17:["$","div",null,{"className":"mx-auto max-w-7xl px-6 py-10","children":[["$","div",null,{"className":"mb-2","children":["$","$L2",null,{"href":"/stigs","className":"text-link text-sm hover:underline","children":"← Back to STIGs"}]}],["$","div",null,{"className":"mb-6 flex flex-wrap items-center gap-3","children":[["$","h1",null,{"className":"font-display text-3xl font-bold","children":"Jamf Pro v10.x EMM Security Technical Implementation Guide"}],false,["$","$L21",null,{}]]}],["$","section",null,{"className":"border-border bg-surface mb-8 rounded-lg border p-6","children":[["$","div",null,{"className":"grid grid-cols-2 gap-4 sm:grid-cols-5","children":[["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Version"}],["$","p",null,{"className":"font-semibold","children":["V","3","R","1"]}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Release Date"}],["$","p",null,{"className":"font-semibold","children":"May 31, 2024"}]]}],["$","div",null,{"className":"min-w-0","children":[["$","p",null,{"className":"text-text-muted text-xs","children":"SCAP Benchmark ID"}],["$","p",null,{"className":"truncate font-mono text-sm","title":"Jamf_Pro_v10-x_EMM_STIG","children":"Jamf_Pro_v10-x_EMM_STIG"}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Total Checks"}],["$","p",null,{"className":"font-semibold","children":29}]]}],["$","div",null,{"children":[["$","p",null,{"className":"text-text-muted text-xs","children":"Tags"}],["$","div",null,{"className":"flex flex-wrap gap-1","children":[["$","span","other",{"className":"bg-tag-bg text-tag-text rounded-full px-2 py-0.5 text-xs","children":"other"}]]}]]}]]}],["$","div",null,{"className":"mt-4 flex gap-4","children":[["$","span",null,{"className":"bg-severity-high-bg text-severity-high-text rounded px-3 py-1 text-sm font-medium","children":["CAT I: ",2]}],["$","span",null,{"className":"bg-severity-medium-bg text-severity-medium-text rounded px-3 py-1 text-sm font-medium","children":["CAT II: ",26]}],["$","span",null,{"className":"bg-severity-low-bg text-severity-low-text rounded px-3 py-1 text-sm font-medium","children":["CAT III: ",1]}]]}],["$","p",null,{"className":"text-text-secondary mt-4 text-sm","children":"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil."}],["$","div",null,{"className":"mt-4 flex flex-wrap gap-3","children":[["$","a",null,{"href":"/api/export/checklist?stigTitle=Jamf%20Pro%20v10.x%20EMM%20Security%20Technical%20Implementation%20Guide&format=ckl","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CKL"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Jamf%20Pro%20v10.x%20EMM%20Security%20Technical%20Implementation%20Guide&format=csv","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export CSV"}],["$","a",null,{"href":"/api/export/checklist?stigTitle=Jamf%20Pro%20v10.x%20EMM%20Security%20Technical%20Implementation%20Guide&format=json","className":"text-text-primary hover:bg-surface-hover border-border rounded border px-3 py-1 text-sm","children":"Export JSON"}],["$","a",null,{"href":"https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Jamf_Pro_v10-x_EMM_V3R1_STIG.zip","target":"_blank","rel":"noopener noreferrer","className":"bg-link/10 text-link hover:bg-link/20 border-link/30 rounded border px-3 py-1 text-sm font-medium","children":"Download STIG ZIP"}]]}]]}],["$","$L22",null,{"checks":[{"id":"e7fdef03-2f35-4a4a-93b5-224b787df59d","vulnId":"V-241790","severity":"medium","ruleTitle":"When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.","description":"When a Jamf Pro EMM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks.\n\nSFR ID: FIA_X509_EXT.2.2","checkContent":"Validate the Jamf Pro EMM server has been configured to not accept a certificate if the certificate cannot be validated.\n\n1. Open the Jamf Pro EMM console.\n2. Open \"Settings\".\n3. Select \"User-Initiated Enrollment\".\n4. Under the General tab, verify \"Use a third-party signing certificate\" is selected.\n5. Verify the name and certificate extension of the DoD p12 certificate is listed.\n\nIf the Jamf Pro EMM server has been not been configured to not accept a certificate if the certificate cannot be validated, this is a finding.","fixText":"Configure the Jamf Pro EMM server to not accept a certificate if the certificate cannot be validated.\n\n1. Open the Jamf Pro EMM console.\n2. Open \"Settings\".\n3. Select \"User-Initiated Enrollment\".\n4. Under the General tab, select \"Use a third-party signing certificate\".\n5. Drag and drop the DoD p12 certificate.\n6. Click \"Save\"."},{"id":"d4e2d0b9-591f-4489-b33c-6e5a37279df8","vulnId":"V-241791","severity":"medium","ruleTitle":"The Jamf Pro EMM server or platform must be configured to initiate a session lock after a 15-minute period of inactivity.","description":"A session time-out lock is a temporary action taken when a user (MDM system administrator) stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock.\n\nThe session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock but may be at the application level where the application interface window is secured instead.\n\nSFR ID: FMT_SMF.1.1(2) i","checkContent":"Verify the Jamf Pro EMM server or platform is configured to initiate a session lock after a 15-minute period of inactivity.\n\nReview the variable in the Jamf Pro web.xml file.