Jamf Pro Security Recommendations

This article explains the recommended security settings for Jamf Pro servers hosted on Jamf Cloud or on premises. You must ensure that the Jamf Pro server and all supporting technology (including the server OS, Java, Apache Tomcat, and MySQL) comply with your own internal security standards. This article provides basic recommendations for keeping your Jamf Pro server and the underlying infrastructure up to date and secure.

Jamf Pro Server Settings

To ensure your server is as secure as possible, you can enable the following security-related settings in Jamf Pro:
  • Configure the Password Policy for Jamf Pro user accounts. For more information, see the "Configuring the Password Policy" section of the Jamf Pro User Accounts and Groups page in the Jamf Pro Administrator's Guide.
  • Enable the minimum required privileges. Grant every user account and group only the privileges your organization requires. For more information, see the "Creating a Jamf Pro User Account" section of the Jamf Pro User Accounts and Groups page in the Jamf Pro Administrator's Guide.
  • Configure the Change Management settings to log changes. Log changes in Jamf Pro by configuring the Change Management settings (enabled automatically on Jamf Cloud instances). For more information, see the "Viewing Change Management Logs in Jamf Pro" section of the Change Management page in the Jamf Pro Administrator's Guide.
  • Schedule log flushing at appropriate intervals. For more information, see the "Scheduling Log Flushing" section of the Flushing Logs page in the Jamf Pro Administrator's Guide.
  • Enable certificate-based authentication and configure SSL certificate verification. Ensure the Jamf Pro server has a valid web server certificate before enabling this option. For more information, see the Security Settings page in the Jamf Pro Administrator's Guide and the Safely Configuring SSL Certificate Verification article.
  • Require user authentication to Self Service. For more information, see the Self Service for macOS User Login Settings page in the Jamf Pro Administrator's Guide.
  • Require users to authenticate when enrolling via automated MDM enrollment. Require users to authenticate during computer or mobile device setup when enrolling via Apple's Automated Device Enrollment (formerly DEP) using a PreStage enrollment in Jamf Pro. For more information, see the Computer PreStage Enrollments and Mobile Device PreStage Enrollments pages in the Jamf Pro Administrator's Guide.

Content Distribution

Cloud Distribution Points

Jamf Cloud Distribution Service (JCDS)
If your Jamf Pro server is hosted in Jamf Cloud and you have the subscription-based option, you can use Jamf Cloud Distribution Service (JCDS) as your cloud distribution point.
Amazon CloudFront
You can also use Amazon CloudFront to serve content with signed URLs. For more information, see the following documentation from Amazon: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html
Akamai
Using Akamai with Token Authorization protection enabled is also a secure content delivery network option. For more information about how to use Token Authorization in Akamai, see the following documentation from Akamai: https://learn.akamai.com/en-us/webhelp/media-services-on-demand/stream-packaging-user-guide/GUID-4EB9C226-4B31-4BBD-B545-1CAB8917E3D1.html

For more information about configuring, testing, and replicating the cloud distribution points, see the Cloud Distribution Point page of the Jamf Pro Administrator's Guide.

File Share Distribution Points

If you cannot use JCDS, or you have configured your own file share distribution point, Jamf Pro can still distribute content to managed computers and devices from that share. Consider the following recommendations for securing content distribution:

File Sharing (navigate to Settings > Server Infrastructure > File Share Distribution Points > select distribution point > File Sharing tab):

  • Consider using a nonstandard port for your server. This only keeps the share out of casual port scans; it is not a substitute for authentication and encryption. (For more information about standard ports, see the Network Ports Used by Jamf Pro article.)

  • Create separate service accounts for read/write (used for replication) and read-only (used by clients to download) privileges, so that a credential recovered from a managed computer cannot modify the share

HTTP Downloads (navigate to Settings > Server Infrastructure > File Share Distribution Points > select distribution point > HTTP/HTTPS tab):

  • Enable HTTP downloads by selecting the Use HTTP downloads checkbox

  • Enable SSL by selecting the Use SSL checkbox, so that downloads go over HTTPS (the checkbox keeps the historical "SSL" name; the connection uses TLS)

  • Require authentication to download files by choosing "Username and Password" from the Authentication Type pop-up menu

For more information, see the File Share Distribution Points page in the Jamf Pro Administrator's Guide.

Managed Devices

macOS Computers
It is recommended that you use the following suggestions to secure macOS computers:
  • Increase management account password security by selecting the Randomly generate new password checkbox in the Management Account payload of a computer policy, and configure how often the password is reset
  • Configure passcode complexity for local user accounts by deploying the Passcode payload in a computer configuration profile
  • Require FileVault 2 encryption (For more information, see the Deploying Disk Encryption Configurations page in the Jamf Pro Administrator's Guide.)
  • Configure conditional access (For more information, see the Microsoft Intune Integration page in the Jamf Pro Administrator's Guide.)
iOS Devices
It is recommended that you use the following suggestions to secure iOS devices:
  • Configure passcode complexity for local user accounts by deploying the Passcode payload in a mobile device configuration profile
  • Ensure the "Make app managed when possible" checkbox is selected when distributing apps, so that app data stays under MDM control and can be removed with the app
Patch Policies and Reporting
It is important to keep your apps up-to-date with the latest security patches. For more information, see the Patch Policies and Patch Reporting pages in the Jamf Pro Administrator's Guide.
Scripts
Custom or prebuilt scripts are a common way to run commands on computers, and can be run using a policy. Avoid hard-coding credentials for Jamf Pro server administrator accounts in scripts: any Jamf Pro user who can view scripts, and the computer on which the script runs, can read them. If a script must call the Jamf Pro API, use a dedicated account with the minimum privileges and supply its credential at run time rather than in the script body.
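As an added example (not from the article and not Jamf's code), the following Python script flags hard-coded credentials in policy scripts the way a reviewer would before uploading them to Jamf Pro. Both sample scripts, the hostname jamf.example.com and the account names are constructed. The second sample shows the alternative the paragraph above points toward: the credential is supplied at run time (here as policy script parameters $4 and $5) and exchanged for a short-lived bearer token via the Jamf Pro API, so nothing secret is stored in the script.

```python
"""Flag hard-coded Jamf Pro credentials in policy scripts.

Added example, not Jamf's code. The two sample scripts, the hostname and the
account names are constructed; the API endpoints in the second sample only
illustrate the run-time token pattern.
"""
import re

# Constructed sample: embeds an administrator credential in three different ways.
HARD_CODED = r'''#!/bin/bash
JSS_URL="https://jamf.example.com:8443"
API_USER="jamfadmin"
API_PASS="Winter2024!"
curl -sk -u "$API_USER:$API_PASS" "$JSS_URL/JSSResource/computers" >/dev/null
curl -sk -u jamfadmin:Winter2024! "$JSS_URL/JSSResource/policies" >/dev/null
curl -sk -H "Authorization: Basic amFtZmFkbWluOldpbnRlcjIwMjQh" "$JSS_URL/api/v1/auth/token"
'''

# Constructed sample: the credential arrives at run time (policy parameters $4/$5)
# and is exchanged for a short-lived bearer token; the file itself holds no secret.
RUNTIME_CREDENTIALS = r'''#!/bin/bash
JSS_URL="https://jamf.example.com:8443"
API_USER="$4"
API_PASS="$5"
TOKEN=$(curl -s -u "$API_USER:$API_PASS" -X POST "$JSS_URL/api/v1/auth/token" \
        | sed -n 's/.*"token" *: *"\([^"]*\)".*/\1/p')
curl -s -H "Authorization: Bearer $TOKEN" "$JSS_URL/api/v1/computers-inventory" >/dev/null
'''

# Shell variable assignment: NAME=value (optionally exported).
ASSIGN_RE = re.compile(r'^\s*(?:export\s+)?(?P<name>[A-Za-z_]\w*)=(?P<value>.*)$')
# Variable names that usually carry a secret (heuristic; review the findings).
SECRET_NAME_RE = re.compile(r'pass|pwd|secret|token|api_?key', re.IGNORECASE)
# curl -u / --user followed by a credential argument.
CURL_USER_RE = re.compile(r'(?:^|\s)(?:-u|--user)[\s=]+["\']?(?P<cred>[^"\'\s]+)')
# A literal HTTP Basic header (base64 of user:password).
BASIC_RE = re.compile(r'Authorization:\s*Basic\s+[A-Za-z0-9+/=]{8,}', re.IGNORECASE)


def _is_literal(value):
    """True when a value is a fixed string rather than a variable or command substitution."""
    v = value.strip().strip('"\'').strip()
    return bool(v) and not v.startswith("$") and not v.startswith("`")


def scan_script(text):
    """Return (line number, reason, line) for every hard-coded credential found."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments and the shebang line
        m = ASSIGN_RE.match(line)
        if m and SECRET_NAME_RE.search(m["name"]) and _is_literal(m["value"]):
            findings.append((n, f"literal value assigned to {m['name']}", line.strip()))
        m = CURL_USER_RE.search(line)
        if m and ":" in m["cred"] and _is_literal(m["cred"]):
            findings.append((n, "literal user:password passed to curl", line.strip()))
        if BASIC_RE.search(line):
            findings.append((n, "literal HTTP Basic Authorization header", line.strip()))
    return findings


if __name__ == "__main__":
    for name, script in (("HARD_CODED", HARD_CODED), ("RUNTIME_CREDENTIALS", RUNTIME_CREDENTIALS)):
        print(f"{name}: {len(scan_script(script))} finding(s)")
        for line_no, reason, text in scan_script(script):
            print(f"  line {line_no}: {reason}: {text}")
```

Run it over every script before uploading it to Jamf Pro. The heuristics are deliberately simple (a variable whose name contains pass, pwd, secret, token or key assigned a literal; a literal user:password given to curl -u; a literal Basic Authorization header), so review what it reports rather than treating an empty result as proof. Policy script parameters are still visible to any Jamf Pro user who can read the policy and, while the script runs, in the process list, so the account they carry should be a dedicated API account with the minimum privileges, never an administrator account.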

On-Premise Specific Settings

Server OS

You can host Jamf Pro on any server that meets the requirements listed on the Jamf Pro System Requirements page of the Jamf Pro Release Notes.

Note:

Although you can install Jamf Pro on any server that meets the minimum requirements, the Jamf Pro Installers for Mac, Linux, and Windows have additional requirements. For more information, see the Jamf Pro Installation and Configuration Guide for your platform.

To further secure the server OS, consider the following System Settings recommendations:
  • Disable guest access
  • Disable automatic login
  • Remove unnecessary service accounts
  • Remove or reset all default passwords
  • Restrict account privileges to minimum required
  • Restrict processes to minimum required
  • Control available ports and network services

Java

The Jamf Pro server and supporting technologies (Apache Tomcat) rely on the Java Development Kit (JDK) with unlimited strength cryptography enabled. Java 8u161 and later, and all Java 9 and later releases, enable unlimited strength cryptography by default; older releases require the separate Unlimited Strength Jurisdiction Policy Files. For more information about how to install Java, see the Installing Java and MySQL for Jamf Pro 10.14.0 or Later article.

Apache Tomcat

Apache Tomcat is an open-source web server and Java servlet container developed and maintained by the Apache Software Foundation, and is used to run the Jamf Pro web app. For more information about securing Apache Tomcat, see the Open Web Application Security Project's (OWASP) article: https://wiki.owasp.org/index.php/Securing_tomcat

The following recommendations, some of which the Jamf Pro installers implement by default, will help you ensure Apache Tomcat is up-to-date and secure.

Note:

It is recommended that you create a backup of the server.xml file before making any changes.

(Jamf Pro 10.20.0 or later) Modify the server.xml file
Modify the server.xml file by doing the following:
  • Use HTTPS only and disable HTTP. Comment out (or remove) the plain HTTP connector so that only the HTTPS connector remains:
    <!--
    <Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="9006" protocol="HTTP/1.1"
    connectionTimeout="20000" maxPostSize="8388608" redirectPort="8443" />
    -->
  • Configure strong ciphers and encryption. For more information about which ciphers to replace, see the Configuring Supported Ciphers for Tomcat HTTPS Connections article. To configure the encryption, see the following recommendations in OWASP's article: https://wiki.owasp.org/index.php/Securing_tomcat#Encryption
  • Enable access logging. To use the default access log valve, uncomment (or add) the Valve element whose className is "org.apache.catalina.valves.AccessLogValve". You can keep the default log values or configure the pattern attribute by using the following documentation from Apache Tomcat: https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Extended_Access_Log_Valve
(Jamf Pro 10.19.0 or earlier) Modify the server.xml file
Modify the server.xml file by doing the following:
  • Configure the ErrorReportValve to prevent Apache Tomcat version disclosure. Tomcat's default error pages report the Tomcat version. To suppress it, configure the ErrorReportValve in the CATALINA_BASE/conf/server.xml file (showServerInfo="false" hides the version; showReport="false" also hides stack traces), following the documentation for the version of Apache Tomcat you are using.
  • Prevent communication over the default AJP port. To prevent the default AJP port (8009) from being reachable from untrusted networks, do one of the following:
    • Comment out the AJP connector in the server.xml file and restart the Jamf Pro Tomcat service.
    • Block port 8009 on your firewall.
    • Upgrade to Jamf Pro 10.20.0 or later.
  • Modify the ServerInfo.properties file to prevent server version disclosure. Modify the ServerInfo.properties file using the recommendations in the "Valves" section of Apache Tomcat's documentation: https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Valves
  • Replace the default error page to prevent version disclosure (web.xml). To replace the default error page, modify the web.xml file using the recommendations in OWASP's documentation: https://wiki.owasp.org/index.php/Securing_tomcat
  • Enable SSL certificate validation. Validate the issuer, the Subject Alternative Name (SAN), and the expiration date. For more information about how to configure the SSL Certificate Validation setting, see the Safely Configuring SSL Certificate Verification article.
  • (Optional) Modify web.xml to limit specific web application servlets. Change the behavior of specific servlets, or remove their definitions from web.xml, so that only the servlets your deployment needs are exposed.
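The two server.xml procedures above (disabling HTTP, restricting ciphers and protocols, enabling access logging, hiding the Tomcat version in error pages, and removing the AJP connector) can be checked and applied mechanically. The following Python script is an added example, not Jamf's or Apache's code: it audits a server.xml for each of those points and writes a hardened copy. The sample server.xml, the cipher allow-list and the valve attribute values are assumptions for illustration; take the cipher list from the Configuring Supported Ciphers article and confirm the result against the Tomcat documentation for your version. It sets the ciphers and sslEnabledProtocols attributes directly on the Connector, the form that Jamf's cipher article uses.

```python
"""Audit and harden a Tomcat server.xml along the lines of the recommendations above.

Added example, not Jamf's or Apache's code. The sample server.xml, ports, cipher
list and valve settings are constructed for illustration; check them against the
file the Jamf Pro installer ships and the Tomcat documentation for your version.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a plain HTTP connector, an AJP connector, an HTTPS connector
# that does not restrict ciphers, and a Host with no logging or error valves.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-" maxThreads="150"/>
    <Connector URIEncoding="UTF-8" executor="tomcatThreadPool" port="9006" protocol="HTTP/1.1"
               connectionTimeout="20000" maxPostSize="8388608" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" keystoreFile="conf/keystore.jks"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

ACCESS_LOG = "org.apache.catalina.valves.AccessLogValve"
ERROR_REPORT = "org.apache.catalina.valves.ErrorReportValve"
# Illustrative allow-list (assumption): TLS 1.2/1.3 only, AEAD suites with forward secrecy.
TLS_PROTOCOLS = "TLSv1.2,TLSv1.3"
STRONG_CIPHERS = ",".join([
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
])


def _is_ajp(conn):
    return conn.get("protocol", "HTTP/1.1").upper().startswith("AJP")


def _is_tls(conn):
    return conn.get("SSLEnabled", "false").lower() == "true"


def audit(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port")
        if _is_ajp(conn):
            findings.append(f"AJP connector enabled on port {port}")
        elif not _is_tls(conn):
            findings.append(f"plain HTTP connector enabled on port {port}")
        else:
            shc = conn.find("SSLHostConfig")  # Tomcat 8.5+ may hold the TLS settings here instead
            restricted = (conn.get("ciphers") and conn.get("sslEnabledProtocols")) or (
                shc is not None and shc.get("ciphers") and shc.get("protocols"))
            if not restricted:
                findings.append(f"HTTPS connector on port {port} does not restrict ciphers or protocols")
    for host in root.iter("Host"):
        valves = {v.get("className"): v for v in host.findall("Valve")}
        if ACCESS_LOG not in valves:
            findings.append(f"Host {host.get('name')} has no AccessLogValve")
        err = valves.get(ERROR_REPORT)
        if err is None or err.get("showServerInfo", "true").lower() != "false":
            findings.append(f"Host {host.get('name')} error pages disclose the Tomcat version")
    return findings


def harden(xml_text):
    """Return server.xml text with every finding from audit() fixed."""
    root = ET.fromstring(xml_text)
    for svc in list(root.iter("Service")):
        for conn in list(svc.findall("Connector")):
            if _is_ajp(conn) or not _is_tls(conn):
                svc.remove(conn)  # HTTPS only: drop the HTTP and AJP connectors entirely
                continue
            conn.set("sslEnabledProtocols", TLS_PROTOCOLS)
            conn.set("ciphers", STRONG_CIPHERS)
    for host in list(root.iter("Host")):
        present = {v.get("className") for v in host.findall("Valve")}
        if ACCESS_LOG not in present:
            ET.SubElement(host, "Valve", {
                "className": ACCESS_LOG, "directory": "logs",
                "prefix": "localhost_access_log", "suffix": ".txt",
                "pattern": '%h %l %u %t "%r" %s %b',
            })
        for v in host.findall("Valve"):
            if v.get("className") == ERROR_REPORT:
                host.remove(v)  # re-added below with disclosure switched off
        ET.SubElement(host, "Valve", {
            "className": ERROR_REPORT, "showReport": "false", "showServerInfo": "false",
        })
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
    print(harden(SAMPLE_SERVER_XML))
```

Run audit() against a copy of CATALINA_BASE/conf/server.xml before and after editing (after taking the backup recommended above); an empty list means every check passes. The script removes the HTTP and AJP connectors rather than commenting them out, which has the same effect; restart the Jamf Pro Tomcat service afterwards for the change to take effect.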

MySQL

MySQL is a relational database management system developed and maintained by Oracle. The Jamf Pro server uses MySQL as the back-end database for storing and maintaining system data. You should ensure MySQL is up-to-date and secure by using the following recommendations.
Run the default mysql_secure_installation
The MySQL installation includes the mysql_secure_installation command-line utility, which automates the basic tasks for securing a MySQL installation: setting a password for the root accounts, removing anonymous accounts, removing the test database, and removing the access privileges that go with them (it can also disallow remote root login).
For more information, see the mysql_secure_installation documentation for your version of MySQL.
If mysql_secure_installation is not available, do the following manually:
  • Set a password for the root accounts
  • Remove all privileges for anonymous user accounts (or remove the accounts)
  • Remove the test database and all associated privileges
Create a unique database name and a unique MySQL user with a secure password
For more information about how to change the database name and the root MySQL user password, see the Manually Creating the Jamf Pro Database article.
Note:

To increase security, use a unique database name and root MySQL user password that differ from the examples in the article.

Limit privileges to the minimum required
If you want to further restrict access to MySQL, you can create separate user accounts with limited privileges. See the MySQL documentation for your version for the GRANT syntax and the privilege definitions.
Following is a list of the MySQL privileges required for different types of environments:
  • For a standalone web application or the primary node in clustered environments:
    INSERT, SELECT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES
  • For a child node in clustered environments:
    INSERT, SELECT, UPDATE, DELETE, DROP, LOCK TABLES
  • To view connections from cluster nodes with different MySQL users:
    PROCESS
    Note:

    PROCESS is a global privilege, so it must be granted ON *.* rather than on the Jamf Pro database.

For example, you would execute commands using the following general syntax, granting the database-level privileges on the Jamf Pro database only:
GRANT <privileges> ON <database>.* TO '<user>'@'<host>';
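The privilege lists above, as an added example that is not part of the article or of Jamf's tooling: the following Python script produces the GRANT statements for a node of a given role and audits SHOW GRANTS output for an existing account against the same lists. The account names, hosts and SHOW GRANTS samples are constructed.

```python
"""Generate and audit MySQL grants for Jamf Pro database accounts.

Added example, not Jamf's code. Account names, hosts and the SHOW GRANTS
samples are constructed; the required privilege sets come from the article.
"""
import re

# Privileges the article lists per node type.
REQUIRED = {
    "primary": {"INSERT", "SELECT", "UPDATE", "DELETE", "CREATE", "DROP",
                "ALTER", "INDEX", "LOCK TABLES"},
    "child": {"INSERT", "SELECT", "UPDATE", "DELETE", "DROP", "LOCK TABLES"},
}
# PROCESS is a global privilege, so it is the only real privilege that belongs ON *.*
# (USAGE is MySQL's placeholder for "no privileges").
GLOBAL_ALLOWED = {"PROCESS", "USAGE"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<target>\S+)\s+TO\s+(?P<user>\S+)"
    r"(?:\s+WITH\s+(?P<with>.+))?$",
    re.IGNORECASE,
)

# Constructed SHOW GRANTS output for an over-privileged child node account.
OVERPRIVILEGED = """
GRANT USAGE ON *.* TO `jamfsoftware`@`10.0.0.%`
GRANT ALL PRIVILEGES ON `jamfsoftware`.* TO `jamfsoftware`@`10.0.0.%` WITH GRANT OPTION
"""
# Constructed SHOW GRANTS output for a correctly scoped primary node account.
LEAST_PRIVILEGE = """
GRANT USAGE ON *.* TO `jamfsoftware`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES ON `jamfsoftware`.* TO `jamfsoftware`@`localhost`
"""


def grant_statements(role, user, host, database="jamfsoftware", monitor=False):
    """Return the GRANT statements for a node of the given role, in the syntax used above."""
    privs = ", ".join(sorted(REQUIRED[role]))
    stmts = [f"GRANT {privs} ON `{database}`.* TO '{user}'@'{host}';"]
    if monitor:  # PROCESS is global, hence ON *.*
        stmts.append(f"GRANT PROCESS ON *.* TO '{user}'@'{host}';")
    return stmts


def parse_show_grants(output):
    """Parse SHOW GRANTS output into (privilege set, target) pairs."""
    grants = []
    for line in output.splitlines():
        m = GRANT_RE.match(line.strip().rstrip(";"))
        if not m:
            continue
        privs = {p.strip().upper() for p in m["privs"].split(",")}
        if m["with"] and "GRANT OPTION" in m["with"].upper():
            privs.add("GRANT OPTION")
        grants.append((privs, m["target"].replace("`", "")))
    return grants


def audit_grants(output, role, database="jamfsoftware"):
    """Compare an account's SHOW GRANTS output with what the role needs."""
    held, findings, all_global = set(), [], False
    for privs, target in parse_show_grants(output):
        if target == "*.*":
            all_global = all_global or "ALL PRIVILEGES" in privs
            extra = privs - GLOBAL_ALLOWED
            if extra:
                findings.append(f"global grant ON *.* carries {sorted(extra)}; only PROCESS belongs there")
        elif target == f"{database}.*":
            held |= privs - {"USAGE"}
        else:
            findings.append(f"grant on unexpected target {target}")
    required = REQUIRED[role]
    excess = sorted(held - required)
    # ALL PRIVILEGES already covers every required privilege, so do not also report them missing.
    missing = [] if (all_global or "ALL PRIVILEGES" in held) else sorted(required - held)
    return {"excess": excess, "missing": missing, "findings": findings}


if __name__ == "__main__":
    print("\n".join(grant_statements("child", "jamfchild", "10.0.0.12", monitor=True)))
    print(audit_grants(OVERPRIVILEGED, "child"))
    print(audit_grants(LEAST_PRIVILEGE, "primary"))
```

Paste the output of SHOW GRANTS FOR 'jamfsoftware'@'<host>'; into audit_grants() together with the node's role: excess lists privileges to revoke (ALL PRIVILEGES and GRANT OPTION are the usual ones on accounts created from older instructions), missing lists privileges the node cannot run without, and findings reports anything granted globally other than PROCESS.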
Schedule database backups
For more information, see the Backing Up the Database Using Jamf Pro Server Tools article.
Remove the <DataBasePassword> key or set a blank value
If the database password is removed from the configuration file (DataBase.xml), it must be entered manually for the Jamf Pro server web app at startup. In a clustered environment, the database password must be entered manually on each individual node.
Note:

Default values are included for reference only. Use unique values in production environments.

<DataBase>
...
<DataBaseName>jamfsoftware</DataBaseName>
<DataBaseUser>jamfsoftware</DataBaseUser>
<DataBasePassword></DataBasePassword>
...
</DataBase>

Securing Memcached

There are a number of ways to secure Memcached, depending on your environment. Some examples include:
  • Not exposing Memcached servers to external networks
  • Implementing firewall rules so that only the Jamf Pro clustered Tomcat nodes can reach the Memcached servers
  • Disabling UDP in the memcached.conf file (-U 0)
  • Using the -l flag to bind the listener to a specific IP address
The following excerpt of an example memcached.conf file shows how you might disable UDP and limit traffic to a specific IP:
PORT="11211"
USER="memcached"
# maximum simultaneous connections
MAXCONN="2048"
# cache size in MB (4096 = 4 GiB)
CACHESIZE="4096"
# -U 0 disables the UDP listener; -l binds TCP to one address. 127.0.0.1 is reachable only from this host;
# for cluster nodes on other hosts, bind to the private interface address instead (e.g., 10.0.0.5) and firewall it.
OPTIONS="-U 0 -l 127.0.0.1"

For more information on which ports are used in a typical Jamf Pro environment, see the Network Ports Used by Jamf Pro article.