you’d like. The important thing is to pair the right buttons with the right if statement. Test before you deploy.
This step isn’t necessary if you trigger the remediation with the ‘protect’ event, but you can use this method to prompt the user to do any number of things we wouldn’t want to arbitrarily do such as delete potentially important documents by clearing out their downloads folder. Why the only copy of the company’s tax forms was saved there is anyone’s guess… but better safe than sorry sometimes.
This one we will trigger with the ‘protect’ event since we want the user to see the notification right away.
Add the Prompt to Open Self Service Policy script payload and add the policy ID number from the remediation script to Parameter 4. This will tell the script which policy to kick off and we can reuse the script for something else another time.
And of course, make sure to scope it to our Jamf Protect – fakeGooglePlist Smart Group
8) Create Policy 4 of 4 to Restore the Network after Remediation
This one we’ll trigger with the restoreNetwork event we are calling with the Files and Processes payload from our remediation script. This way you can call this policy after any remediation that requires it.
Add the network restore script to the scripts payload and run it Before. Include any custom parameters necessary.
And like before if you’re using the Packet Filter extension attribute to report on locked down computers, make sure you do an inventory update as part of the policy.
Go ahead and scope this one to All Computers since we want it to be available when needed and it will only trigger using jamf policy -event restoreNetwork anyway. Otherwise you can scope it to the Jamf Protect – isolate Smart Group if you want to be extra safe, but be aware your remediation policies may completer so fast they don’t have time to update the inventory fast enough.
9) Test out the workflow with a simulated attack.
Since this lab doesn’t include any actual malware of malicious code I’ll include the script I used to simulate this attack below, but its worth mentioning that I pulled it off of the Jamf Protect Threat Prevention Simulations documentation. Check it out if you want to try some others.
This particular example will copy the whoami application to the tmp folder and create a LaunchDaemon to run it at load.
WARNING: Never detonate actual malware on a production machine. Always use a VM or a test device on an isolated network.
10) Watch the results unfold as you go
Since each step of this progresses one at a time, you can check the smart group memberships, file deletions, network loss, and restore at your own pace. For the curious, here is the demo in real time from my own Macbook. Note the creation of directories in the groups window. These are the object Jamf Pro uses to create smart groups. You will have to grant yourself access to see these folders as Jamf Protect locks everyone out of them.
Remember, this example is not an actual workflow you would use in production, but a spread of examples you can use to automate your remediations. How you build your environment from here is up to you. Happy tinkering!