\n\nOn the Jamf Pro host server, open the web.xml file:\n\nIf using macOS, the web.xml file is located at the following filepath:\n/Library/JSS/Tomcat/webapps/ROOT/WEB-INF/\n\nIf using Windows, the web.xml file is located at the following filepath:\nC:\\Program Files\\JSS\\Tomcat\\webapps\\ROOT\\WEB-INF\\\n\nIf using Linux, the web.xml file is located at the following filepath:\n/usr/local/jss/tomcat/webapps/ROOT/WEB-INF/\n\nLocate the following setting:\n\n15 \n\n\nEnsure that the code is not commented out. If the code is commented out, remove the comment tags that encase the code.\nNote: Session timeout is in minutes.\n\nIf the code is commented out or session-timeout is not configured to \"15\" minutes or less, this is a finding.","fixText":"$23"},{"id":"685aceef-cebc-4734-bb81-ce2dd1beb63e","vulnId":"V-241792","severity":"medium","ruleTitle":"The Jamf Pro EMM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Jamf Pro EMM server install).","description":"It is critical that only authorized certificates are used for key activities such as code signing for system software updates, code signing for integrity verification, and policy signing. Otherwise, there is no assurance that a malicious actor has not inserted itself in the process of packaging the code or policy. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. Therefore, the Jamf Pro EMM server must have the capability to configure the enterprise certificate.\n\nSFR ID: FMT_SMF.1.1(2) i, FMT_POL_EXT.1.1","checkContent":"Verify Jamf Pro is utilizing an External CA for signing communication to mobile devices:\n\n1. Open Jamf Pro server.\n2. Open \"Settings\".\n3. Select \"PKI Certificates\".\n4. Select \"Management Certificate Template\".\n5. Select \"External CA\" tab.\n6. Verify the \"Use a SCEP-enabled external CA for computer and mobile device enrollment\" is enabled.\n7. Verify that the Signing Certificate is listed at the bottom of the page.\n\nIf these settings are confirmed, Jamf Pro is set to use an external CA.\n\nIf Jamf Pro is not configured to use an External CA for signing communication to mobile devices, this is a finding.","fixText":"Configure the following settings within the Jamf Pro EMM server for ensuring an authorized DoD certificate is used for signing enrollment and configuration profiles:\n\n1. Open Jamf Pro server.\n2. Open \"Settings\".\n3. Open \"PKI Certificates\".\n4. Select \"Management Certificate Template\" tab.\n5. Select \"External CA\" tab.\n6. Select \"Edit\".\n7. Select to use SCEP-enabled external CA for computer and mobile device enrollment.\n8. Enter all the applicable settings to connect this server to SCEP/Entrust enabled CA.\n9. Select \"Save\".\n10. At the bottom of the External CA screen, select \"Change Signing and CA Certificates\".\n11. Follow onscreen instructions to upload the signing and CA certificates for Jamf Pro to use.\n\nJamf Pro is now set to use an External CA for signing all communication to mobile devices."},{"id":"8cf44470-51ae-454d-90e1-e0aaa2713dce","vulnId":"V-241793","severity":"medium","ruleTitle":"The Jamf Pro EMM server must be configured to transfer Jamf Pro EMM server logs to another server for storage, analysis, and reporting.\n\nNote: Jamf Pro EMM server logs include logs of MDM events and logs transferred to the Jamf Pro EMM server by MDM agents of managed devices.","description":"Audit logs enable monitoring of security-relevant events and subsequent forensics when breaches occur. Since the Jamf Pro EMM server has limited capability to store mobile device log files and perform analysis and reporting of mobile device log files, the Jamf Pro EMM server must have the capability to transfer log files to an audit log management server.\n\nSFR ID: FMT_SMF.1.1(2) i, FAU_STG_EXT.1.1(1)","checkContent":"Verify the Jamf Pro EMM server is enabled to push syslog:\n\n1. Open Jamf Pro server.\n2. Open \"Settings\".\n3. Select \"Change Management\".\n4. Verify the settings for Syslog Server (log file transfer to the syslog server).\n\nIf the Jamf Pro EMM server is not configured to enable syslog, this is a finding.","fixText":"Configure the Jamf Pro EMM server to enable syslog:\n\n1. Open Jamf Pro server.\n2. Open \"Settings\".\n3. Select \"Change Management\".\n4. Click \"Edit\".\n5. Configure the settings for Syslog Server.\n6. Click \"Save\"."},{"id":"43090161-909c-4ecb-876c-e2c5fc117c39","vulnId":"V-241794","severity":"low","ruleTitle":"The Jamf Pro EMM server must be configured to display the required DoD warning banner upon administrator logon.\n\nNote: This requirement is not applicable if the TOE platform is selected in FTA_TAB.1.1 in the Security Target (ST).","description":"$24","checkContent":"Verify the Jamf Pro EMM server for customized login page:\n\nGo to /path/to/JSS/Tomcat/webapps/ROOT/WEB-INF/frontend folder.\n\nFind the login.jsp.\n\nLocate new content related to customized text for DoD classification.\n\nVerify the DoD warning banner text is correct.\n\nIf the Jamf Pro EMM server is not configured to display DoD warning banner when the system administrator logs on to the server, this is a finding.","fixText":"Configure the Jamf Pro EMM server for customized login page:\n\nGo to /path/to/JSS/Tomcat/webapps/ROOT/WEB-INF/frontend>>Open the login.jsp with a text editor application.\n\nScroll to the bottom of the page by the line \"\"\nUnder the create a new line and paste the following:\n\nNOTE: Anything under \"style\" and \"body\" can be customized to fit your environments needs.\n \n\n\n

