Compliance Configuration and Extension Attribute
Compliance features are enabled globally for the following ISO-mandated OS hardening configurations. By default, all devices are opted in to the following:
AUP Banner (Changing on Tues)
15-minute screen saver
Install standard firewall
Block UT Guest Wifi
Default Scan schedule for Microsoft Defender
Install Nessus Agent
Receive OS patches when published by EPM Service
Receive Application patches by default (method of patching varies)
Be prompted by Nudge to install OS patches
Additional compliance applications:
The ISO and EPM encourage using MDE as the preferred antivirus for macOS. However, since the University is migrating from AMP to Defender, ITSOs are in charge of scoping Defender so that it aligns with their migration schedule. In addition, Defender is configured with department codes as part of the payload so that devices can be reported on accurately. Therefore, Defender can't be scoped globally. When EPM onboards each site, we set up the Defender configurations at the site level. Units simply have to scope their devices.
Extension Attributes for Exceptions
ISO is the office managing EPM exceptions. If you need an exception, contact ISO via the exception request process.
An exception is needed for opting out of all patching; examples include excluding Nessus and other ISO requirements.
Change in configuration – There are EAs for opting out and setting your configuration terms. If EPM isn't managing your patches or other compliance requirements, you assume responsibility for these items as a Site Admin.
EAs aren't an exception process. EAs are a workflow to manage exceptions.
How to leverage an extension attribute to except a hardening checklist item:
If a machine needs to be excluded from one of the Global policies mentioned above, you can use an Extension Attribute to remove the device from scope.
The EPM team has built in scoping logic that adds a machine to a smart group, which is used for the exception frameworks. To use one of these Extension Attributes, open the inventory record of the machine in question and navigate to the “extension attribute” tab in the left column. There you will find a Boolean option for each standard payload. A null value is treated the same as “No”. Once the option is toggled to “Yes”, the exception takes effect.
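Because EAs are a workflow for exceptions and not the approval itself, a Site Admin may want to reconcile every EA set to “Yes” against the exceptions ISO has actually granted. The following is an added example, not EPM's own tooling: the EA names, the record layout and the approval list are hypothetical, and the sample data is constructed.

```python
"""Audit extension-attribute (EA) opt-outs against approved exceptions."""

# Hypothetical EA names mapped to the global payload each one removes from scope.
EA_TO_PAYLOAD = {
    "Exclude - Screen Saver": "15-minute screen saver",
    "Exclude - Nessus Agent": "Nessus Agent",
    "Exclude - OS Patching": "OS patches",
}


def is_opted_out(value):
    """Only an explicit Yes excludes a device; null, empty and No do not.

    Ignoring case and surrounding whitespace is an assumption of this example.
    """
    return isinstance(value, str) and value.strip().lower() == "yes"


def audit(devices, approved):
    """Return (serial, payload, status) for every EA that is set to Yes.

    approved: set of (serial, payload) pairs granted through the
    exception request process.
    """
    findings = []
    for dev in devices:
        eas = dev.get("extension_attributes") or {}  # missing EA block == all null
        for ea_name, payload in EA_TO_PAYLOAD.items():
            if is_opted_out(eas.get(ea_name)):
                ok = (dev["serial"], payload) in approved
                findings.append((dev["serial"], payload,
                                 "approved" if ok else "UNAPPROVED"))
    return findings


# Constructed sample inventory export and approval list.
SAMPLE_DEVICES = [
    {"serial": "C02TEST0001", "extension_attributes": {"Exclude - Nessus Agent": "Yes"}},
    {"serial": "C02TEST0002", "extension_attributes": {"Exclude - OS Patching": " yes ",
                                                       "Exclude - Screen Saver": None}},
    {"serial": "C02TEST0003", "extension_attributes": {"Exclude - Screen Saver": "No",
                                                       "Exclude - Nessus Agent": ""}},
    {"serial": "C02TEST0004", "extension_attributes": None},
]
SAMPLE_APPROVED = {("C02TEST0001", "Nessus Agent")}

if __name__ == "__main__":
    for serial, payload, status in audit(SAMPLE_DEVICES, SAMPLE_APPROVED):
        print(f"{serial}: opted out of {payload} [{status}]")
```

Any finding marked UNAPPROVED is a device that has left the scope of a global policy without a matching exception on record.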