STIGQter STIGQter: STIG Summary: Jamf Pro v10.x EMM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 03 Feb 2020:

The Jamf Pro EMM server must be configured to leverage the MDM platform user accounts and groups for Jamf Pro EMM server user identification and CAC authentication.

DISA Rule

SV-108685r1_rule

Vulnerability Number

V-99581

Group Title

PP-MDM-414002

Rule Version

JAMF-10-000670

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Implement one of the following options:

Option #1. Connect Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication. Note: Jamf requires AGS to support SAML.

- Set up AGS / IdAM environment.
- Connect the Jamf pro EMM to the AGS:
1. Open "Settings".
2. Select "SSO" (Single Sign-on).
3. Select "Edit".
4. Enable Single Sign-on Authentication.
5. Complete the appropriate settings to connect Jamf Pro EMM to the AGS using SAML-based protocol.
6. Click "Save".

Note: If Option #1 is used, requirements JAMF-10-100700 to JAMF-10-10820 are Not Applicable and requirement JAMF-10-200040 is Applicable - Configurable.

Option #2. Implement strong password policy for admin local accounts. Configure the server password policy (JAMF-10-100700 to JAMF-10-10820).

Note: If Option #2 is used, requirement JAMF-10-200040 is Not Applicable.

Check Contents

Interview the site ISSM.

Determine if the site has connected Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication.

- If YES, verify the AGS implementation has been reviewed using the Application Layer Gateway SRG. Verify the Jamf Pro EMM server is configured to connect to the AGS:
1. Go to the server console.
2. Open "Settings".
3. Select "SSO" (Single Sign-on).
4. Verify Single Sign-on Authentication is enabled and connection to the AGS using SAML-based protocol is set up.

- If NO, verify strong password controls for the administrator local accounts are in place. (Verified by JAMF-10-100700 to JAMF-10-100820.)

If Jamf Pro EMM is not connected Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to your DoD Identity Access Management (IdAM) environment that utilizes CAC authentication or has not been configured to use strong password controls for the administrator local accounts, this is a finding.

Vulnerability Number

V-99581

Documentable

False

Rule Version

JAMF-10-000670

Severity Override Guidance

Interview the site ISSM.

Determine if the site has connected Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication.

- If YES, verify the AGS implementation has been reviewed using the Application Layer Gateway SRG. Verify the Jamf Pro EMM server is configured to connect to the AGS:
1. Go to the server console.
2. Open "Settings".
3. Select "SSO" (Single Sign-on).
4. Verify Single Sign-on Authentication is enabled and connection to the AGS using SAML-based protocol is set up.

- If NO, verify strong password controls for the administrator local accounts are in place. (Verified by JAMF-10-100700 to JAMF-10-100820.)

If Jamf Pro EMM is not connected Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to your DoD Identity Access Management (IdAM) environment that utilizes CAC authentication or has not been configured to use strong password controls for the administrator local accounts, this is a finding.

Check Content Reference

M

Target Key

3593

Comments