\"\"Place DoD warning banner first line here\"\"

\"\"place second (or next) line here\"\"

\n\n\nRestart Tomcat for changes to take effect."},{"id":"e1e760e3-6f94-42e9-8d5a-d3d6b75b0ac2","vulnId":"V-241795","severity":"medium","ruleTitle":"The Jamf Pro EMM server must be configured to have at least one user in the following Administrator roles: Server primary administrator, security configuration administrator, device user group administrator, auditor.","description":"$25","checkContent":"Administrator and Audit level permission groups are configured by default within Jamf Pro server. \n\nVerify the additional group permissions by:\n\n1. Open Jamf Pro server.\n2. Open \"Settings\".\n3. Select \"Jamf Pro User Accounts and Groups\".\n4. View the necessary information for each group has been created with appropriate privilege sets.\n\nJamf Pro EMM server will have the appropriate group level permissions available for applying to individual user accounts or AD groups.\n\nIf required administrator roles have not been set up on the server, this is a finding.","fixText":"Administrator and Audit level permission groups are configured by default within Jamf Pro server. \n\nConfigure the additional group permissions by:\n\n1. Open Jamf Pro server.\n2. Open \"Settings\".\n3. Select \"Jamf Pro User Accounts and Groups\".\n4. Select \"New\".\n5. Select \"Create Standard Group\", click \"Next\".\n6. Fill out all the necessary information for creating the group including the privilege set.\n7. Click \"Save\".\n8. Repeat for each group of permissions that are needed.\n\nOnce completed, Jamf Pro EMM server will have the appropriate group level permissions available for applying to individual user accounts or AD groups."},{"id":"cd352fc1-dc47-4a8e-a8d8-fd29a2c272fe","vulnId":"V-241796","severity":"medium","ruleTitle":"The Jamf Pro EMM server must be configured to leverage the MDM platform user accounts and groups for Jamf Pro EMM server user identification and CAC authentication.","description":"A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Jamf Pro EMM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Jamf Pro EMM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FIA","checkContent":"$26","fixText":"Implement one of the following options:\n\nOption #1. Connect Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication. Note: Jamf requires AGS to support SAML.\n\n- Set up AGS / IdAM environment.\n- Connect the Jamf pro EMM to the AGS:\n1. Open \"Settings\".\n2. Select \"SSO\" (Single Sign-on).\n3. Select \"Edit\".\n4. Enable Single Sign-on Authentication.\n5. Complete the appropriate settings to connect Jamf Pro EMM to the AGS using SAML-based protocol.\n6. Click \"Save\".\n\nNote: If Option #1 is used, requirements JAMF-10-100700 to JAMF-10-10820 are Not Applicable and requirement JAMF-10-200040 is Applicable - Configurable.\n\nOption #2. Implement strong password policy for admin local accounts. Configure the server password policy (JAMF-10-100700 to JAMF-10-10820).\n\nNote: If Option #2 is used, requirement JAMF-10-200040 is Not Applicable."},{"id":"94f8043e-c351-4614-9c97-d3bf8b36b715","vulnId":"V-241797","severity":"medium","ruleTitle":"Authentication of Jamf Pro EMM server accounts must be configured so they are implemented either via an Authentication Gateway Service (AGS) which connects to the site DoD Identity Access Management (IdAM) environment that utilizes CAC authentication or via strong password controls for the administrator local accounts.","description":"A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Jamf Pro EMM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Jamf Pro EMM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FIA","checkContent":"Interview the site ISSM. \n\nDetermine if the site has connected Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication. \n\n- If YES, verify the AGS implementation has been reviewed using the Application Layer Gateway SRG. Verify the Jamf Pro EMM server is configured to connect to the AGS:\n1. Go to the server console.\n2. Open \"Settings\".\n3. Select \"SSO\" (Single Sign-on).\n4. Verify Single Sign-on Authentication is enabled and connection to the AGS using SAML-based protocol is set up.\n\n- If NO, verify strong password controls for the administrator local accounts are in place. (Verified by JAMF-10-100700 to JAMF-10-100820.)\n\nIf Jamf Pro EMM is not connected to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication or has not been configured to use strong password controls for the administrator local accounts, this is a finding.","fixText":"Implement one of the following options:\n\nOption #1. Connect Jamf Pro EMM to an Authentication Gateway Service (AGS) which connects to the DoD Identity Access Management (IdAM) environment that uses CAC authentication. Note: Jamf requires AGS to support SAML.\n\n- Set up AGS/IdAM environment.\n- Connect the Jamf pro EMM to the AGS:\n1. Open \"Settings\".\n2. Select \"SSO\" (Single Sign-on).\n3. Select \"Edit\".\n4. Enable Single Sign-on Authentication.\n5. Complete the appropriate settings to connect Jamf Pro EMM to the AGS using SAML-based protocol.\n6. Click \"Save\".\n\nNote: If Option #1 is used, requirements JAMF-10-100700 to JAMF-10-10820 are Not Applicable and requirement JAMF-10-200040 is Applicable - Configurable.