Description
Jamf Pro 11.16 introduced Jamf Pro compliance benchmarks which is a service that makes it easier for Jamf Pro administrators to audit and enforce compliance standards on managed computers.
A few things to note:
Compliance benchmarks may have releases separate from Jamf Pro.
It has it's own Learning Hub documentation separate from Jamf Pro.
Using OIDC-based SSO in Jamf Pro is required to have access to the service.
Jamf Pro leverages the macOS Security Compliance Project (mSCP) for templates, underlying security guidance, and configurations.
For more information, see the mSCP GitHub repository.
Using Jamf Pro Compliance Benchmarks
Creating a New Benchmark
Once a benchmark has been created/deployed, it is not possible to edit the name or description. It is also not possible to duplicate benchmarks.
In Jamf Pro, go to Compliance > Available and click Get started for the desired CIS level.
Update the name and description as needed.
Select the enforcement type: monitor or monitor and enforce.
monitor: the compliance benchmarks feature reports the device compliance level to the chosen benchmark.
enforce: the compliance benchmarks feature changes and maintains device configuration so that devices remain compliant with the selected benchmark.
Click Next.
Select one group to add to the Scope for the benchmark. Click Next.
(Optional) Customize the benchmark by deselecting any settings that are not desired and/or changing any custom values.
Click Next.
The Review and Deploy page will display what will be created in Jamf Pro based on the selections for the benchmark: configuration profiles, policies, scripts, smart groups, categories, etc.. You can click Details to review the scripts.
Click Save and deploy.
Editing a Benchmark
In Jamf Pro, go to Compliance > Enabled and click Open for the desired benchmark.
Make the changes to the benchmark:
To change the enforcement type:
Click ⋮ in the top-right and select Edit details.
Click the radio button for the enforcement type
Click Save draft in the bottom-right corner.
To update the scope:
Click Open for Scope.
Select the radio button for the new Smart Group you'd like to be in Scope.
Click Save draft in the bottom-right corner.
To modify the benchmark rules:
Click Open for Benchmark rules.
Deselect or select desired rules. Change any necessary values.
Click Save.
Under Configuration, you can click Open for the Management Settings to see the artifacts (groups, profiles, policies, etc.) that were created in Jamf Pro based on that configuration. Note - you cannot change any of these items from this view.
You can click Open for Benchmark Rules and either deselect or select desired rules.
Click Save.
To distribute the changes to managed devices in scope, click Deploy in the upper-right corner.
Note - if you do not deploy the changes you will be offered the option to discard changes in a yellow banner. Clicking Discard changes will immediately remove the changes. There is no confirmation pop-up asking if you are sure. A green banner will display in the bottom right corner confirming the changes were discarded.
Deleting a Benchmark
In Jamf Pro, go to Compliance > Enabled and click Open for the desired benchmark
Click ⋮ in the top-right, and then click Delete.
Click Delete again to delete the blueprint and remove all artifacts (groups, policies, etc.) that were created due to the benchmark.
Note:
Configuration profiles will uninstall from devices.
Settings deployed via Script are not undone/reset when a benchmark is deleted. This behavior is consistent with mSCP, Jamf Compliance Editor, and other MDM solutions' implementations.
Jamf Pro Compliance Benchmarks Reporting
Option 1: Rule report within Jamf Pro compliance benchmarks
In Jamf Pro, go to Compliance > Enabled and click Open for the desired benchmark.
Click the Rule Report tab.
Each rule in the benchmark will show on this tab. Either scroll through or use the Search field to pull up the view for that rule. The example below is looking at FileVault related rules.
Note - there is no way to export this information at this time.
Option 2: Using Advanced Searches in Jamf Pro
You can build your own compliant or noncompliant report using Advanced Search. For example the group below just uses the computer group criteria and pulls from the Compliant group the benchmark created.
Ensure desired inventory columns are added for the report, for more information see Computer Inventory Display Settings in the Jamf Pro Documentation.
Create a new Advanced Search (save it for reporting ease), following the steps on Creating Reports for Advanced Computer Searches in the Jamf Pro Documentation.
