Security Settings

The Security settings in Jamf Pro allow you to do the following:

  • Enable certificate-based authentication.

  • Enable push notifications.

  • Automatically install the Privacy Preferences Policy Control profile.

  • Automatically install a Jamf Notifications profile.

  • Configure SSL certificate verification.

  • Specify the condition under which the checksum will be used to validate packages. If you choose to validate packages, the validation occurs after the package is downloaded.

  • Specify a maximum clock skew between managed computers and the Jamf Pro host server.

When a Mac computer attempts to communicate with the Jamf Pro server and the security requirements specified in Jamf Pro are not met, communication is blocked.

Automatically Installing the Privacy Preferences Policy Control Profile

When you enroll a computer with Jamf Pro, the computer automatically becomes managed by Jamf Pro. This allows you to perform remote management tasks on the computer. To perform some tasks on computers with macOS 10.14 or later, you must allow the Jamf management framework to access the target computer's system files and processes by installing the Privacy Preferences Policy Control profile.

Note:

The Privacy Preferences Policy Control profile is part of a security feature introduced in macOS 10.14.For more information about the Privacy Preferences Policy Control profile, see Privacy Preferences Policy Control MDM payload settings for Apple devices in Apple Platform Deployment.

This option is enabled by default and allows Jamf Pro to automatically install the Privacy Preferences Policy Control profile on computers with macOS 10.14 or later that have a User Approved MDM status. This allows the Jamf management framework to be installed on computers to access the necessary system files and processes for managing computers and performing the remote management tasks on the computers.

The Enable certificate-based authentication and Enable push notifications settings must be enabled to access this feature.

For more information about the contents of the Privacy Preferences Policy Control profile, see the "Privacy Preferences Policy Control Profile Contents" section of the Preparing your Organization for User Data Protections on macOS 10.14 article.

Automatically Installing a Jamf Notifications Profile

Configuring the Automatically install a Jamf Notifications profile setting in Jamf Pro automatically enables notifications from the Jamf management framework and Jamf Self Service for macOS. End users are not prompted to allow notifications the first time they log in to Self Service.

This option is enabled by default and allows Jamf Pro to automatically install the Notifications profile on computers with macOS 10.15 or later.

The Enable certificate-based authentication andEnable push notifications settings must be enabled to access this feature.

Configuring SSL Certificate Verification

Configuring the SSL Certificate Verification setting in Jamf Pro ensures that computers only communicate with a host server that has a valid SSL certificate. This prevents computers from communicating with an imposter server and protects against man-in-the-middle attacks.

Consider the following when configuring SSL certificate verification:

  • If you are using the self-signed certificate from Apache Tomcat that is built into Jamf Pro, you must select Always except during enrollment.

  • If you are using an SSL certificate from an internal CA or a trusted third-party vendor, select either Always or Always except during enrollment. It is recommended that you use Always if computers in your environment are configured to trust the certificate before they are enrolled.

For more information, see the following articles:

Configuring Security Settings

Requirements

To enable push notifications, you must have a push certificate in Jamf Pro. For more information, see Push Certificates.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Computer Management–Management Framework section, click Security .
  3. Click Edit .
  4. Configure the settings on the pane.
  5. Click Save .