\n\nOption #2. Implement strong password policy for admin local accounts. Configure the server password policy (JAMF-10-100700 to JAMF-10-10820).\n\nNote: If Option #2 is used, requirement JAMF-10-200040 is Not Applicable."},{"id":"109399ca-5c19-41ca-8492-c9593b01fe95","vulnId":"V-241798","severity":"high","ruleTitle":"Jamf Pro EMM must be maintained at a supported version.","description":"The MDM/EMM vendor maintains specific product versions for a specific period of time. MDM/EMM server versions no longer supported by the vendor will not receive security updates for new vulnerabilities which leaves them subject to exploitation.\n\nSFR ID: FPT_TUD_EXT.1.1, FPT_TUD_EXT.1.2","checkContent":"Verify the installed version of Jamf Pro EMM is currently supported.\n\nOn the Jamf Pro console do the following to determine the version number of the server:\n1. Log in to the console.\n2. View the version number listed in the upper left corner.\n\nList of current supported versions:\nv10.18 (End of Support Date: TBD\nv10.17 (TBD)\nv10.16 (TBD)\nv10.15 (TBD)\nv10.14 (TBD)\nv10.13.1 (TBD)\n\nIf the displayed Jamf Pro server version is not currently supported or is not a newer version than on the list above, this is a finding.","fixText":"Update the Jamf Pro EMM to a supported version (see list below) or newer version.\nv10.18 (End of Support Date: TBD\nv10.17 (TBD)\nv10.16 (TBD)\nv10.15 (TBD)\nv10.14 (TBD)\nv10.13.1 (TBD)"},{"id":"60677525-794b-473e-b9aa-a2ee65fcc684","vulnId":"V-241799","severity":"medium","ruleTitle":"The default mysql_secure_installation must be installed.","description":"The mysql_secure_installation configuration of MySQL adds several important configuration settings that block several attack vectors. The My SQL application could be exploited by an adversary without mysql_secure_installation.\n\nSFR ID: FMT_SMF.1(2)b. / CM-7(1)(b)\n\nSatisfies: SRG-APP-000383","checkContent":"Verify the mysql_secure_installation has been installed on the Jamf host server. \n\n1. Log in to MySQL. Execute the \"show databases;\" command.\n- Verify that the database named \"Test\" is not shown in output of the command.\n\n2. Verify the root account has a string representing the password and not a blank value.\n- select * from mysql.user;\n\n3. Verify the anonymous users have been removed and verify the user field contains a user name.\n- select * from mysql.user;\n\nAll three steps must be correct to indicate mysql_secure_installation has been executed.\n\nIf the mysql_secure_installation has not been installed on the Jamf host server, this is a finding.","fixText":"Install the mysql_secure_installation. \n\n1. Install MySQL.\n2. Using the Jamf Pro Security Recommendations document, go to the path based on the host operating system and execute the appropriate mysql_secure_installation script."},{"id":"c13a3d16-8a7a-4636-89ab-e8a644ad3407","vulnId":"V-241800","severity":"medium","ruleTitle":"A unique database name and a unique MySQL user with a secure password must be created for use in Jamf Pro EMM.","description":"If the default MySQL database name and password are not changed an adversary could gain unauthorized access to the application which could lead to the compromise of sensitive DOD data.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5(1)(c)\n\nSatisfies: SRG-APP-000171","checkContent":"Verify a unique database name and a unique MySQL user with a secure password have been created for use in Jamf Pro EMM.\n\n1. Execute the show databases command.\n- Ensure at least one database name other than the default databases exits. The default databases are:\ninfomation_schema\nmysql\nperformance_schema\nsys\n\n2. Verify there is a unique MySQL user.\n- In MySQL, run select * mysql.user;\n- Look for a user that is not Root or one of the other MySQL service accounts.\n\nBoth of these steps must be correct.\n\nIf a unique database name and a unique MySQL user with a secure password have not been created, this is a finding.","fixText":"Create a unique database name and a unique MySQL user with a secure password. The procedure is found in the following Jamf Knowledge Base article:\n\nhttps://www.jamf.com/jamf-nation/articles/542/title"},{"id":"5d99a226-c174-4b39-bbb3-7ccc86b7e098","vulnId":"V-241801","severity":"medium","ruleTitle":"Separate MySQL user accounts with limited privileges must be created within Jamf Pro EMM.","description":"If separate MySQL accounts with limited privileges are not created an adversary could gain unauthorized access to the application or gain access unauthorized features which could lead to the compromise of sensitive DoD data.\n\nSFR ID: FMT_SMF.1(2)b. / CM-6 b\n\nSatisfies: SRG-APP-000516","checkContent":"Verify separate MySQL user accounts with limited privileges have been created within Jamf Pro EMM.\n\nIn MySQL, execute the following command: \nshow grants for username@localhost;\n\nVerify the privileges match what is in the Jamf Knowledge Base article.\n\nIf separate MySQL user accounts with limited privileges have not been created within Jamf Pro EMM, this is a finding.","fixText":"Create separate MySQL user accounts with limited privileges within Jamf Pro EMM.