Security

This section explains the primary security measures in the Casper Suite:

  • Passwords

  • Communication protocols

  • Public key infrastructure

  • Signed applications

Passwords

The Casper Suite allows you to store individual accounts for managed computers and reset the passwords if necessary.

Passwords stored in the database are encrypted using a standard 256-bit AES encryption algorithm.

Communication Protocols

The Casper Suite has security built into its design. Connections between the Jamf Software Server (JSS), the other applications in the Casper Suite, and mobile devices take place over Secure Sockets Layer (SSL), using the latest version of Transport Layer Security (TLS) that the operating system supports. The following table shows the TLS version capabilities for the macOS and iOS operating systems:

TLS Version   macOS Version                              iOS Version
              10.7  10.8  10.9  10.10  10.11  10.12      4    5    6    7    8    9    10
1.0           ✓     ✓     ✓     ✓      ✓      ✓          ✓    ✓    ✓    ✓    ✓    ✓    ✓
1.1           -     -     ✓     ✓      ✓      ✓          -    ✓    ✓    ✓    ✓    ✓    ✓
1.2           -     -     ✓     ✓      ✓      ✓          -    ✓    ✓    ✓    ✓    ✓    ✓
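
The table above can be turned into a pre-change check: before a server is configured to refuse older TLS versions, list the managed devices whose operating system cannot negotiate the required version. This is an added example, not code from the Casper Suite; the inventory tuples, device names, and the `server_min_tls` parameter are assumptions made for illustration.

```python
from collections import defaultdict

# First OS release at which the table on this page shows each TLS version.
TLS_SUPPORT = {
    "macOS": {"1.0": (10, 7), "1.1": (10, 9), "1.2": (10, 9)},
    "iOS": {"1.0": (4,), "1.1": (5,), "1.2": (5,)},
}
# Newest release the table covers; later releases are reported as unknown.
TABLE_MAX = {"macOS": (10, 12), "iOS": (10,)}

def parse_version(text):
    return tuple(int(part) for part in text.strip().split("."))

def max_tls(os_family, os_version):
    """Highest TLS version the table lists for this OS, or None if not covered."""
    try:
        newest = TABLE_MAX[os_family]
        version = parse_version(os_version)
    except (KeyError, ValueError):
        return None
    release = version[:len(newest)]  # macOS compares major.minor, iOS major only
    if len(release) < len(newest) or release > newest:
        return None
    usable = [t for t, first in TLS_SUPPORT[os_family].items() if release >= first]
    return max(usable, key=parse_version) if usable else None

def audit(inventory, server_min_tls):
    """Group device names by outcome if the server required server_min_tls."""
    floor = parse_version(server_min_tls)
    report = defaultdict(list)
    for name, family, version in inventory:
        best = max_tls(family, version)
        if best is None:
            outcome = "unknown"
        else:
            outcome = "ok" if parse_version(best) >= floor else "would_fail"
        report[outcome].append(name)
    return dict(report)

# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE = [
    ("lab-imac-01", "macOS", "10.8.5"),
    ("exec-mbp-07", "macOS", "10.12.3"),
    ("kiosk-ipad-2", "iOS", "4.3.5"),
    ("field-iphone-9", "iOS", "9.3.5"),
    ("new-mbp-11", "macOS", "10.13.1"),
]

print(audit(SAMPLE, "1.2"))
```

Devices reported as `unknown` run an OS release outside the table and need to be checked against current vendor documentation rather than assumed safe.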

The Casper Remote application and the network scanner in the Recon application connect to computers over Secure Shell (SSH), or Remote Login.

Secure Shell (SSH)

SSH is a network security protocol built into macOS. For more information, go to:
http://openssh.com/

Transport Layer Security (TLS)

TLS is a security protocol for Internet communication. For more information, go to:
http://tools.ietf.org/html/rfc5246

Public Key Infrastructure

A public key infrastructure (PKI) is the design by which digital certificates are obtained, managed, stored, and distributed to ensure a secure exchange of data over a public network.

Certificate Authority

A certificate authority (CA) is a trusted entity that signs and issues the certificates required for certificate-based authentication. It is the central component of the PKI.

In the JSS, you can choose to use a built-in CA, integrate with a trusted third-party CA (Symantec), or configure your own PKI if you have access to an external CA that supports the Simple Certificate Enrollment Protocol (SCEP). The certificate authorities can be used to issue certificates to both computers and mobile devices.

Note: An external CA can also be used to issue certificates to computers, but this is not enabled by default. For more information, contact Jamf Support.

For more information on certificate authorities in the JSS, see PKI Certificates.

Simple Certificate Enrollment Protocol

Simple Certificate Enrollment Protocol (SCEP) obtains certificates from the CA and distributes them to managed mobile devices, providing a simplified way of handling large-scale certificate distribution.

The CA hosted by the JSS (the “built-in CA”) supports SCEP. If you plan to use an external CA hosted by your organization or by a third-party vendor, this CA must support SCEP as well.

Certificates

The Casper Suite uses the following certificates to ensure security:

  • SSL Certificate—The JSS requires a valid SSL certificate to ensure that computers and mobile devices communicate with the JSS and not an imposter server. The SSL certificate that you can create from the built-in CA secures communication using 2048-bit RSA encryption.

  • Device Certificates—Device certificates allow the JSS to verify the identity of computers and mobile devices each time they communicate with the JSS.

  • CA Certificate—This certificate establishes trust between the CA and computers, and between the CA and mobile devices.

  • Signing Certificate—This certificate is used to sign messages passed between the JSS and Mac computers, and between the JSS and mobile devices.

  • Push Certificate—The JSS requires a valid push certificate to communicate with Apple Push Notification service (APNs).

  • Anchor Certificate—This certificate allows mobile devices and computers to trust the SSL certificate.

Signed Applications

The following applications are signed by Jamf:

  • Casper Admin

  • Casper Imaging

  • Casper Remote

  • Composer

  • jamf binary

  • Jamf Helper

  • JDS Installer for Mac

  • Recon

  • Recon.exe

  • Self Service

© copyright 2002-2017 Jamf. All rights reserved.