Jamf Pro Security Recommendations

This article explains the recommended security settings for Jamf Pro servers hosted on Jamf Cloud and on-premise. You must ensure that the Jamf Pro server and all supporting technology (including the server OS, Java, Apache Tomcat, and MySQL) are compliant with your own internal security standards. This article provides some basic recommendations about how to ensure your Jamf Pro server and underlying infrastructure are up-to-date and secure.

Jamf Pro Server Settings

To ensure your server is as secure as possible, you can enable the following security-related settings in Jamf Pro:
  • Configure the Password Policy for Jamf Pro user accounts. For more information, see the "Configuring the Password Policy" section of the Jamf Pro User Accounts and Groups page in the Jamf Pro Documentation.
  • Enable the minimum required privileges. Grant each user account and group only the privileges its role in your organization requires. For more information, see the "Creating a Jamf Pro User Account" section of the Jamf Pro User Accounts and Groups page in the Jamf Pro Documentation.
  • Configure the Change Management settings to log changes. Log changes made in Jamf Pro by configuring the Change Management settings (automatically enabled for Jamf Cloud instances). For more information, see the "Viewing Change Management Logs in Jamf Pro" section of the Change Management page in the Jamf Pro Documentation.
  • Schedule log flushing at appropriate intervals. Flushing keeps the database small, but flushed entries are gone; choose a retention period long enough to support an incident investigation, and forward logs elsewhere if you need a longer history. For more information, see the "Scheduling Log Flushing" section of the Flushing Logs page in the Jamf Pro Documentation.
  • Enable certificate-based authentication and configure SSL certificate verification. Ensure the Jamf Pro server has a valid web server certificate before enabling this option; otherwise managed computers will refuse to communicate with the server. For more information, see the Security Settings page in the Jamf Pro Documentation and the Safely Configuring SSL Certificate Verification article.
  • Require user authentication to Self Service. For more information, see the Self Service for macOS User Login Settings page in the Jamf Pro Documentation.
  • Require users to authenticate when enrolling via automated MDM enrollment. Require users to authenticate during computer or mobile device setup when enrolling via Apple's Device Enrollment (formerly DEP) using a PreStage enrollment in Jamf Pro. For more information, see the Computer PreStage Enrollments and Mobile Device PreStage Enrollments pages in the Jamf Pro Documentation.

Content Distribution

Cloud Distribution Points

Jamf Cloud Distribution Service (JCDS)
If your Jamf Pro server is hosted in Jamf Cloud and you have the subscription-based option, you can use Jamf Cloud Distribution Service (JCDS) as your cloud distribution point.
Amazon CloudFront
You can also use Amazon CloudFront to serve content with signed URLs. For more information, see Using signed URLs in the Amazon CloudFront Developer Guide.
Akamai

Using Akamai with Token Authorization protection enabled is also a secure content delivery network option. For more information about how to use Token Authorization in Akamai, see Using Token Authorization in the MSOD: Stream Packaging User Guide.

For more information about configuring, testing, and replicating the cloud distribution points, see Cloud Distribution Point in the Jamf Pro Documentation.

File Share Distribution Points

If you cannot use JCDS, or you have configured your own file share distribution point, you can still distribute content from the Jamf Pro server to managed computers and devices. Consider the following recommendations for securing your content distribution:

File Sharing (navigate to Settings > Server Infrastructure > File Share Distribution Points > select distribution point > File Sharing tab):

  • Consider using a nonstandard port for your server. This only reduces exposure to untargeted scanning; it is not an access control, so still require authentication and restrict the port at the firewall. (For more information about standard ports, see the Network Ports Used by Jamf Pro article.)

  • Create separate service accounts for read/write and read-only privileges, and give managed computers only the read-only account

HTTP Downloads (navigate to Settings > Server Infrastructure > File Share Distribution Points > select distribution point > HTTP/HTTPS tab):

  • Enable HTTP by selecting the Use HTTP downloads checkbox

  • Enable SSL (Secure Sockets Layer) by selecting the Use SSL checkbox, so that downloads (and the credentials used to authenticate them) travel over HTTPS rather than in clear text

  • Require authentication to download files by choosing Username and Password from the Authentication Type pop-up menu

For more information, see File Share Distribution Points in the Jamf Pro Documentation.

Managed Devices

macOS Computers
It is recommended that you use the following suggestions to secure macOS computers:
  • Increase management account password security by selecting the Randomly generate new password checkbox for a computer policy and configuring the password reset frequency for the Password Policy
  • Configure passcode complexity for local user accounts by deploying the Passcode payload in a computer configuration profile
  • Require FileVault 2 encryption (For more information, see the Deploying Disk Encryption Configurations page in the Jamf Pro Documentation.)
  • Configure conditional access (For more information, see the Conditional Access page in the Jamf Pro Documentation.)
iOS Devices
It is recommended that you use the following suggestions to secure iOS devices:
  • Configure passcode complexity for local user accounts by deploying the Passcode payload in a mobile device configuration profile
  • Ensure the Make app managed when possible checkbox is selected when distributing apps to keep data secure
Patch Policies and Reporting
It is important to keep your apps up-to-date with the latest security patches. For more information, see the Patch Policies and Patch Reporting pages in the Jamf Pro Documentation.
Scripts
Custom or prebuilt scripts are a common way to execute commands on computers, and can be run using a policy. Avoid hard-coding account credentials for Jamf Pro server administrators in scripts: the script body is readable by every Jamf Pro user with read access to scripts, and it is copied to each computer the policy runs on. Prefer a narrowly privileged service account whose credential is supplied at run time (for example, through a script parameter) over an administrator's credentials.

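The following scanner is an added example (not code from the Jamf article or from Jamf Pro) for catching hard-coded credentials before a script is uploaded. The patterns are assumed heuristics, not an exhaustive list, and the sample script it scans is constructed for the demo: it contains an API password baked into a variable and a curl call, followed by the same calls rewritten to take the secret from policy script parameter $4.

```python
"""Scan a script for hard-coded credentials before uploading it to Jamf Pro."""
import re

# Heuristic patterns (assumed, not exhaustive) for the usual ways a Jamf Pro
# credential ends up inside a management script.
CREDENTIAL_PATTERNS = [
    ("basic-auth header",
     re.compile(r"Authorization:\s*Basic\s+[A-Za-z0-9+/=]{8,}", re.I)),
    # curl -u user:pass with a literal password; "$VAR" after the colon is fine
    ("curl -u user:pass",
     re.compile(r"\bcurl\b[^\n]*\s(?:-u|--user)\s+\"?[^\s:\"]+:(?!\$)\S+")),
    # PASSWORD="literal"; "$4" or "${VAR}" (values taken at run time) are skipped
    ("password variable",
     re.compile(r"\b\w*(?:pass(?:word|wd)?|secret|token)\w*\s*=\s*['\"][^'\"$]{4,}['\"]", re.I)),
    ("credentials in URL",
     re.compile(r"https?://[^\s/:@]+:[^\s/@]+@")),
]

# Constructed sample: lines 4-5 bake in the password, lines 7-8 take it from
# policy script parameter $4 instead.
SAMPLE_SCRIPT = """\
#!/bin/bash
# Constructed example for the scanner
JSS_URL="https://jamf.example.com"
API_PASS="Sup3rS3cret!"
curl -s -u admin:Sup3rS3cret! "$JSS_URL/JSSResource/computers/id/1"
# Better: the credential arrives in policy script parameter $4 at run time
API_PASS="$4"
curl -s -u "apiuser:$API_PASS" "$JSS_URL/JSSResource/computers/id/1"
"""


def scan_script(text):
    """Return (line number, pattern label, matched text) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, label, match.group(0)))
    return findings


if __name__ == "__main__":
    for lineno, label, matched in scan_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {label}: {matched}")
```

Run it over your script library before uploading (for example, scan_script(open(path).read()) for each file); a hit means the script needs rewriting, not just the match removed, because the policy log and the script history in Jamf Pro may already hold the value.

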
On-Premise Specific Settings

Server OS

You can host Jamf Pro on any server that meets the requirements listed on the Jamf Pro System Requirements page of the Jamf Pro Release Notes.

Note:

Although you can install Jamf Pro on any server that meets the minimum requirements, the Jamf Pro Installers for Linux and Windows have additional requirements. For more information, see the Jamf Pro Installation and Configuration Guide for your platform.

To further secure the server OS, consider the following system settings recommendations:
  • Disable guest access
  • Disable automatic login
  • Remove unnecessary service accounts
  • Remove or reset all default passwords
  • Restrict account privileges to minimum required
  • Restrict processes to minimum required
  • Control available ports and network services

Java

The Jamf Pro server and supporting technologies (Apache Tomcat) rely on the Java Development Kit (JDK) with unlimited strength cryptography enabled. JDK 8u161 and later enable the unlimited cryptographic policy by default; older releases required installing the JCE Unlimited Strength Jurisdiction Policy Files. Keep the JDK patched as well: unless Tomcat has been configured with the native APR/OpenSSL connector, the TLS implementation behind its HTTPS connector is the JDK's. For more information about how to install Java, see the Installing Java and MySQL for Jamf Pro 10.14.0 or Later article.

Apache Tomcat

Apache Tomcat is an open-source web server that is developed and maintained by the Apache Software Foundation, and is used to run the Jamf Pro web app. For more information about securing Apache Tomcat, see the Securing tomcat article from the Open Web Application Security Project (OWASP).

The recommendations in this section will help you ensure Apache Tomcat is more secure.

The following list gives the default paths of the Tomcat files you will need to configure in the instructions that follow.

web.xml
  Linux: /usr/local/jss/tomcat/conf/web.xml
  Windows: C:\Program Files\JSS\Tomcat\conf\web.xml
server.xml
  Linux: /usr/local/jss/tomcat/conf/server.xml
  Windows: C:\Program Files\JSS\Tomcat\conf\server.xml
ServerInfo.properties
  Linux: /usr/local/jss/tomcat/webapps/ROOT/WEB-INF/classes/ServerInfo.properties
  Windows: C:\Program Files\JSS\Tomcat\webapps\ROOT\WEB-INF\classes\ServerInfo.properties
Important:

You must restart Tomcat after making modifications to any of these files to make the changes take effect.

Note:

Jamf recommends that you back up any files that you plan to modify before making any changes.

( Jamf Pro 10.0.0 or later) Web.xml modifications
  • Set the HttpOnly and Secure attributes on the session cookie. Jamf recommends adding <http-only> and <secure> to the <cookie-config> in web.xml so that the Set-Cookie response header for the session cookie carries the HttpOnly and Secure attributes. HttpOnly keeps the cookie out of reach of page scripts, which limits session theft through cross-site scripting (XSS); Secure stops the browser from sending the cookie over plain HTTP. Because of Secure, logins only work when the server is reached over HTTPS, so pair this change with disabling the HTTP connector in server.xml.
    Open the web.xml file in the conf directory, and add the <cookie-config> values to the <session-config> section as shown below:
    <!-- ==================== Default Session Configuration ================= -->
    <!-- You can set the default session timeout (in minutes) for all newly -->
    <!-- created sessions by modifying the value below. -->
    <session-config>
        <session-timeout>30</session-timeout>
        <cookie-config>
            <http-only>true</http-only>
            <secure>true</secure>
        </cookie-config>
    </session-config>
( Jamf Pro 10.20.0 or later) Server.xml modifications
  • Use HTTPS only and disable HTTP. Modify the server.xml file by commenting out the non-SSL HTTP Connector, as shown below, so that Tomcat listens only on the HTTPS connector. Before doing so, confirm that nothing (a load balancer health check or reverse proxy, for example) still depends on port 8080.
    <!--
    <Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1"
    connectionTimeout="20000" maxPostSize="8388608" redirectPort="8443" />
    -->
  • Configure strong ciphers and TLS protocols. Restrict the HTTPS connector to TLS 1.2 or later and to a short list of strong cipher suites. For more information about which ciphers to replace, see the Configuring Supported Ciphers for Tomcat HTTPS Connections article. To configure the encryption settings, see Encryption in the Securing tomcat documentation from OWASP.
  • Enable access logging. To use the default access log valve, uncomment or set the Valve className to "org.apache.catalina.valves.AccessLogValve". You can use the default log values or configure the pattern attribute values by following the instructions in the Extended Access Log Valve documentation in the Apache Tomcat 8 Configuration Reference.
( Jamf Pro 10.19.0 or earlier and manually installed Tomcat instances) Additional modifications to Server.xml
Note:

The following changes apply to Jamf Pro 10.19.0 or earlier and all versions of Jamf Pro with manual installations of Tomcat.

  • Prevent Tomcat version disclosure via valve modification

    To keep the Apache Tomcat version out of the default error pages, configure the ErrorReportValve inside the <Host> element of the CATALINA_BASE/conf/server.xml file with showServerInfo="false" (and showReport="false" to suppress stack traces). The attributes are documented in the Error Report Valve section of the Valve Component page in the Apache Tomcat 8 Configuration Reference.

  • Prevent communication over the AJP port via connector modification. The AJP connector (default port 8009) accepts unauthenticated connections and is only needed when a front-end web server proxies to Tomcat over AJP. To keep it off untrusted networks, do one of the following:
    • Comment out the AJP connector in the server.xml file and restart the Jamf Pro Tomcat service.
    • Disable port 8009 on your firewall.
    • Upgrade to Jamf Pro 10.20.0 or later.
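As an added example (not code from the Jamf article or from Jamf Pro), the following Python script checks a web.xml and a server.xml for the changes described in the web.xml, server.xml, and AJP sections above: both cookie flags set, no plaintext HTTP or AJP connector, TLS protocols and ciphers pinned on the HTTPS connector, an AccessLogValve present, and an ErrorReportValve with showServerInfo off. The two XML documents it parses are constructed samples rather than Jamf Pro's shipped files, and the finding strings are my own wording.

```python
"""Audit Tomcat's web.xml and server.xml for the settings discussed above."""
import xml.etree.ElementTree as ET

# Constructed sample files for the demo (not Jamf Pro's shipped defaults).
# The web.xml already has both cookie flags; the server.xml still has the
# plaintext HTTP and AJP connectors enabled and no access log valve.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
  </session-config>
</web-app>
"""

SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.2,TLSv1.3"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCESS_LOG = "org.apache.catalina.valves.AccessLogValve"
ERROR_REPORT = "org.apache.catalina.valves.ErrorReportValve"


def audit_web_xml(text):
    """Return findings about the session cookie flags in a web.xml document."""
    root = ET.fromstring(text)
    # {*} matches any namespace, since web.xml declares the Java EE one.
    cfg = root.find(".//{*}session-config/{*}cookie-config")
    findings = []
    for flag in ("http-only", "secure"):
        el = cfg.find("{*}" + flag) if cfg is not None else None
        if el is None or (el.text or "").strip().lower() != "true":
            findings.append(f"web.xml: <{flag}> is not set to true on the session cookie")
    return findings


def audit_server_xml(text):
    """Return findings about connectors and valves in a server.xml document."""
    # The parser drops XML comments, so a commented-out connector is treated
    # as disabled, which is exactly how Tomcat treats it.
    root = ET.fromstring(text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            findings.append(f"server.xml: AJP connector enabled on port {port}")
        elif conn.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"server.xml: plaintext HTTP connector enabled on port {port}")
        else:
            findings.extend(audit_tls(conn, port))
    valves = {v.get("className", ""): v for v in root.iter("Valve")}
    if ACCESS_LOG not in valves:
        findings.append("server.xml: AccessLogValve is not configured")
    err = valves.get(ERROR_REPORT)
    if err is not None and err.get("showServerInfo", "true").lower() != "false":
        findings.append("server.xml: ErrorReportValve still reveals the Tomcat version")
    return findings


def audit_tls(conn, port):
    """Check protocol and cipher pinning on an HTTPS connector. Tomcat 8.0
    puts these attributes on <Connector>; 8.5+ uses a nested <SSLHostConfig>."""
    host_cfg = conn.find("SSLHostConfig")
    nested = host_cfg.attrib if host_cfg is not None else {}
    protocols = conn.get("sslEnabledProtocols") or nested.get("protocols", "")
    ciphers = conn.get("ciphers") or nested.get("ciphers", "")
    findings = []
    enabled = set(protocols.replace(",", " ").replace("+", " ").split())
    if not enabled or "all" in enabled:
        findings.append(f"server.xml: HTTPS connector on port {port} does not pin TLS protocols")
    elif enabled & WEAK_PROTOCOLS:
        findings.append(f"server.xml: HTTPS connector on port {port} allows {sorted(enabled & WEAK_PROTOCOLS)}")
    if not ciphers:
        findings.append(f"server.xml: HTTPS connector on port {port} uses the default cipher list")
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML) + audit_server_xml(SAMPLE_SERVER_XML):
        print(finding)
```

To audit a real server, read the files from the paths listed earlier in this section instead of the samples, and rerun the check after every Jamf Pro upgrade to confirm the hardening survived.

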
( Jamf Pro 10.19.0 or earlier) ServerInfo.properties modifications
  • Prevent server version disclosure. Edit the server.info, server.number, and server.built values in the ServerInfo.properties file so they no longer reveal the exact Tomcat version, following the recommendations in the Securing tomcat documentation from OWASP.
( Jamf Pro 10.19.0 or earlier) Web.xml modifications
  • Replace the default error page to prevent version disclosureTo replace the default error page, modify the web.xml file using the recommendations in the Securing tomcat documentation from OWASP.
  • (Optional) Limit specific web application servletsModify the web.xml file to limit specific web application servlets by changing their behavior or by removing them from the file.
Enable SSL certificate validation
Use the issuer, Subject Alternative Name (SAN), and the expiration date for validation. For more information about how to configure the SSL Certificate Validation setting, see the Safely Configuring SSL Certificate Verification article.

MySQL

MySQL is a relational database management system developed and maintained by Oracle. The Jamf Pro server uses MySQL as the back-end database for storing and maintaining system data. You should ensure MySQL is up-to-date and secure by using the following recommendations:
Run the default mysql_secure_installation
The MySQL installation includes the mysql_secure_installation command-line utility, which automates the basic hardening tasks: it sets a password for the root accounts, removes anonymous accounts, disallows remote root login, and removes the test database together with the privileges that grant access to it.
For more information, see the mysql_secure_installation reference for your version of MySQL.
If mysql_secure_installation is not available, do the following:
  • Set a password for the root accounts
  • Remove all privileges for anonymous user accounts
  • Remove the test database and all associated privileges
Create a unique database name and a unique MySQL user with a secure password
For more information about how to create the database and the MySQL user that Jamf Pro connects with, see the Manually Creating the Jamf Pro Database article.
Note:

To increase security, use a database name and a user password that differ from the examples in the article, and do not let the Jamf Pro web app connect as the MySQL root user.

Limit privileges to the minimum required
If you want to further restrict access to MySQL, you can create separate user accounts with limited privileges. For more information, see the account management and privilege chapters of the MySQL Reference Manual for your version.
The following MySQL privileges are required for different types of environments:
  • For a standalone web application or the primary node in clustered environments: ALTER, CREATE, DELETE, DROP, INDEX, INSERT, LOCK TABLES, REFERENCES, SELECT, UPDATE
  • For a child node in clustered environments: DELETE, DROP, INSERT, LOCK TABLES, SELECT, UPDATE
  • To view connections from cluster nodes with different MySQL users: PROCESS

    Note:

    PROCESS is a global privilege: it must be granted ON *.* and cannot be scoped to the Jamf Pro database.

For example, you would execute commands using the following general syntax:
GRANT <privileges> ON <database> TO <user>;
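As an added example (not code from the Jamf article or from Jamf Pro), the following Python script turns the two checklists above, the manual mysql_secure_installation steps and the least-privilege grant sets, into an audit of SHOW GRANTS output. It parses the lines the mysql client prints for each account and reports privileges missing from or beyond the required set for a primary or child node, global privileges, anonymous accounts, remote root, and leftover grants on the test database. The SHOW GRANTS text it reads is a constructed sample with deliberate problems; the account names jamfsoftware, jamfchild, and jamfmon are assumed for the demo. Note that the grant syntax for the real statements is GRANT <privileges> ON <database>.* TO '<user>'@'<host>', so host restriction is part of the account name.

```python
"""Least-privilege audit of MySQL SHOW GRANTS output for the Jamf Pro accounts."""
import re

# One SHOW GRANTS line per privilege scope, as the mysql client prints them.
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']+)'"
    r"(?P<grant_opt> WITH GRANT OPTION)?;?$"
)

# Privilege sets from the list above (REFERENCES is the MySQL spelling).
PRIMARY_NODE = {"ALTER", "CREATE", "DELETE", "DROP", "INDEX", "INSERT",
                "LOCK TABLES", "REFERENCES", "SELECT", "UPDATE"}
CHILD_NODE = {"DELETE", "DROP", "INSERT", "LOCK TABLES", "SELECT", "UPDATE"}

# Constructed sample: SHOW GRANTS output for several accounts with deliberate
# problems (an extra privilege, a missing one, remote root, an anonymous
# account that still has the test database).
SAMPLE_SHOW_GRANTS = """\
GRANT USAGE ON *.* TO 'jamfsoftware'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, LOCK TABLES, CREATE VIEW ON `jamfsoftware`.* TO 'jamfsoftware'@'localhost'
GRANT USAGE ON *.* TO 'jamfchild'@'10.0.0.%'
GRANT SELECT, INSERT, UPDATE, DELETE, LOCK TABLES ON `jamfsoftware`.* TO 'jamfchild'@'10.0.0.%'
GRANT PROCESS ON *.* TO 'jamfmon'@'10.0.0.5'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
GRANT USAGE ON *.* TO ''@'localhost'
GRANT ALL PRIVILEGES ON `test`.* TO ''@'localhost'
"""


def parse_grants(lines):
    """Map (user, host) -> {"grants": {scope: set(privs)}, "grant_option": bool}."""
    accounts = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # blank lines, column headers, etc.
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        scope = m["scope"].replace("`", "")
        acct = accounts.setdefault((m["user"], m["host"]),
                                   {"grants": {}, "grant_option": False})
        acct["grants"].setdefault(scope, set()).update(privs)
        acct["grant_option"] |= bool(m["grant_opt"])
    return accounts


def audit_account(accounts, user, host, db, required):
    """Compare one Jamf Pro account's grants on db with the required set."""
    name = f"{user}@{host}"
    acct = accounts.get((user, host))
    if acct is None:
        return [f"{name}: account has no grants"]
    findings = []
    if acct["grant_option"]:
        findings.append(f"{name}: has WITH GRANT OPTION")
    for scope, privs in acct["grants"].items():
        # USAGE on *.* is only the "may log in" placeholder, not a privilege
        if scope == "*.*" and privs - {"USAGE"}:
            findings.append(f"{name}: global privileges on *.*: {sorted(privs - {'USAGE'})}")
        elif scope not in ("*.*", f"{db}.*"):
            findings.append(f"{name}: unexpected grant on {scope}")
    db_privs = acct["grants"].get(f"{db}.*", set())
    if "ALL PRIVILEGES" in db_privs:
        findings.append(f"{name}: ALL PRIVILEGES on {db}.*")
        return findings
    missing = sorted(required - db_privs)
    extra = sorted(db_privs - required - {"USAGE"})
    if missing:
        findings.append(f"{name}: missing required privileges on {db}.*: {missing}")
    if extra:
        findings.append(f"{name}: privileges beyond the required set on {db}.*: {extra}")
    return findings


def audit_hygiene(accounts):
    """The checks mysql_secure_installation performs, applied to SHOW GRANTS."""
    findings = []
    for (user, host), acct in accounts.items():
        if user == "":
            findings.append(f"anonymous account ''@'{host}' exists")
        if user == "root" and host not in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"root@{host}: root is reachable from host '{host}'")
        for scope in acct["grants"]:
            db = scope.split(".")[0]
            if db == "test" or db.startswith("test\\_"):
                findings.append(f"{user}@{host}: grant on the test database ({scope})")
    return findings


if __name__ == "__main__":
    accounts = parse_grants(SAMPLE_SHOW_GRANTS.splitlines())
    for f in (audit_account(accounts, "jamfsoftware", "localhost", "jamfsoftware", PRIMARY_NODE)
              + audit_account(accounts, "jamfchild", "10.0.0.%", "jamfsoftware", CHILD_NODE)
              + audit_hygiene(accounts)):
        print(f)
```

Feed it the concatenated output of SHOW GRANTS FOR each account (mysql -N -e prints one grant per line), and rerun it after any database maintenance that touches accounts.

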
Schedule database backups
For more information, see the Backing Up the Database Using Jamf Pro Server Tools article.
Remove the <DataBasePassword> key or set a blank value
If the database password is removed from the configuration file, the database password must be entered manually for the Jamf Pro server web app during startup. In a clustered environment, the database password must be entered manually for each individual node.
Note:

Default values are included for reference only. Use unique values in production environments.

<DataBase>
...
<DataBaseName>jamfsoftware</DataBaseName>
<DataBaseUser>jamfsoftware</DataBaseUser>
<DataBasePassword></DataBasePassword>
...
</DataBase>

Securing Memcached

There are a number of ways to secure Memcached, depending on your environment. Memcached does not authenticate clients unless it was built with SASL support, so network reachability is the control. Some examples include:
  • Not making Memcached servers reachable from outside the Jamf Pro environment
  • Implementing firewall rules so that only the Jamf Pro clustered Tomcat nodes can reach the Memcached servers
  • Disabling UDP in the memcached.conf file (the UDP listener is the one abused in memcached reflection attacks)
  • Using the -l flag to bind Memcached to a specific interface address: the loopback address when Memcached runs on the same host as Tomcat, otherwise the internal address the Tomcat nodes connect to
The following excerpt of an example memcached.conf file shows how you might disable UDP and bind to a specific address:
PORT="11211"
USER="memcached"
# maximum simultaneous connections
MAXCONN="2048"
# cache size in MB (4096 = 4 GiB)
CACHESIZE="4096"
# -U 0 disables the UDP listener; -l binds TCP to the loopback address only.
# For a Memcached host shared by several Tomcat nodes, use its internal address instead, e.g., 10.0.0.5
OPTIONS="-U 0 -l 127.0.0.1"

For more information on which ports are used in a typical Jamf Pro environment, see the Network Ports Used by Jamf Pro article.
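As an added example (not code from the Jamf article or from Memcached), the following Python script checks a configuration in the KEY="value" form of the memcached.conf excerpt above for the two exposure settings discussed there: whether the UDP listener is disabled with -U 0 and whether -l binds Memcached to a specific address. The two configurations it checks are constructed samples. It treats a missing -U as a warning rather than a failure because memcached 1.5.6 and later disable UDP by default while older builds enable it.

```python
"""Check a memcached.conf / sysconfig-style configuration for the network
exposure settings discussed above: the UDP listener and the bind address."""
import shlex

# Constructed samples in the same KEY="value" form as the excerpt above.
SAMPLE_SECURE = """\
PORT="11211"
USER="memcached"
MAXCONN="2048"
CACHESIZE="4096"
OPTIONS="-U 0 -l 127.0.0.1"
"""

SAMPLE_EXPOSED = """\
PORT="11211"
USER="memcached"
# no -l, so memcached binds every interface; UDP left on
OPTIONS="-U 11211"
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ANY_ADDRESS = {"0.0.0.0", "::"}


def parse_sysconfig(text):
    """Return KEY -> value for KEY="value" lines, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value)
        cfg[key.strip()] = parts[0] if parts else ""
    return cfg


def parse_options(options):
    """Extract the UDP port (-U / --udp-port) and listen addresses (-l /
    --listen) from a memcached command line; None means the flag is absent."""
    args = shlex.split(options)
    udp_port, listen = None, []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-U", "--udp-port"):
            udp_port = int(args[i + 1])
            i += 1
        elif arg.startswith("--udp-port="):
            udp_port = int(arg.split("=", 1)[1])
        elif arg.startswith("-U"):
            udp_port = int(arg[2:])
        elif arg in ("-l", "--listen"):
            listen += args[i + 1].split(",")
            i += 1
        elif arg.startswith("--listen="):
            listen += arg.split("=", 1)[1].split(",")
        elif arg.startswith("-l"):
            listen += arg[2:].split(",")
        i += 1
    return udp_port, listen


def audit_memcached(text):
    """Return findings for a configuration in the sysconfig form."""
    udp_port, listen = parse_options(parse_sysconfig(text).get("OPTIONS", ""))
    findings = []
    if udp_port is None:
        # memcached 1.5.6+ defaults UDP off; older builds default it on
        findings.append("UDP not explicitly disabled with -U 0 (depends on the memcached version default)")
    elif udp_port != 0:
        findings.append(f"UDP listener enabled on port {udp_port}")
    if not listen or any(addr in ANY_ADDRESS for addr in listen):
        findings.append("listening on all interfaces (no -l, or -l 0.0.0.0/::)")
    for addr in listen:
        # -l accepts host:port for IPv4; strip the port before comparing
        host = addr.rsplit(":", 1)[0] if addr.count(":") == 1 else addr
        if host not in LOOPBACK and host not in ANY_ADDRESS:
            findings.append(f"reachable on {addr}; firewall it to the Tomcat nodes only")
    return findings


if __name__ == "__main__":
    for label, sample in (("secure", SAMPLE_SECURE), ("exposed", SAMPLE_EXPOSED)):
        print(label, audit_memcached(sample) or ["ok"])
```

A "reachable on" finding is expected for a shared Memcached host; it is a reminder that the firewall rules in the list above, not the bind address, are what keep other hosts out.
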