\n\nThe procedures for creating user accounts and assigning account privileges are found in the following Jamf Knowledge Base articles:\n\nMySQL 8.0: https://dev.mysql.com/doc/refman/8.0/en/creating-accounts.html\nMySQL 5.7: https://dev.mysql.com/doc/refman/5.7/en/creating-accounts.html\n\nFollowing is a list MySQL privileges that are required for different types of environments:\n- For a standalone web application or the master node in clustered environments:\nINSERT, SELECT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES\n\n- For a child node in clustered environments: \nINSERT, SELECT, UPDATE, DELETE, DROP, LOCK TABLES\n\n- To view connections from cluster nodes with different MySQL users:\nPROCESS\n\nNote: The \"PROCESS\" privilege requires the use of \"*.*\"."},{"id":"e6d091b4-9d71-45bd-bd71-c4b32fcae719","vulnId":"V-241802","severity":"medium","ruleTitle":"MySQL database backups must be scheduled in Jamf Pro EMM.","description":"Database backups are a recognized best practice to protect against key data loss and possible adverse impacts to the mission of the organization.\n\nSFR ID: FMT_SMF.1(2)b. / CM-6 b\n\nSatisfies: SRG-APP-000516","checkContent":"Verify MySQL of database backups have been scheduled in Jamf Pro EMM.\n\n1. Open \"Jamf Server Tools\".\n2. Click \"Scheduled Backups\" in the sidebar.\n3. Verify backups are scheduled.\n\n If MySQL of database backups have not been scheduled in Jamf Pro EMM, this is a finding.","fixText":"Schedule MySQL of database backups in Jamf Pro EMM. \n\nThe procedure is found in the following Jamf Knowledge Base article:\n\nhttps://www.jamf.com/jamf-nation/articles/579/title"},{"id":"9907a8e7-be1c-4286-b8e2-48438f562198","vulnId":"V-241803","severity":"medium","ruleTitle":"The MySQL DatabasePassword key must be removed or set to a blank value in the database configuration file in Jamf Pro EMM.","description":"If the database password is not removed or set to a blank value in the configuration file, the user is not forced to enter the password, which would allow an adversary to access to access the database.\n\nSFR ID: FMT_SMF.1(2)b. / CM-5(10)\n\nSatisfies: SRG-APP-000380","checkContent":"Verify the MySQL key has been removed or set to a blank value in Jamf Pro EMM.\n\n1. On the Jamf Pro server, navigate to the JSS/Tomcat/webapps/ROOT/WEB-INF/xml.\n2. Find the \"Database.xml\" file and open it in a text editor.\n3. Find the .\n4. Verify that there is no password.\n\nIf the MySQL key has not been removed or not set to a blank value, this is a finding.","fixText":"Remove the MySQL key or set to a blank value in Jamf Pro EMM.\n\nIf the database password is removed from the configuration file, the database password must be entered manually for the Jamf Pro EMM server web app during startup. In a clustered environment, the database password must be entered manually for each individual node.\n\nNote: Default values are included below for reference only. Use unique values in production environments.\n\n\n...\njamfsoftware\njamfsoftware\n\n...\n"},{"id":"b1b7c1ad-061c-4623-82f3-60c62fc7b19f","vulnId":"V-241804","severity":"medium","ruleTitle":"The Jamf Pro EMM local accounts password must be configured with length of 15 characters.","description":"The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised.\n\nPassword complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password length is one factor of several that helps to determine strength and how long it takes to crack a password. The shorter the password, the lower the number of possible combinations that need to be tested before the password is compromised. \n\nUse of more characters in a password helps to exponentially increase the time and/or resources required to compromise the password.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5 (1) (a)\n\nSatisfies: SRG-APP-000164","checkContent":"To verify the length of the local accounts password, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Verify \"Minimum Password Length\" is set to \"15\".\n\nIf the \"Minimum Password Length\" is not set to \"15\", this is a finding.","fixText":"To configure the length of the local accounts password, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Click \"Edit\".\n7. Set \"Minimum Password Length\" to \"15\"."},{"id":"3126bcb7-5b8b-41cd-9f28-f15df39792e2","vulnId":"V-241805","severity":"medium","ruleTitle":"The Jamf Pro EMM local accounts must be configured with at least one lowercase character.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5 (1) (a)\n\nSatisfies: SRG-APP-000167","checkContent":"To verify the \"Require lowercase character\" of the local accounts password is selected, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Verify \"Require lowercase character\" is selected.\n\nIf \"Require lowercase character\" is not selected, this is a finding.","fixText":"To configure the \"Require lowercase character\" of the local accounts password, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Click \"Edit\".\n7. Select \"Require lowercase character\"."},{"id":"8e86fb5f-e9dc-49d0-825f-9446a953f4c9","vulnId":"V-241806","severity":"medium","ruleTitle":"The Jamf Pro EMM local accounts must be configured with at least one uppercase character.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password is, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5 (1) (a)\n\nSatisfies: SRG-APP-000166","checkContent":"To verify the \"Require uppercase character\" of the local accounts password is selected, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Verify \"Require uppercase character\" is selected.