This section explains the primary security measures in Jamf Pro:
Public key infrastructure
Jamf Pro allows you to store individual accounts for managed computers and reset the passwords if necessary.
Passwords stored in the database are encrypted using a standard 256-bit AES encryption algorithm.
Jamf Pro has security built into its design. Connections between the Jamf Pro server, the other Jamf Pro apps, and mobile devices take place over Secure Sockets Layer (SSL) using Transport Layer Security (TLS).
The Jamf Remote application and the network scanner in the Recon application connect to computers over Secure Shell (SSH), or Remote Login.
Secure Shell (SSH)
SSH is a network security protocol built into macOS. For more information, go to:
Transport Layer Security (TLS)
TLS is a security protocol for Internet communication. For more information, go to:
Public Key Infrastructure
A public key infrastructure (PKI) is the design by which digital certificates are obtained, managed, stored, and distributed to ensure a secure exchange of data over a public network.
A certificate authority (CA) is a trusted entity that signs and issues the certificates required for certificate-based authentication. It is the central component of the PKI.
In Jamf Pro, you can choose to use a built-in CA, integrate with a trusted third-party CA (DigiCert or Active Directory Certificate Services), or configure your own PKI if you have access to an external CA that supports the Simple Certificate Enrollment Protocol (SCEP). The certificate authorities can be used to issue certificates to both computers and mobile devices.
Note: An external CA can also be used to issue certificates to computers, but this is not enabled by default. For more information, contact your Jamf account representative.
For more information on certificate authorities in Jamf Pro, see PKI Certificates.
Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol (SCEP) obtains certificates from the CA and distributes them to managed mobile devices, providing a simplified way of handling large-scale certificate distribution. If you do not want computers or mobile device to communicate directly with a SCEP server, you can configure settings that enable Jamf Pro to proxy the communication between a SCEP server and the computers and mobile devices in your environment. This allows Jamf Pro to communicate directly with a SCEP server to obtain certificates and install them on the device. For more information, see the Enabling Jamf Pro as SCEP Proxy technical paper.
The CA hosted by Jamf Pro (the “built-in CA”) supports SCEP. If you plan to use an external CA hosted by your organization or by a third-party vendor, this CA must support SCEP as well.
Jamf Pro uses the following certificates to ensure security:
SSL Certificate—Jamf Pro requires a valid SSL certificate to ensure that computers and mobile devices communicate with the Jamf Pro server and not an imposter server. The SSL certificate that you can create from the built-in CA secures communication using a 2048-bit RSA encryption.
Device Certificates—Device certificates allow Jamf Pro to verify the identity of computers and mobile devices each time they communicate with the Jamf Pro server.
CA Certificate—This certificate establishes trust between the CA and computers, and between the CA and mobile devices.
Signing Certificate—This certificate is used to sign messages passed between the Jamf Pro server and Mac computers, and between the Jamf Pro server and mobile devices.
Push Certificate—Jamf Pro requires a valid push certificate to communicate with Apple Push Notification service (APNs).
Anchor Certificate—This certificate allows mobile devices and computers to trust the SSL certificate.
The following applications are signed by Jamf:
Jamf Self Service
For related information, see the following Knowledge Base article:
Network Ports Used by Jamf Pro
Learn about the network ports used by Jamf Pro.