Frequently Asked Questions
What are the pre-requisites? Do I have to use OIDC SSO?
What are the pre-requisites? Do I have to use OIDC SSO?
Jamf Pro 11.16 or later
Jamf Standard Cloud-hosted or Jamf Premium Cloud-hosted environment
The Compliance menu item will not show in the left sidebar for Organizations whose environment is not compatible.
After release, compliance benchmarks will only be available for N-2 versions. Premium hosted customers will be presented with a screen stating they will need to update if the version they are on is no longer supported.
Cloud Services Connection configured in Jamf Pro
OIDC-based SSO through Jamf Account enabled in Jamf Pro; and user must sign into Jamf Pro with either:
Jamf ID
Identity Provider credentials for an SSO Connection added to Jamf Account for your Organization
if logging in with a local Jamf Pro user or via SAML SSO, compliance benchmarks will not be available to use.
Jamf Pro user with:
compliance benchmarks privileges (Create, Read, Update, Delete) and Smart Computer Groups (Read) under Jamf Pro Server Objects.
Cloud Services Connection (Read), Jamf Pro URL (Read), Sso (Read) under Jamf Pro Server Settings.
What platforms and OS versions does the compliance benchmarks feature support?
What platforms and OS versions does the compliance benchmarks feature support?
The compliance benchmarks feature supports macOS 13, 14, and 15. Scoping your benchmark to a smart group containing computers with other macOS versions may lead to unexpected results.
Our organization requires a compliance benchmark that is not defined by the CIS. How can we achieve this using the compliance benchmarks feature?
Our organization requires a compliance benchmark that is not defined by the CIS. How can we achieve this using the compliance benchmarks feature?
The compliance benchmarks feature currently contains only CIS Level 1 and CIS Level 2 benchmark templates. More templates will be available in the future.
What about existing benchmarking profiles and other configuration in Jamf Pro? Will they be automatically migrated into a compliance benchmarks configuration?
What about existing benchmarking profiles and other configuration in Jamf Pro? Will they be automatically migrated into a compliance benchmarks configuration?
No, you will need to migrate existing compliance related profiles, scripts and other configuration manually.
Are the objects created by compliance benchmarks visible or hidden? Can they be manually edited?
Are the objects created by compliance benchmarks visible or hidden? Can they be manually edited?
After the benchmark is deployed, the objects will show in Jamf Pro in their usual location (Settings > Categories, Computers > Policies, etc.) and can be edited there.
Once edited, there is no easy button to return to default or original version option. The object would either need to be edited again or the entire benchmark deleted.
The objects cannot be edited from Compliance > open benchmark > open Management Settings.
Adjusting the names of objects will not impact the association with compliance benchmarks; compliance benchmark uses unique ID not name.
What are the benefits of Jamf Pro compliance benchmarks vs Jamf Compliance Editor (JCE)?
What are the benefits of Jamf Pro compliance benchmarks vs Jamf Compliance Editor (JCE)?
Compliance benchmarks is great for organizations setting up CIS benchmarks for the first time. Benefits of Jamf Pro compliance benchmarks include:
You can set CIS once for all three operating systems instead of having to create a new one for each OS
If mSCP is updated, Jamf will automatically notify you of the change and request you update managed computers
Easier scoping, better UI experience.
JCE is not an official Jamf application, therefore not supported by Jamf whereas compliance benchmarks is.
Jamf Compliance Editor might be a better fit if your organization is already using it or if you need benchmarks besides CIS 1 or 2.
JCE utilizes mSCP to support macOS, iOS, iPadOS, visionOS for the NIST, DISA STIG, CNSSI, CMMC, and BSI Indigo baselines/benchmarks along with full reports in PDF/XML.
How can I provide feedback on how a rule is audited, deployed, managed or remediated?
How can I provide feedback on how a rule is audited, deployed, managed or remediated?
This project is based off the macOS Security Compliance Project hosted by US Government agency, NIST. Jamf does not control how a rule is created, written, scripted. Please provide that feedback in the NIST GitHub (link to project home, link for submitting issues).
More Resources