\n\nIf \"Require uppercase character\" is not selected, this is a finding.","fixText":"To configure the \"Require uppercase character\" of the local accounts password, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Click \"Edit\".\n7. Select \"Require uppercase character\"."},{"id":"74d7600c-1395-4cf5-830a-86b51ba9f2af","vulnId":"V-241807","severity":"medium","ruleTitle":"The Jamf Pro EMM local accounts must be configured with at least one number.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor of several that determine how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5 (1) (a)\n\nSatisfies: SRG-APP-000168","checkContent":"To verify the \"Require number\" of the local accounts password is selected, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Verify \"Require number\" is selected.\n\nIf \"Require number\" is not selected, this is a finding.","fixText":"To configure the \"Require number\" of the local accounts password, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Click \"Edit\".\n7. Select \"Require number\"."},{"id":"1c6018a7-9162-4812-8302-55f6cf0aa590","vulnId":"V-241808","severity":"medium","ruleTitle":"The Jamf Pro EMM local accounts must be configured with at least one special character.","description":"Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nPassword complexity is one factor in determining how long it takes to crack a password. The more complex the password, the greater the number of possible combinations that need to be tested before the password is compromised. \n\nSpecial characters are those characters that are not alphanumeric. Examples include: ~ ! @ # $ % ^ *.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5 (1) (a)\n\nSatisfies: SRG-APP-000169","checkContent":"To verify the \"Require special character\" of the local accounts password is selected, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Verify \"Require special character\" is selected.\n\nIf \"Require special character\" is not selected, this is a finding.","fixText":"To configure the \"Require special character\" of the local accounts password, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Click \"Edit\".\n7. Select \"Require special character\"."},{"id":"8e1c8c6b-3d4f-4dc8-a8fd-da60aeb59164","vulnId":"V-241809","severity":"medium","ruleTitle":"The Jamf Pro EMM local accounts must be configured with password minimum lifetime of 24 hours.","description":"Enforcing a minimum password lifetime helps prevent repeated password changes to defeat the password reuse or history enforcement requirement.\n\nRestricting this setting limits the user's ability to change their password. Passwords need to be changed at specific policy based intervals; however, if the application allows the user to immediately and continually change their password, then the password could be repeatedly changed in a short period of time to defeat the organization's policy regarding password reuse.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5 (1) (d)\n\nSatisfies: SRG-APP-000173","checkContent":"To verify the \"Minimum password Age\" of \"1\" day for the local accounts password is set, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Verify \"Minimum Password Age\" is set to \"1\" day.\n\nIf the \"Minimum Password Age\" is not set to \"1\" day, this is a finding.","fixText":"To configure the \"Minimum Password Age\" to \"1\" day for the local accounts password, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Click \"Edit\".\n7. Set the \"Minimum Password Age\" to \"1\" day."},{"id":"1402ad45-70fa-470b-a139-3fe6cb9d019e","vulnId":"V-241810","severity":"medium","ruleTitle":"The Jamf Pro EMM local accounts must be configured with password maximum lifetime of 3 months.","description":"Any password, no matter how complex, can eventually be cracked. Therefore, passwords need to be changed at specific intervals. \n\nOne method of minimizing this risk is to use complex passwords and periodically change them. If the application does not limit the lifetime of passwords and force users to change their passwords, there is the risk that the system and/or application passwords could be compromised. \n\nThis requirement does not include emergency administration accounts which are meant for access to the application in case of failure. These accounts are not required to have maximum password lifetime restrictions.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5 (1) (d)\n\nSatisfies: SRG-APP-000174","checkContent":"To verify the \"password maximum lifetime\" of \"3\" months for the local account's password is set, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Verify \"password maximum lifetime\" of \"3\" months.\n\nIf the \"password maximum lifetime\" for local account's password is not set to \"3\" months, this is a finding.","fixText":"To configure the \"password maximum lifetime\" of \"3\" months for the local account's password, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Click \"Edit\".\n7. Set the \"password maximum lifetime\" of \"3\" months."