Streamline macOS Security Compliance with Jamf Compliance Editor
Introducing the macOS Security Compliance Project
The macOS Security Compliance Project (mSCP) is an open source framework for programmatically generating security guidance. It contains security baselines of technical security controls, such as CIS Benchmark, NIST-800-171, NIST-800-53 and DISA STIG, which can be adapted to the specific needs of any organization. The workflow is quite simple:
Tailoring selects which rules to include in a benchmark, whereas customizing modifies the rules themselves.
Jamf Compliance Editor
The Jamf Compliance Editor is a utility for sysadmins to create and manage compliance baselines across their fleet of Apple devices (macOS, iOS/iPadOS).
The tool is built on the macOS Security Compliance Project and generates mobileconfig files for custom MDM policies containing all the selected rules. Several compliance profiles are available (CIS Benchmark, NIST-800-171, NIST-800-53, DISA STIG), and each can be tailored to your specific environment. On macOS it is also necessary to run the compliance remediation shell scripts, because not all settings can be enforced through mobileconfig files.
mSCP is to macOS what OpenSCAP is to Linux, and Jamf Compliance Editor is the equivalent of SCAP Workbench.
For example, building a compliance profile with all the possible rules (not recommended):
Once generated, you get a summary of your tailored profile in HTML, PDF and XLSX formats for use by management.
Under macos_security-version > build > profile-name > mobileconfigs > unsigned you will find all the mobileconfig files for your MDM policies:
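Before uploading the unsigned profiles to your MDM, it is worth checking what each one actually enforces. The following is an added example (not code from mSCP or Jamf) that parses a .mobileconfig with Python's plistlib and summarizes its scope, removal setting and the non-Payload keys of every payload; the profile content is a constructed sample, and the identifiers and values in it are illustrative only.

```python
import plistlib

# Constructed sample: a minimal unsigned .mobileconfig shaped like the
# profiles in the "unsigned" folder (one payload enforcing a screensaver
# idle timeout). Identifiers and values are illustrative, not mSCP's own.
SAMPLE_MOBILECONFIG = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.org.screensaver",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadDisplayName": "[example] screensaver",
    "PayloadScope": "System",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [{
        "PayloadType": "com.apple.screensaver",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.org.screensaver.payload",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "idleTime": 1200,
        "loginWindowIdleTime": 1200,
    }],
})

REQUIRED_TOP_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadContent")


def summarize_profile(data: bytes) -> dict:
    """Parse an unsigned .mobileconfig and report what it would enforce."""
    profile = plistlib.loads(data)
    missing = [k for k in REQUIRED_TOP_KEYS if k not in profile]
    if missing or profile.get("PayloadType") != "Configuration":
        raise ValueError(f"not a configuration profile; missing keys: {missing}")
    payloads = []
    for payload in profile["PayloadContent"]:
        # Everything that is not a Payload* bookkeeping key is an enforced setting.
        settings = {k: v for k, v in payload.items() if not k.startswith("Payload")}
        payloads.append({"type": payload["PayloadType"], "settings": settings})
    return {
        "identifier": profile["PayloadIdentifier"],
        "scope": profile.get("PayloadScope", "User"),  # Apple's default when absent
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "payloads": payloads,
    }


if __name__ == "__main__":
    # Replace the sample bytes with open(path, "rb").read() for a real profile.
    print(summarize_profile(SAMPLE_MOBILECONFIG))
```

Run it over every file in the unsigned folder to get a quick inventory of which payload types and settings each MDM policy will push.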
Jamf Compliance Reporter
In addition to Jamf Compliance Editor, I strongly recommend combining it with Jamf Compliance Reporter, a security monitoring tool for macOS. Compliance Reporter collects data and can stream real-time logs to SIEMs (Splunk, SumoLogic, etc.).
In conclusion, Jamf Compliance Editor lets organizations build mobileconfig files for MDM policies that enforce security compliance settings, and run remediation scripts on macOS devices, in order to comply with industry standards and regulations.