How to manage the corporate Apple fleet?
- robertlesko2
- May 19
- 5 min read
PART 1: Jamf Pro (formerly Jamf Now) features and how they work

Device registration
Automated Apple device enrollment process that allows for quick setup and configuration of devices.
Device configuration
Apply profiles and policies to devices, including network settings, security policies, and application settings.
Application management
Install, update, and uninstall apps remotely, including App Store apps, and manage individual apps, device configuration, and basic security settings.
Security
Maintain device security, including data protection, remote wipe, and device locking.
Reporting and alerts
Generate detailed reports on the status of devices and actions taken, and set alerts for certain events.
Jamf School - target audience and features
Educational institutions
Designed specifically for the education sector, supporting teachers, students, and IT professionals.
Learning management
Integrated learning management features to help manage digital learning materials and classroom interactions.
Parental control
Tools for parents that allow them to monitor students' online activity and device usage.
These products are just a part of Jamf's offering, which includes a variety of specialized tools and features that serve a variety of business and educational needs.
Encryption and Security
Data Transmission Encryption
HTTPS/SSL
Jamf Pro secures all network communications over HTTPS, which uses SSL/TLS encryption to protect data. This includes communications between devices and the Jamf Pro server, as well as user interface and API access.
Standards
Jamf Pro supports industry standards, including TLS 1.2 or later, to ensure the security of data transmission.
Data Storage Encryption
Database Encryption
Sensitive data stored in the database, such as passwords and security certificates, is encrypted.
FileVault
FileVault encryption management on Mac devices is also available through Jamf Pro, ensuring the protection of data stored on devices.
Network Communication and Ports
Ports required for operation
TCP 443
HTTPS communication; the default port for the web interface, the API, and device communication.
TCP 8443
Optional; used when a custom HTTPS port is configured.
TCP 2195 and 2196
Apple Push Notification Service (APNs) communication, required to notify devices in real time.
VPNs and Firewalls
When designing your Jamf Pro network architecture, you should consider VPN usage and firewall rules to ensure that devices can communicate seamlessly with the Jamf Pro server. This is especially important for remote workers and BYOD (Bring Your Own Device) environments.
Functions and Their Technical Background
Device Registration Methods
Automatic Device Enrollment (ADE)
Allows devices to be enrolled automatically through Apple's servers directly upon purchase.
Manual Registration
Manually add devices using the device enrollment portal.
Application Management and Installation
MDM Commands
Jamf Pro uses MDM (Mobile Device Management) commands to install, update, and uninstall applications. The application installation commands communicate with devices through APNs.
VPP Integration
Apple's Volume Purchase Program (VPP) integration allows for bulk purchase and installation of apps without requiring an Apple ID on devices.
Security Policies and Configuration Profiles
Configuration profiles can be used to define and apply network settings, security policies, email configurations, and other device-specific settings. These profiles can be deployed directly to devices via MDM commands.
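As an added example (not code from the article or from Jamf), the Python script below builds the kind of FileVault configuration profile described above and audits it for weak settings before it is uploaded to Jamf Pro for MDM deployment. The payload types are Apple's documented configuration profile payloads; the profile identifier and the hardened values are this example's own choices, and the show_key/escrow switches exist only so the audit can be exercised.

```python
import plistlib
import uuid

PROFILE_ID = "com.example.profile.filevault"  # hypothetical identifier, constructed for this example


def _uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_filevault_profile(escrow_location: str, *, show_key: bool = False,
                            escrow: bool = True) -> bytes:
    """Return a .mobileconfig (XML plist) enforcing FileVault with an escrowed recovery key.

    Payload types are Apple's documented ones; the hardened values are this example's,
    not Jamf defaults. show_key/escrow exist only so the audit below can be exercised.
    """
    fv2 = {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadIdentifier": f"{PROFILE_ID}.fv2", "PayloadUUID": _uuid(), "PayloadVersion": 1,
        "Enable": "On",                 # FileVault must be turned on
        "Defer": True,                  # prompt at login/logout instead of needing credentials now
        "DeferForceAtUserLoginMaxBypassAttempts": 0,  # the user cannot keep postponing it
        "UseRecoveryKey": True,         # create a personal recovery key
        "ShowRecoveryKey": show_key,    # False: never display the key; it is escrowed instead
    }
    content = [fv2]
    if escrow:
        content.append({
            "PayloadType": "com.apple.security.FDERecoveryKeyEscrow",
            "PayloadIdentifier": f"{PROFILE_ID}.escrow", "PayloadUUID": _uuid(), "PayloadVersion": 1,
            "Location": escrow_location,  # text shown to the user about where the key is held
        })
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadScope": "System",
        "PayloadIdentifier": PROFILE_ID, "PayloadUUID": _uuid(), "PayloadVersion": 1,
        "PayloadDisplayName": "FileVault enforcement with recovery key escrow",
        "PayloadContent": content,
    })


def audit_filevault_profile(profile: bytes) -> list[str]:
    """Return policy findings for a profile; an empty list means it passes."""
    payloads = {p["PayloadType"]: p for p in plistlib.loads(profile).get("PayloadContent", [])}
    findings = []
    fv2 = payloads.get("com.apple.MCX.FileVault2")
    if fv2 is None or fv2.get("Enable") != "On":
        findings.append("FileVault is not enforced")
    elif fv2.get("ShowRecoveryKey", True):
        findings.append("recovery key would be displayed to the user")
    if "com.apple.security.FDERecoveryKeyEscrow" not in payloads:
        findings.append("no escrow payload: a lost recovery key means lost data")
    return findings
```

The same audit can be run over profiles exported from an existing Jamf Pro instance to catch ones that display the recovery key or skip escrow.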
Jamf Pro is a highly customizable and extensible platform that offers a variety of integrations and APIs for connecting with third-party applications.
For Jamf Pro, the details of database encryption may vary depending on the type of database you are using (e.g. MySQL, PostgreSQL) and the level of encryption you are using to protect your data.
Two Main Database Encryption Types
1. At-Rest Encryption
This type of encryption protects database files on your data storage. If someone gains access to your database files, the encryption prevents them from reading the data without the proper decryption key.
Database-level Encryption
Some database management systems, such as MySQL Enterprise Edition or PostgreSQL, provide built-in support for database encryption. This provides the ability to encrypt data at rest at the database level, including table and log file encryption.
Filesystem-level Encryption
Operating system-level encryption solutions, such as BitLocker (Windows) or FileVault (macOS), allow you to encrypt the entire disk or partition on which your database files are stored. While this is less flexible than database-level encryption, it can offer a simpler solution.
2. In-Transit Encryption
In-transit encryption ensures that data is encrypted as it travels across the network between the database and the application or between databases. This is typically achieved using SSL/TLS protocols, which create an encrypted channel for communication.
SSL/TLS Configuration
To encrypt communication between Jamf Pro and your database, you must set up SSL/TLS on your database server. This involves installing a trusted certificate on your database server and configuring Jamf Pro to communicate with your database over SSL/TLS.
Implementation Considerations
Performance
Encrypting both data at rest and in motion can increase system resource requirements, which can impact performance. It is worth testing the impact of encryption on database operations, especially for large datasets.
Key management
It is essential to store and manage your encryption keys securely. Use a key management system or service to prevent unauthorized access to your keys.
Restore and Backup
Make sure that backups and restore procedures for encrypted databases are tested. Encryption can affect the restore process, so it's important that these procedures are well-documented and reliable.
Before implementing Jamf Pro database encryption, it is recommended that you consult Jamf documentation and experts to ensure configuration is in accordance with best practices.
Jamf Pro, an enterprise device management solution specializing in Apple devices, offers a variety of features and integrations for efficient remote assistance and device management. Jamf Pro uses a variety of approaches and technologies in the areas of remote desktop assistance, scalability, and Privileged Access Management (PAM). Below, I will detail the engineering considerations behind these.
Remote Desktop Assistance
Jamf Pro does not directly provide a remote desktop access solution like other MDM (Mobile Device Management) solutions do. Instead, Jamf Pro offers integration with third-party remote desktop solutions, such as TeamViewer or Bomgar (also known as BeyondTrust). This allows IT professionals to remotely access and provide assistance on users' Apple devices.
Through these integrations, Jamf Pro enables IT teams to:
Quickly launch remote desktop sessions from the Jamf Pro interface.
Ensure secure access and support by using the remote desktop service's own security protocols and encryption.
Log and audit remote desktop sessions to support compliance requirements and internal audits.
Scalability
Jamf Pro is designed with scalability in mind to support environments ranging from small to enterprise. Jamf Pro is available in both cloud-based and on-premises deployment options to meet different business needs and infrastructures.
To ensure scalability, Jamf Pro:
Applies load balancing and clustering at the database and application server level to optimize performance and availability when managing a large number of devices.
Supports database replication and database clusters for high availability and fast data access.
Uses a modular architecture, which allows individual components, such as reporting and management functions, to be scaled separately.
Privileged Access Management (PAM)
Although Jamf Pro does not directly provide a built-in PAM solution, it can be integrated with various PAM systems using APIs and automation scripts. The goal is to provide strict access control and auditing in your device management environment. This includes:
Fine-grained management of user access rights and privileges, including device management commands and configuration profiles.
Auditing and logging of asset management operations, which helps to comply with IT security requirements and internal controls.
The engineering challenge of integrating Jamf Pro with PAM systems is finding the right balance between strict access control and efficient user task execution. The solution often requires developing custom scripts and automation processes that integrate Jamf Pro with the enterprise PAM system, ensuring secure and efficient asset management.
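The following is an added example, not code from the article or from Jamf: a Python wrapper implementing the integration pattern the text describes, which draws the Jamf Pro API account's password from a PAM vault on demand (the fetch_credential callback is assumed), exchanges it for a short-lived bearer token, records an audit entry for every call, and revokes the token as soon as the task ends. The /api/v1/auth/token, /api/v1/auth/invalidate-token and /api/v1/computers-inventory routes are Jamf Pro API endpoints as documented at the time of writing (check them against your Jamf Pro version), and fake_transport is a constructed server stand-in so the example runs offline.

```python
import base64
import json
import ssl
import urllib.request

def https_transport(url, method, headers):
    """Real HTTPS call: server certificate validated, nothing below TLS 1.2 accepted."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read()

class JamfSession:
    """Vault credential -> short-lived bearer token -> audited calls -> token revoked on exit."""
    def __init__(self, base_url, fetch_credential, transport=https_transport):
        self.base_url, self.fetch_credential, self.transport = base_url.rstrip("/"), fetch_credential, transport
        self.token, self.audit = None, []  # audit: one record per API call, to be shipped to your SIEM
    def __enter__(self):
        user, password = self.fetch_credential()  # assumed PAM vault callback; secret exists only here
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, body = self.transport(f"{self.base_url}/api/v1/auth/token", "POST", {"Authorization": f"Basic {basic}"})
        if status != 200:
            raise PermissionError(f"token request failed with HTTP {status}")
        self.user, self.token = user, json.loads(body)["token"]
        return self
    def get(self, path):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        status, body = self.transport(f"{self.base_url}{path}", "GET", headers)
        self.audit.append({"user": self.user, "method": "GET", "path": path, "status": status})
        return json.loads(body) if status == 200 else None
    def __exit__(self, *exc):
        # Revoke immediately so a token that leaks from logs or memory has no lifetime left.
        self.transport(f"{self.base_url}/api/v1/auth/invalidate-token", "POST", {"Authorization": f"Bearer {self.token}"})
        self.token = None

def fake_transport(url, method, headers):
    """Constructed stand-in for a Jamf Pro server so the example runs offline (not real responses)."""
    auth = headers.get("Authorization", "")
    if url.endswith("/api/v1/auth/token"):
        return (200, json.dumps({"token": "constructed-token"}).encode()) if auth.startswith("Basic ") else (401, b"")
    if auth != "Bearer constructed-token":
        return 401, b""
    if url.endswith("/api/v1/auth/invalidate-token"):
        return 204, b""
    return 200, json.dumps({"totalCount": 2, "results": [{"id": "1"}, {"id": "2"}]}).encode()

def count_computers(base_url, fetch_credential, transport=https_transport):
    """Example task: count managed computers, returning the total and the audit trail."""
    with JamfSession(base_url, fetch_credential, transport) as s:
        data = s.get("/api/v1/computers-inventory?page-size=1")
        return (data["totalCount"] if data else None), s.audit
```

In production the vault callback would be the PAM system's client library and the audit list a handler that forwards to the SIEM; the API account itself should hold only the Jamf Pro privileges the task needs.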
In summary, Jamf Pro delivers remote desktop assistance, scalability, and PAM through third-party integrations and high-level system configuration, enabling enterprises to effectively manage and support their Apple device fleet.