},{"id":"8df430f3-f95a-4658-b4af-78ba155f7995","vulnId":"V-241811","severity":"medium","ruleTitle":"The Jamf Pro EMM local accounts must prohibit password reuse for a minimum of five generations.","description":"Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. \n\nTo meet password policy requirements, passwords need to be changed at specific policy-based intervals. \n\nIf the information system or application allows the user to consecutively reuse their password when that password has exceeded its defined lifetime, the end result is a password that is not changed as per policy requirements.\n\nSFR ID: FMT_SMF.1(2)b. / IA-5 (1) (e)\n\nSatisfies: SRG-APP-000165","checkContent":"To verify the local accounts \"Password History\" is set to a minimum of \"5\" generations, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Verify \"Password History\" to \"5\" or more.\n\nIf \"Password History\" is not set to \"5\" or more, this is a finding.","fixText":"Note: This requirement is NA if Option #1 is selected in requirement JAMF-10-000685.\n\nTo configure the \"Password History\" of the local accounts password to a minimum of \"5\" generations, do the following:\n\n1. Open the Jamf Pro EMM console.\n2. Click \"Settings\".\n3. Click \"System Settings\".\n4. Click \"Jamf Pro System User Accounts & Groups\".\n5. Click \"Password Policy\".\n6. Set the \"Password History\" to \"5\" or more."},{"id":"3242990b-160b-450a-8b82-81558bde2f2c","vulnId":"V-241812","severity":"medium","ruleTitle":"The Jamf Pro EMM must automatically disable accounts after a 35 day period of account inactivity (local accounts).","description":"$27","checkContent":"Interview the site Jamf Pro EMM system administrator. Confirm a script is used to periodically check when each local account was last accessed by the user and disable the account if there is a 35-day or more period of account inactivity.\n\nIf a script is not used to periodically check when each local account was last accessed by the user and disable the account or if there is a 35-day or more period of account inactivity, this is a finding.","fixText":"Note: There is no setting on the Jamf Pro EMM console to implement this requirement. \n\nA script should be used to periodically check when each local account was last accessed by the user and disable the account if there is a 35-day or more period of account inactivity. The script should be developed by the site or provided by Jamf."},{"id":"55d96a9b-511e-4fea-818b-28349804822d","vulnId":"V-241813","severity":"medium","ruleTitle":"The Jamf Pro EMM must enforce the limit of three consecutive invalid logon attempts by a user.","description":"By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute forcing, is reduced. Limits are imposed by locking the account.\n\nSFR ID: FMT_SMF.1(2)b. / IA-7-a\n\nSatisfies: SRG-APP-000065","checkContent":"To verify the Jamf Pro EMM enforces a limit of three consecutive invalid logon attempts by a user, do the following:\n\n1. Log in to the Jamf Pro EMM console.\n2. Open \"Settings\".\n3. Select \"Jamf Pro User Accounts & Groups\".\n4. Select \"Password Policy\" in the upper right corner.\n5. Verify that under \"Account Lockout\" the number of failed attempts before lockout is set to \"3\" or less.\n\nIf the Jamf Pro EMM does not limit the number of consecutive invalid logon attempts by a user to \"3\" or less, this is a finding.","fixText":"To configure the Jamf Pro EMM server to lock after three consecutive invalid logon attempts by a user, do the following:\n\n1. Open \"Settings\".\n2. Select \"Jamf Pro User Accounts & Groups\".\n3. Select “Password Policy” in the upper right corner.\n4. Select \"Edit\".\n5. Under “Account Lockout”, select the drop-down menu to change the number of failed attempts before lockout to \"3\".\n6. Select “Save”."},{"id":"1cfabac0-cd4a-4138-a684-d02e01eae43c","vulnId":"V-241814","severity":"medium","ruleTitle":"The Jamf Pro EMM server platform must be protected by a DoD-approved firewall.","description":"Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services provided by default may not be necessary to support essential organizational operations. Unneeded services and processes provide additional threat vectors and avenues of attack to the information system. The MDM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality. All others must be expressly disabled or removed. A DoD-approved firewall implements the required network restrictions. A host-based firewall is appropriate where the MDM server runs on a standalone platform. Network firewalls or other architectures may be preferred where the MDM server runs in a cloud or virtualized solution.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7b\n\nSatisfies: SRG-APP-000142","checkContent":"Review the Jamf Pro EMM server platform configuration to determine whether a DoD-approved firewall is installed or if the platform operating system provides a firewall service that can restrict both inbound and outbound traffic by TCP/UDP port and IP address.\n\nIf there is not a host-based firewall present on the Jamf Pro EMM server platform, this is a finding.","fixText":"Install a DoD-approved firewall on the Jamf Pro EMM server."},{"id":"2af6075d-c946-486f-8565-0192c344386e","vulnId":"V-241815","severity":"medium","ruleTitle":"The firewall protecting the Jamf Pro EMM server platform must be configured to restrict all network traffic to and from all addresses with the exception of ports, protocols, and IP address ranges required to support Jamf Pro EMM server and platform functions.","description":"Most information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations. Since MDM server is a critical component of the mobility architecture and must be configured to enable only those ports, protocols, and services (PPS) necessary to support functionality, all others must be expressly disabled or removed. A firewall installed on the MDM server provides a protection mechanism to ensure unwanted service requests do not reach the MDM server and outbound traffic is limited to only MDM server functionality.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7b\n\nSatisfies: SRG-APP-000142","checkContent":"Ask the Jamf Pro EMM server administrator for a list of ports, protocols, and IP address ranges necessary to support Jamf Pro EMM server and platform functionality. A list can usually be found in the STIG Supplemental document or Jamf Pro EMM product documentation.\n\nCompare the list against the configuration of the firewall and identify discrepancies.\n\nIf the host-based firewall is not configured to support only those ports, protocols, and IP address ranges necessary for operation, this is a finding.","fixText":"Configure the firewall on the Jamf Pro EMM server to only permit ports, protocols, and IP address ranges necessary for operation."},{"id":"9f574ca7-bbfe-422c-9ec8-86750c562012","vulnId":"V-241816","severity":"medium","ruleTitle":"The firewall protecting the Jamf Pro EMM server platform must be configured so that only DoD-approved ports, protocols, and services are enabled. (See the DoD Ports, Protocols, Services Management [PPSM] Category Assurance Levels [CAL] list for DoD-approved ports, protocols, and services).","description":"All ports, protocols, and services used on DoD networks must be approved and registered via the DoD PPSM process. This is to ensure that a risk assessment has been completed before a new port, protocol, or service is configured on a DoD network and has been approved by proper DoD authorities. Otherwise, the new port, protocol, or service could cause a vulnerability to the DoD network, which could be exploited by an adversary.\n\nSFR ID: FMT_SMF.1.1(2) b / CM-7b\n\nSatisfies: SRG-APP-000142","checkContent":"Ask the Jamf Pro EMM server administrator for a list of ports, protocols, and services that have been configured on the host-based firewall of the Jamf Pro EMM server or generate the list by inspecting the firewall. Verify all allowed ports, protocols, and services are included on the DoD PPSM CAL list.\n\nIf any allowed ports, protocols, and services on the Jamf Pro EMM server host-based firewall are not included on the DoD PPSM CAL list, this is a finding.","fixText":"Turn off any ports, protocols, and services on the Jamf Pro EMM server host-based firewall that are not on the DoD PPSM CAL list."},{"id":"3212abd0-77a4-4ed9-870d-7c0ab3046ddc","vulnId":"V-241817","severity":"medium","ruleTitle":"All Jamf Pro EMM server local accounts created during application installation and configuration must be disabled.","description":"A comprehensive account management process that includes automation helps to ensure the accounts designated as requiring attention are consistently and promptly addressed. If an attacker compromises an account, the entire Jamf Pro EMM server infrastructure is at risk. Providing automated support functions for the management of accounts will ensure only active accounts will be granted access with the proper authorization levels. These objectives are best achieved by configuring the Jamf Pro EMM server to leverage an enterprise authentication mechanism (e.g., Microsoft Active Directory Kerberos).\n\nSFR ID: FMT_SMF.1.1(2) b / IA-5(1)(a)\n\nSatisfies: SRG-APP-000148","checkContent":"Verify all local accounts on the Jamf Pro EMM server have been disabled. Note: the server service account is not disabled.\n\n1. Log in to the Jamf pro EMM console.\n2. Open \"Settings\".\n3. Verify all Jamf Pro User Accounts & Groups have been disabled.\n\nIf all local accounts on the Jamf Pro EMM server have not been disabled, this is a finding.","fixText":"Disable all local accounts on the Jamf Pro EMM server with the following procedure. Note: The server service account should not be disabled.\n\n1. Open \"Settings\".\n2. Select \"Jamf Pro User Accounts & Groups\".\n3. Select the user/accounts that need to be disabled.\n4. Upon selection, click on the \"Edit\" button.\n5. Change the \"Access Status\" to \"Disabled\".\n6. Click \"Save\".\n7. Repeat steps 3-6 for all local accounts."},{"id":"90312212-0e15-40bd-832f-31b75d2ea9ec","vulnId":"V-241818","severity":"high","ruleTitle":"The Jamf Pro EMM server must connect to [Authentication Gateway Service (AGS)] with an authenticated and secure (encrypted) connection to protect the confidentiality and integrity of transmitted information.","description":"$28","checkContent":"Talk to the site Administrator to confirm the AGS has been configured to connect to the Jamf Pro EMM server using the TLS connection or confirm during a review of the AGS.\n\nIf the AGS has not been configured to connect to the Jamf Pro EMM server using a TLS connection, this is a finding.","fixText":"Confirm the Administrator has configured the AGS to connect to the Jamf Pro EMM server using the TLS connection."}]}]]}]

Jamf Pro v10.x EMM Security Technical Implementation Guide

Checks (29)