A holistic approach to security: Visibility and Compliance


What are your endpoints doing that they shouldn’t be (or not doing what they should be)? The symbiotic relationship between visibility and compliance is a delicate, yet powerful one if managed properly. With the proper tooling, organizations can not only deploy secured configurations and roll out policies to enforce secure baselines, but they can also gain deep visibility into each endpoint to verify that each device is operating in alignment with company policies and complying with regulatory requirements.

Author: Jamf

Date: 28 November 2022

When discussing compliance, no talk is complete without visibility. After all, what good is understanding the complexities of complying with regulatory requirements when you lack the auditing data to make the necessary changes that bring your endpoints into compliance? Conversely, insight into each and every detail required of your organization to comply with industry, governmental and/or regional regulations will be of little significance if your organization does not know how to put telemetry data to work toward meeting its compliance goals.

To put each to good use, one must inform the other iteratively. Insight into device health statuses reveals areas of deficiency that IT and Security teams can target to bring endpoints into compliance. In turn, understanding how and where compliance requirements impact your organization helps those same teams configure security tooling to identify and report on device-based auditing data, giving them the information they need to assess endpoint security and provide proof of compliance with standards and requirements.

A tale of two compliances

Compliance = compliance, right?! Yes, except when it doesn’t. Confused yet? Let us explain.

Compliance can mean demonstrating that your endpoint is configured to the necessary standards and requirements. For example, things like a passcode, disk encryption, Bluetooth status, screensaver policy, etc. However, compliance can also mean you’re storing the appropriate logging data relating to endpoint activities in a centralized location for future reference.

Depending on your organization, the industry it falls under and where it does business, it could be subject to any type of compliance — or maybe even both. It really comes down to the organization’s unique needs.

As an example, let’s look at Fintech (financial technology). Since they operate in the finance sector, they are required to ensure that endpoints are hardened against threats. This means deploying secure configurations, app restrictions and enforcing network data to meet certain encryption requirements to name a few of the requirements. At the same time, Fintech organizations are also required to show proof of compliance, meaning endpoint health data must be recorded and logs stored centrally to aid organizations in proving that not only are their devices secured but there’s a paper trail to verify this claim to independent auditors and regulators when needed.

Eliminating the guesswork

Security mantra: if you can’t prove that a device was secure, it wasn’t secure.

In a nutshell, when required to show proof that your endpoints are secured and meet the requirements of the regulatory body that governs your industry, proof of compliance must be provided or else it’s viewed as the organization did (or could) not comply with regulations.

That could directly cost the organization, and sometimes its executives as well, with steep penalties such as large fines, lost business opportunities, loss of eligibility to access government funding and/or even criminal liability. Indirectly, it could lead to a loss of faith amongst your existing customers and clients stemming from a negative impact on your reputation and resulting in loss of revenue or potentially even terminating business operations entirely.

But it’s not all doom and gloom, rather with the right solutions as part of their infrastructure, IT and Security teams can glean the necessary granular data needed to not only stay informed as to the latest information relating to endpoint health but also turn that knowledge into actionable power.

Telemetry

Consider for a minute your organization, the number of endpoints relied upon by employees to get work done and balance that against the needs of the company and its users, as well as any regulatory requirements imposed. Without knowing the specifics of your company or its needs, it’s likely not a simple undertaking.

Now factor in the modern threat landscape, which adds in a bevy of threats and attacks by bad actors, setting that against the backdrop of a work-anywhere world. With endpoints and multiple ownership models to contend with, it can be increasingly challenging as your workforce is dispersed. And without the right tools, a difficult task just became infinitely more of a challenge to resolve.

However, by choosing the right solutions to remotely collect comprehensive logging around the system, user and network activity — and sending gathered data to your single pane of glass — leveraging rich telemetry data is made a whole lot easier, simpler and requires less of an impact on your infrastructure or your users. Moreover, the right tooling helps organizations succeed in their auditing goals by using it to craft configurations that keep devices secured and by implementing policies to enforce device compliance while having real-time visibility data in the form of granular logging and reports that provide exactly the proof to verify compliance. And with a powerful, scalable cloud-based solution on your side, all that data is accessible at your fingertips from anywhere — regardless of where your endpoints are.

Device status

Do you know what the status of say, the endpoint security solution is on all the devices deployed within your organization? Which devices are up-to-date with patches? And if any applications are restricted from use by company policy, which endpoints (if any) have actively broken that rule, potentially putting sensitive company data and the users’ own personal and privacy data at risk of exposure?

If the answers to the questions posed above are anything except “Yes”, “They all are.” and “Here’s a current report I just pulled up which shows which devices were caught by our policies, automatically enforcing the rule and bringing the affected devices into compliance.”, then it’s fair to assume that there might be endpoints accessing organizational data without the necessary (and, if regulated, possibly required) safeguards that provide insight into and enforce compliance goals.

Close your eyes for a minute and imagine having a solution that taps into this granular level of visibility at all times. 24/7/365, your organization can simply tap on an individual endpoint, and gather a group of them that meet or do not meet specific criteria, such as not being on the latest version of macOS, or receiving real-time alerts when endpoints have fallen out of compliance along with why this occurred and how to correct the issue.

Ok, now open your eyes, we’d like you to meet Jamf Protect.

Customizable analytics

Analytics is a cornerstone of Jamf’s endpoint security solutions. They provide pre-defined rule sets that are used to detect and prevent known threats targeting your Mac fleet. Think of malware and its variants and you’ll have an idea of how analytics work when detecting a known strand, kicking into action to promptly remove the threat from your devices without impacting the end user’s experience or even breaking a sweat.

But that’s not all! Jamf Protect also employs behavioral analytics that targets unknown threats that may be as yet undetected and lying dormant on your endpoints, waiting for the chance to strike at your users, compromise devices and/or steal sensitive data.

But wait, there’s more! Jamf knows each organization is unique in size, scope and needs, hence why analytics are also customizable, so IT and Security teams can determine how to best configure analytics to meet the needs of their organization. By matching your unique needs, analytics can be finely tuned to provide greater capability for identifying, preventing and remediating threats that pose a greater risk. Also, customizing analytics allows organizations to provide support against Mac-focused security threats, for example, aiding threat-hunting teams in discovering novel threats in a concerted effort to proactively stop attacks before they have a chance to occur.

Extending capabilities

Apple and Jamf have a long, deep relationship, one that extends to all of Jamf’s offerings. Thanks to this, our endpoint security products integrate harmoniously across Apple’s entire lineup of Mac devices, providing deep integration with Apple’s Endpoint Security API for maximum visibility into all device health statuses. Furthermore, the deep level of integration means greater insight and extension of built-in Apple security tools, like Gatekeeper, XProtect and MRT just to name a few.

Speaking of evolving capabilities through integration, Jamf’s RISK API securely connects with first- and third-party solutions to not only expand functionality but also drive comprehensive workflows that holistically protect endpoints while granting administrators increased flexibility when monitoring and identifying threats on endpoints, on-device and in-network threat prevention, triaging and automatic remediation of detected issues and keeping tabs on endpoint compliance levels by evaluating audit data (more on that a bit later).

Reporting

Real-time visibility tracks the goings on occurring in the background on your Mac fleet, arming administrators with the data they need to effectively mitigate risks as they develop – not waiting until risks become too big to contain or lead to a data breach. After all, knowledge is power, and having insight into critical network and system processes, including user activity adds color to what’s being done to the Mac – and on it.

The result? IT and Security teams obtain this data faster by leveraging logging data, permitting them to investigate immediately, mitigating or remediating risk quickly and efficiently.

Looking for more robust reporting options? Leveraging Jamf’s integration capability, streaming real-time data to a third-party solution, like Splunk adds a whole new dimension to reporting by combining all data points gathered with visualizations to paint a more complete picture of the state of your macOS-based endpoints.

Manage and validate compliance

An effective way to illustrate the importance of security and compliance tooling on Apple, even as we agree that Apple makes a very secure operating system, is the ability for organizations to manage and validate compliance. While organizations choose Apple for many different reasons, their natural security advantage is among the chief reasons to adopt Apple at the workplace.

Despite its enhanced security, organizations still have an obligation to meet certain reporting and compliance standards and this requires the right tools to accomplish this on the Mac. Simply put: nobody offers more robust macOS visibility than Jamf.

Plus, our same-day support promise means you, your organization and your users can always embrace the latest features, functionality and capabilities without putting compliance at risk.

Secure baselines

Incorporating secure baseline assessment into your comprehensive security strategy is not only a best practice, but Jamf makes auditing against industry-standard security benchmarks a breeze. Aligning your processes with Center for Internet Security (CIS) Benchmarking standards is available right out-of-the-box.

The built-in presets quickly validate that your fleet meets the requirements set forth by your business or industry, while the aforementioned integration with first-party solutions, like Jamf Pro, allows administrators to develop automated workflows that securely share telemetry data from Jamf Protect with Jamf Pro, where endpoints are then brought back into compliance automatically thanks to the policy-based management groups, ensuring endpoints are protected and stay compliant against risk.

In addition to baking in support for CIS, Jamf supports other device-hardening frameworks, such as:

Policy-based management

A crucial part of compliance management is the identification of risks that have brought endpoints out of compliance, potentially exposing critical data. This is on par with the ongoing management of compliance risk, but what about when devices are found to be out of compliance, what then?

There are, of course, manual options that require a member of IT or your Security team to intervene and mitigate the risk. This is possible certainly, but only as effective as when the issue was caught. If users fail to report anomalies or IT does not detect them for some period of time, this incident could linger, leaving the door open for threats to grow and bad actors to attack, potentially resulting in device compromise, data theft or regulatory penalties – or all of the above, unfortunately.

This is why Jamf solutions incorporate policy-based management, so as to leave nothing to chance. By implementing policies that are aligned with organizational policies and industry regulations, organizations can customize targeting groups to easily audit endpoints while constantly analyzing data to verify that they remain compliant. If endpoints are found to be out of the parameters set, the configured policy executes, automatically remediating the issue and bringing the affected endpoints back into the compliance fold.

Automatically enforcing policies to maintain the compliance goals of your organization, industry and/or region has never been this easy.
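The following script is an added example, not Jamf code, that shows what the evaluation described in this section and in the “Device status” and “A tale of two compliances” sections looks like in practice: constructed telemetry records for three Macs are checked against a small baseline (disk encryption, passcode, screen-lock timeout, patch level, restricted apps), devices are gathered by criterion such as “not on the latest macOS”, and each finding is paired with its remediation and flattened into log lines a SIEM could ingest as proof of compliance. The record fields, rule ids, the “latest” macOS version and the restricted-app list are all assumptions chosen for illustration.

```python
"""Evaluate constructed endpoint telemetry against a secure-baseline policy.

Added example (not Jamf code). Record fields and rule names are assumptions
that mirror the controls the article lists: passcode, disk encryption,
screensaver policy, patch level and restricted apps.
"""
from dataclasses import dataclass
from typing import Callable

# Constructed telemetry: what an endpoint agent might report per device.
TELEMETRY = [
    {"host": "mac-001", "os": "13.0.1", "filevault": True,  "passcode": True,
     "screensaver_lock_s": 300,  "apps": ["Slack"]},
    {"host": "mac-002", "os": "12.6",   "filevault": False, "passcode": True,
     "screensaver_lock_s": 1800, "apps": ["BitTorrent"]},
    {"host": "mac-003", "os": "13.0.1", "filevault": True,  "passcode": False,
     "screensaver_lock_s": 0,    "apps": []},
]

LATEST_OS = "13.0.1"              # assumption: current release at audit time
RESTRICTED_APPS = {"BitTorrent"}  # assumption: apps disallowed by policy


def parse_version(v: str) -> tuple:
    """'12.6' -> (12, 6, 0) so that '13.0' compares equal to '13.0.0'."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass
class Rule:
    rule_id: str
    description: str
    check: Callable[[dict], bool]   # returns True when the device passes
    remediation: str


BASELINE = [
    Rule("disk-encryption", "FileVault enabled", lambda r: r["filevault"],
         "enable FileVault via configuration profile"),
    Rule("passcode", "login passcode required", lambda r: r["passcode"],
         "push passcode policy"),
    Rule("screensaver-lock", "screen locks within 10 minutes",
         lambda r: 0 < r["screensaver_lock_s"] <= 600,
         "set idle lock to 600 s or less"),
    Rule("patch-level", "running latest macOS",
         lambda r: parse_version(r["os"]) >= parse_version(LATEST_OS),
         "schedule OS update"),
    Rule("restricted-apps", "no restricted apps installed",
         lambda r: not (set(r["apps"]) & RESTRICTED_APPS),
         "remove restricted apps and notify user"),
]


def evaluate_device(record, baseline=BASELINE):
    """Return the failed rules for one device as (id, description, remediation)."""
    return [(rule.rule_id, rule.description, rule.remediation)
            for rule in baseline if not rule.check(record)]


def compliance_report(records, baseline=BASELINE):
    """Map host -> findings; a compliant host maps to an empty list."""
    return {r["host"]: evaluate_device(r, baseline) for r in records}


def devices_matching(records, predicate):
    """Gather the hosts that satisfy a criterion, e.g. not on the latest OS."""
    return sorted(r["host"] for r in records if predicate(r))


def audit_log_lines(report):
    """Flat key=value log lines suitable for forwarding to central logging."""
    lines = []
    for host, findings in sorted(report.items()):
        if not findings:
            lines.append(f"host={host} status=compliant")
        for rule_id, desc, fix in findings:
            lines.append(f"host={host} status=noncompliant rule={rule_id} "
                         f"detail=\"{desc}\" remediation=\"{fix}\"")
    return lines


if __name__ == "__main__":
    for line in audit_log_lines(compliance_report(TELEMETRY)):
        print(line)
    print("needs OS update:", devices_matching(
        TELEMETRY, lambda r: parse_version(r["os"]) < parse_version(LATEST_OS)))
```

Each rule carries its own remediation text so that the report answers both questions the article raises: which devices fell out of compliance, and what the remediating policy should do about it. Keeping the checks as plain predicates over the telemetry record is what makes the baseline easy to extend when a CIS or other benchmark item is added.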

Curate auditing data

Preparation is one of the keys to success by making the incident response workflow more comprehensive. This allows security teams to investigate the full picture of an incident with logs that have been stored centrally and have not been manipulated by a malicious actor.

An effective process removes the obstacles by developing a workflow for IT and Security teams to follow when investigating. After all, each minute spent on tasks other than the investigation itself is precious time that a threat or bad actor could use to further compromise devices or make further inroads into breaching your data.

Did you know that Jamf Protect has a built-in component, named Jamf Protect High Compliance, that combines captured compliance and audit data with analysis tools to minimize non-compliance? Yes indeed! By combining audit data with app integrations, Jamf helps organizations take their compliance auditing to the next level. When further enhanced with powerful API access, this level of integration and management fuses with endpoint security to further bolster the protection of your Macs.

EDR/XDR Integration

As mentioned previously, organizations have different needs. There is no “one size fits all” solution that addresses the needs of each straightaway, so it’s understandable that you might use other Endpoint Detection and Remediation/Extended Detection and Remediation tools, or even just a SIEM for the centralized gathering of logging data for holistic visibility.

Bearing this in mind, Jamf provides the most comprehensive endpoint telemetry available on macOS. Bar none. This ensures you’ve got the richest, most complete data flowing into your single pane of glass. By actively monitoring endpoints and updating device health data, administrators are in the best position to know what each endpoint is doing (as well as what’s being done to them), in order to develop the best possible strategies to keep your endpoints secure.

Armed with actionable data at the ready, administrators can proactively assess the device security posture, maintaining devices, users and organizational data secure against any threats or bad actors that may probe for vulnerabilities or find attack vectors to exploit.

Key Takeaways:

  • Gain deep visibility into endpoint health data across your entire Mac fleet
  • Make telemetry data actionable through effective management of risk
  • Know the status of your endpoints and verify their compliance levels at all times
  • Leverage rich telemetry data against threat defense and prevention, while maintaining compliance
  • Behavioral analytics find known and unknown threats while permitting organizations to customize analytics to adapt to their unique needs
  • Extend capabilities, functionality, features and protections by securely sharing endpoint health data through Jamf’s RISK API with first- and third-party solutions
  • Obtain deep insight into Apple-native security tooling with support of Apple’s Endpoint Security API
  • Real-time alerting notifies administrators of risks and threats targeting your Mac
  • Align endpoint security with secure baselines from CIS, NIST, DISA STIG and mSCP to assess and maintain compliance security right out-of-the-box
  • Curate auditing data to meet your needs and aid in threat-hunting processes and incident response workflows with your existing EDR/XDR solutions

Don’t think your endpoints might be protected – know and verify their status at all times while keeping Macs compliant and performing optimally across your entire fleet.


A holistic approach to security: Content Filtering and Safe Internet


Are your users safe on the internet? Whether working on important job-related tasks or taking part in a collaborative team learning effort – online access to critical resources is at the heart of productivity. Counting on websites or ISPs to “police” their own content or filter out the unwanted bad stuff isn’t the answer. Learn about how Jamf content filtering and network threat prevention solutions contribute to a safe internet for all stakeholders.

Author: Jamf

Date: 25 November 2022

When thinking about the security of your endpoints, it’s easy to focus on the threats themselves and the solutions that directly identify, prevent and mitigate them, like endpoint security solutions and Zero Trust paradigms.

You’d be forgiven for overlooking the delivery mechanism for a large majority of threats and attacks – the internet. More specifically, how always-on access and the reliance on it to power our professional, as well as personal tasks, is both a blessing and sometimes, a curse.

Let me explain.

The former’s obvious. Unlimited access to data at your fingertips, at any time and from anywhere. Great, right?! The latter however isn’t so hot for us because that door effectively swings both ways and allows bad actors unlimited access to your data at any time from anywhere. Hence it is critical that a comprehensive endpoint security solution be made up of multiple layers of protective solutions; as part of a defense-in-depth strategy, this offers holistic protection for your devices, users and sensitive data.

An integral part of this strategy is content filtering and combining it with:

  • Powerful controls to thwart in-network threats
  • Prevention of zero-day phishing attacks
  • Minimizing risk and liability from inappropriate content
  • Upholding end-user privacy
  • Alignment with and enforcement of compliance with organizational policies

Why content filtering is necessary

Content filtering sometimes gets a bad rap from those that view this service as “spying” on your users. Unfortunately, this was sometimes the case in the early days of the technology being introduced. While the intent always rests on the organization deploying content filtering, luckily, the technology has evolved well beyond this into a concise, efficient solution that is deployed to mitigate threats and minimize risks introduced across the modern threat landscape.

We’ll go into greater detail about how it safeguards endpoints against bad actors and network-based attacks just a bit later. For now, suffice it to say that content filtering is just one feature of securing internet access, with network threat prevention and mobile threat defense serving as equally important solutions to endpoint security.

Navigating the information highway safely

Imagine if you will, safe, private connections everywhere students learn and employees work. No, it’s not a pipedream but rather the security challenge that solutions like Jamf Safe Internet and Jamf Data Policy resolve for a variety of industries, like education (former) and commercial organizations (latter).

Not only does privacy-focused content filtering control what content is accessed on managed devices, but the cloud-based controls extend protection across many device types and support modern operating systems, like macOS, iOS-based, Android and Windows.

Furthermore, Jamf’s content filtering and network threat protection engine deliver powerful security that is seamless to the user and simple to deploy for IT and Security admins with pre-defined safety, blocking and bandwidth restriction rule sets.

Looking for a bit of hands-on capability? Jamf solutions offer unprecedented levels of flexibility, allowing you to customize existing rules or create the level of content control that fits each class, based on your risk appetite.

All while empowering IT and Security teams with visibility into understanding the effects of your work through granular reporting that serves to inform, adjust and tune proactive measures iteratively.

No download for you

Whether it’s intentional or simply just bad luck – it’s inevitable that end users will come across inappropriate content at one time or another. Limiting access to inappropriate content:

  • Minimizes risk from malware, risky apps and suspicious files
  • Reduces liabilities stemming from accessing inappropriate content
  • Mitigates zero-day phishing attacks and prevents access to malicious URLs
  • Allows users to focus on productivity while keeping them safe online

Private eyes…are (not) watching you

Jamf’s solutions watch for malicious traffic and prevent accessing URLs that are questionable at best or outright linked to bad actors at worst. We uphold user privacy and sensitive data being submitted via company-owned devices by never inspecting your personal data.

Not only that, but our filters extend beyond domains, such as helping to hide explicit content from Google Search results and hiding mature content on YouTube, including embedded videos and viewing comments, as well.

The enforcer

In a perfect world, you would simply request end-users abide by the organization’s Acceptable Use Policy (AUP). Unfortunately, the modern threat landscape is such that risk associated with accessing online resources is ever present whether users are following AUPs or not. As such, policy-based enforcement aligns content filtering and network threat prevention practices to organizational policies and/or regulatory compliance requirements, ensuring that risky behaviors, actions, downloads and web-based content are disallowed on company-owned devices.

In addition, policies can be configured to:

  • Customize context-aware management for different device types and supported OS’
  • Eliminate shadow IT to prevent the use of unauthorized tools and minimize data leakage
  • Aid organizations in complying with the regulatory requirements of their industry
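As an added example that is not Jamf code, the following Python decision engine shows the “prevention over inspection” model behind the sections above: every decision is made from the requested hostname and a category list, never from page content, and policies differ per group (students vs. staff) as the context-aware management bullets describe. Security categories (phishing, malware) are blocked for everyone and cannot be overridden by a group’s allow-list; unknown groups and unparseable URLs fail closed. All category names, domains (which use the reserved `.invalid` suffix) and group policies are constructed placeholders, not real feeds.

```python
"""Domain-based content-filter decision engine over constructed rule sets.

Added example, not Jamf code. Categories, domains and group policies are
constructed placeholders; decisions use only the hostname, never page content.
"""
from urllib.parse import urlsplit

# Constructed category lists. A listed domain also covers its subdomains.
# A real deployment would pull these from a curated or threat-intel feed.
CATEGORIES = {
    "phishing":    {"login-verify.example.invalid"},
    "malware":     {"payload.example.invalid"},
    "adult":       {"mature.example.invalid"},
    "filesharing": {"share.example.invalid"},
    "streaming":   {"video.example.invalid"},
    "education":   {"lms.example.invalid"},
}

# Threat categories are enforced for every group and can never be overridden.
SECURITY_CATEGORIES = {"phishing", "malware"}

# Per-group policy: categories to block plus an explicit allow-list override.
POLICIES = {
    "students": {"block": {"phishing", "malware", "adult", "filesharing", "streaming"},
                 "allow_override": set()},
    "staff":    {"block": {"phishing", "malware", "adult"},
                 # assumption: the file-sharing service is an approved staff tool
                 "allow_override": {"share.example.invalid"}},
}


def hostname_of(url: str) -> str:
    """Normalised hostname (lowercase, no port, no trailing dot); accepts bare host/path."""
    if "//" not in url:
        url = "//" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def categorize(host: str) -> set:
    """Categories whose listed domains match the host exactly or as a parent domain."""
    hits = set()
    for cat, domains in CATEGORIES.items():
        for d in domains:
            if host == d or host.endswith("." + d):
                hits.add(cat)
    return hits


def decide(url: str, group: str):
    """Return (action, reason). Fails closed for unknown groups or unparseable URLs."""
    host = hostname_of(url)
    if not host:
        return ("block", "unparseable URL")
    policy = POLICIES.get(group)
    if policy is None:
        return ("block", f"no policy for group '{group}'")
    cats = categorize(host)
    threats = cats & SECURITY_CATEGORIES
    if threats:                      # checked before any override
        return ("block", sorted(threats)[0])
    if host in policy["allow_override"]:
        return ("allow", "allow-list override")
    blocked = cats & policy["block"]
    if blocked:
        return ("block", sorted(blocked)[0])
    return ("allow", "not in a blocked category")


def filter_log(url: str, group: str, device_id: str) -> str:
    """Reporting line: records host, decision and category, never page content."""
    action, reason = decide(url, group)
    return (f"device={device_id} group={group} host={hostname_of(url)} "
            f"action={action} reason=\"{reason}\"")


if __name__ == "__main__":
    for url, group in [("https://www.login-verify.example.invalid/account", "staff"),
                       ("http://share.example.invalid/x", "students"),
                       ("http://share.example.invalid/x", "staff"),
                       ("lms.example.invalid/course/1", "students")]:
        print(filter_log(url, group, "ipad-017"))
```

The ordering inside `decide` is the design point: the threat check runs before the group allow-list is consulted, so a convenience override for a productivity tool can never reopen a phishing or malware domain, and the log line carries enough for the reporting the article describes without recording what the user read.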

Full house

Keep track of it all and never miss a beat with device usage statistics and seamless integration with your existing first- and third-party tools. Seamless integration with solutions like Jamf Pro and Jamf School, for enterprise and education-focused mobile device management respectively, facilitates simple, yet intuitive syncing between solutions.

Unlock deep visibility into network-based threats impacting your endpoints while using the insight to develop granular workflows specifically tailored to meet the needs of your users. Merging internet safety solutions with a platform you already trust – right out of the box!

Key Takeaways:

  • “Prevention over inspection” approach upholds user privacy without compromising safety on the internet
  • Give students and users the freedom to learn and work anytime, anywhere
  • Intelligent rule sets ensure that only acceptable websites are accessible
  • Reduce legal exposure from access to inappropriate content
  • Maximize user productivity stemming from non-compliant use of online resources
  • Limit the risk of data leakage or exposure from shadow IT and unauthorized app/service usage
  • Context-aware management adapts policies to different groups of users and devices, extending protections across your entire fleet
  • Customize content filtering and network threat protections to meet the unique needs of your organization – including devices, users and data security requirements
  • Support for any modern device and ownership level – iOS, iPadOS, Android and Windows
  • Minimal resource utilization + same-day support = low impact on the user experience

Choosing between user safety on the internet or keeping confidential data protected isn’t much of a choice.

Get both! (and a whole lot more) when choosing Jamf, the comprehensive endpoint security solution that provides defense-in-depth protection for your entire fleet.


Introducing Jamf How-to Video Shorts


Check out Jamf how-to video shorts for no-nonsense training and support tutorials from your Jamf Customer Success team.

Author: Jamf

Date: 22 November 2022

It’s another chaotic day managing the queue of help desk tickets, ensuring users have the apps they need to stay productive, and triaging hardware. You’ve just received a notification that your Apple Push Notification service (APNs) certificate is due to expire in a week. It’s been nearly a year since it was renewed, and the process to do so is a little foggy, but you know it’s important that devices maintain communication with Jamf; allowing this certificate to expire could compromise everything with your devices.

At Jamf, we appreciate the value of providing context and the ‘why’ around technology. Why is APNs so important? Why should we enforce secure passcodes? Why worry about chains of trust? For many of our users, these questions have been asked and answered, and that’s why we’re releasing Jamf Shorts, or Jorts. Jorts are succinct videos that bypass the ‘why’ and jump right into the ‘how’.

What are Jamf Shorts good for?

We’ve designed Jorts to demonstrate common tasks, relieve pain points, and move on with your day. Need to renew that APNs certificate? See our ‘How to Renew a Push Certificate in Jamf Pro’ video for a no-nonsense tutorial on how to do just that. In minutes, you can be confident the above scenario will be resolved and you can safely point your IT extinguisher toward the next fire.

Jamf Shorts are a new addition to our Jamf Training and Support YouTube channel, and we’re thrilled to provide tutorials that are to-the-point and can save you some searching. This quarter, we’re committed to providing token and certificate renewal videos to help you keep services active with Jamf Pro, Jamf Now and Jamf School. In 2023, you can expect regular releases on our YouTube channel for common workflows and troubleshooting.

Ready to watch?

Check out the Jamf Training and Support channel on YouTube and subscribe.


A holistic approach to security: Self Service


You may think of Jamf’s Self Service offering as a convenience, and perhaps an inventory-management and cost-savings tool. And you’d be right. But it’s also a powerful security tool in guarding against third-party app breaches.

Author: Jamf

Date: 22 November 2022

What is Self Service?

Self Service from Jamf is a curated app catalog— a powerful way to manage and secure third-party apps. It’s also a way to empower and equip employees on the spot with the productivity tools they need.

Self Service is obviously a great tool for saving end-users waiting time, and for saving IT time they could be focusing on other work rather than installing applications.

But it’s a lot more than that.

Self Service as security tool

There are many ways that an organization’s network and data can be compromised; one of the most risky is third parties. According to a September 2022 study by the Ponemon Institute, 59 percent of respondents reported third-party vendors have caused a data breach at their companies.

It’s easy to see how this can happen; without automated device management, even conscientious IT staff choosing well-known and trustworthy apps can lose track of who has what apps and what state they are in. And if IT gives employees free rein, it’s easy for staff to download apps from unsafe sources, leaving them (and, subsequently, your network) open to phishing attacks— as well as their devices open to malware.

Even if employees are carefully trained to avoid dangerous domains and untrustworthy sources, if IT doesn’t know an app is on a device, they can’t ensure it’s the most recent version or that it’s received important security patches in a timely fashion.

This leaves organizations open to attack, and businesses can’t afford to ignore this risk.

Okay, then— why not shut down all outside apps?

For the vast majority of companies, this won’t work. Re-creating common productivity apps like email, word processing and spreadsheet software simply is not feasible. And without industry-specific apps such as Adobe Suite for designers, Atom or Notepad++ for developers, or Salesforce for marketers— you won’t get much done.

How about just shutting down most apps?

Or, perhaps just shutting down apps that allow certain activities that might feel risky such as messaging or filesharing?

Well, as Jamf CEO Dean Hager says, “People will find a way to be productive.”

Most employees want to do a good job, and they want to get things done in an efficient manner. If your organization shuts down any way for employees to communicate in real-time from varying locations, or to quickly share files when working on projects together, employees will figure out a way. This often means that they disable security protocols that they see as getting in the way of their ability to work or that they use unsecured personal devices.

How does Self Service help secure devices and data?

When employees have access to fully-vetted and approved applications on demand, they are far more likely to download these apps for their work than similar ones that are possibly unsafe.

This means Apple administrators know which machines have what apps on them, and they can ensure that all apps are automatically patched and updated.

And employees can rest easy knowing that anything they download from Self Service has not only been fully vetted, but also continually and automatically monitored.

Self Service also allows IT to have more control over who uses which apps, which can help to protect devices and data along with permissions levels. Using Smart Groups, Apple admins can:

  • Personalize app access by department, language, user role or location
  • Integrate with directory services and cloud identity
  • Allow for requests for apps that aren’t currently available

Employees receive real-time notifications for security enhancements and app updates, as well.

Self Service ensures that your organization has control over third-party apps and the potential risks that might arise. It also provides employees with flexibility, choice and a good user experience— without slowing them down or holding them back.

Learn how Self Service can keep your employees safe and productive.


Adopt macOS Erase All Content and Settings for fast and secure redeployment

macOS Monterey brought us the ability to only remove user data instead of the OS when wiping Macs. With the release of Ventura, it’s time to make this standard practice: read this blog to learn how.

Jamf Blog has maintained a series of posts for the past few years titled “Reinstall a clean macOS with one button”. The idea for reinstalling a clean operating system was born out of an axiom administrators have followed which is to always erase and reinstall computer drives before repurposing them, preparing to retire them, or when troubleshooting has failed.

Apple is practically eliminating this need to erase and reinstall everything and replacing it with just needing to erase the data — leaving the operating system behind. If that makes administrators or security professionals a little queasy, that’s understandable. They’ve been following this erase/reinstall practice since the computer started taking a permanent place on the desktop in the 1990s.

However, “because that’s the way it’s always been done” isn’t a reason to avoid this new feature that only came to macOS last year with Monterey. Let’s review:

  • How Erase All Content and Settings works
  • The road to Erase All Content and Settings on macOS
  • The security of Erase All Content and Settings
  • Running Erase All Content and Settings
  • When we may still need to completely erase and install

Our goal should be to move the practice of erasing the entire Mac disk to its own little isolated island in the middle of the Dead Sea.

How Erase All Content and Settings works

For more than a dozen years — at least since the iPhone 3 — iOS has supported Erase All Content and Settings. Apple designed this feature from the ground up to be a secure method for resetting an iPhone without having to reinstall iOS. Remember, the iPhone was a consumer product first, and Apple needed to make this process consumer friendly.

They did two things.

First, the data storage on iPhone has always been encrypted. Adding a PIN code gave the consumer a means to decrypt the device for use and a way to protect their data when not in use. But Apple never gave the consumer direct access to the iOS operating system itself. It couldn’t be altered.

Next, the iPhone storage was partitioned into a read-only operating system partition and a writeable data partition. The operating system partition only changed when applying an update. It remained read-only and unchangeable during normal use.

When the consumer was ready to sell their iPhone or maybe hand it over to a family member to use, the Erase All Content and Settings feature simply deleted the encryption key to the data partition and left the operating system partition alone. The benefit was speed and convenience. The operating system was always there and didn’t need reinstalling, and it was as up-to-date as the last update applied.

Diagram showing how Erase All Content and Settings preserves the operating system while making customer data unusable and over-writable

The road to Erase All Content and Settings on macOS

The Mac, though, didn’t have this speedy and convenient option until very recently. That’s because it had to go through a series of major changes over time to match the level of security built into iOS from the start.

The line where the transition began is blurry, but a good place to start is with OS X El Capitan 10.11, which is when Apple introduced System Integrity Protection (SIP). SIP was the beginning of protecting the Mac operating system from external threats like malware, or even administrators, by removing their ability to modify it directly. Doing so required them to now boot to the Recovery HD to disable SIP first. And this could only be done by a human sitting in front of the computer.

Over the next several major releases, more and more of the operating system fell under SIP. To further increase security, Apple introduced its Apple File System (APFS) with macOS High Sierra 10.13, setting the stage for some major under-the-hood changes with how it could handle data on the drive. And it tied the operating system to specific hardware models by requiring firmware. That installation process required an Internet connection to download the machine-specific firmware version.

Apple introduced another new security feature starting in 2017 that was specific to the hardware not the operating system — the T2 security chip. This chip along with the Apple Silicon chip introduced in late 2020 became important for securing macOS installs. Just like iOS devices were encrypted out-of-the-box, these chips enabled Mac disks to be encrypted out-of-the-box.

In March 2018, Apple introduced the startosinstall command in its macOS High Sierra 10.13.4 installer. It included an --eraseinstall option for completely erasing the operating system on a disk (plus its user data) and then installing a clean macOS. Because startosinstall was a command line tool, it was easy to invoke remotely on Macs. No longer did a technician need to sit in front of the computer and boot it to an external drive to prepare it for something else.

macOS Catalina 10.15 started the process of dividing the computer’s disk into a read-only operating system partition and a writeable user data partition. This was the first obvious sign that Erase All Content and Settings was coming. It also laid the groundwork for macOS Big Sur 11.0 to introduce signing for the system volume, which goes through a rigorous checksum validation process at both installation and each boot to ensure its integrity.

Finally, when all the pieces were in place, macOS Monterey introduced Erase All Content and Settings to the Mac. The new process was a speedy 4-5 minutes compared to using the startosinstall command with the --eraseinstall option, which could take 20 minutes on a fast Mac or longer depending on the model.

Timeline of macOS operating systems

The security of Erase All Content and Settings

A local computer admin can invoke Erase All Content and Settings. It does several things:

  • Signs the end user out of all Apple services, such as iCloud
  • Removes fingerprints from Touch ID
  • Unpairs Bluetooth accessories
  • Turns off Find My Mac and Activation Lock
  • Erases apps, data, and user settings
  • Erases all other volumes, including system volumes created using Boot Camp

Similarly, sending the EraseDevice command from a Mobile Device Management (MDM) server like Jamf Now, Jamf Pro or Jamf School will invoke Erase All Content and Settings on macOS Monterey and Ventura computers instead of wiping the entire drive.

The first thing Erase All Content and Settings will do is verify the operating system hasn’t been modified or corrupted. How does it know?

This is where the T2 or Apple Silicon chip becomes important. Each chip contains an area called the Secure Enclave. The Secure Enclave stores a cryptographic key that’s specific to each Mac. That cryptographic key is what allows the computer to unlock the signed system volume. (Remember, the system volume is encrypted out-of-the-box.)

If the cryptographic key doesn’t match the signed system volume, Erase All Content and Settings will display an alert indicating the macOS needs reinstalling. It won’t allow a modified or “corrupt” macOS system to remain on the computer. And the only way to get a new operating system is from Apple.

But what stops an admin from installing their own modified operating system? It’s still possible, but only when the security of the Mac has been lowered from Full Security to Permissive Security (Apple Silicon) or No Security (Intel). This type of security is intended for developers who need to test low-level software.

Erase All Content and Settings then does one more very important task. If the security level of a Mac was lowered from Full Security to a lower security setting, it’ll reset the level to Full Security, restoring all the security mechanisms from the Secure Enclave and the cryptographically signed system volume.

To verify the security level of any Intel or Apple Silicon Mac using Jamf Pro, navigate to the computer record and select Inventory > Security. Alternatively, create an advanced computer search or smart computer group with the Secure Boot Level criterion to create a list.

Dashboard stating the security level of your Mac on Jamf Pro

Just know that even if Jamf Pro reports reduced security, simply running Erase All Content and Settings or the EraseDevice command successfully will restore the Mac to its most secure settings prior to preparing it for another purpose.

Running Erase All Content and Settings

An end user can run Erase All Content and Settings directly from the computer itself or an MDM administrator can send the EraseDevice command to one or more computers. Both have the same requirements:

  • Intel computers must have a T2 security chip
  • All Apple Silicon computers support Erase All Content and Settings
  • The computer must be running macOS Monterey 12.0 or newer
  • If running the command from the computer itself, the current login account must be an admin and have the necessary credentials to sign out of iCloud

To run the command on macOS Ventura, open System Settings (formerly System Preferences) > General > Transfer or Reset and click Erase All Content and Settings. The Erase Assistant first prompts for administrator credentials to continue.

Erase all content and settings button in macOS Ventura

The Erase Assistant will then provide a summary of what’s about to happen.

macOS erase assistant window

If the computer is connected to iCloud, the administrator is prompted for the password of the account’s Apple ID.

macOS sign out window

After authenticating, the end user is given one last warning that all data, settings, and apps will be erased and that it cannot be undone.

Final warning window before erasing all content and settings from macOS

The computer will restart temporarily into the Recovery Assistant to Activate the Mac. It’ll restart again in about 60 seconds if the end user takes no action. Again, during this process, the Mac is using the cryptographic key stored in the Secure Enclave to verify the integrity of the installed macOS and, if necessary, returning its security level to Full Security.

If the end user sees “Hello” appear in multiple languages after about 4-5 minutes, the computer has effectively been restored to out-of-the-box settings with Full Security enabled. If instead they see a message that macOS must be reinstalled, the current system was found corrupt. They can proceed through the Recovery Assistant to download and install a pristine macOS system.

But what happens if an MDM administrator sends an EraseDevice command while the computer is signed in with an iCloud account?

First, to send the EraseDevice command to just one computer from Jamf Pro, navigate to the computer record and click Management > Management Commands > Wipe Computer. If the computer supports Erase All Content and Settings (see the criteria listed earlier), it’ll proceed with erasing just user data and settings. But be careful. The same button will erase everything (operating system, user data and settings) on computers that don’t support Erase All Content and Settings.

Wipe Computer command in Jamf Pro

Sending the command may require two things: enabling the Clear Activation Lock instruction and providing a Remote Wipe Passcode.

Clearing Activation Lock effectively disconnects the computer from an iCloud account and providing a Remote Wipe Passcode is only effective if the computer has Remote Lock enabled. If Remote Lock isn’t enabled, any arbitrary six-digit number will work. After clicking Wipe Computer, the administrator must confirm one more time they wish to proceed.

Jamf Pro dialog box for removing activation lock from macOS

Note that if a computer isn’t connected to iCloud, or it was enrolled using a Jamf Pro PreStage Enrollment that prevented Activation Lock, then the option to disable Activation Lock doesn’t apply. The administrator may receive a message that Activation Lock couldn’t be cleared. They can just proceed anyway by clicking OK.

Message box reading Activation lock could not be cleared. 404-device not found or activation lock bypass is invalid. Click OK to wipe the computer without clearing Activation Lock.

Sending the EraseDevice command to multiple computers is only possible today using the Jamf Pro Classic API. It’s not supported using the Action button at the bottom of an advanced computer search or smart computer group. It’s also not supported yet using the newer Jamf Pro API.

The basic script syntax for sending the EraseDevice command to a computer using the Classic API looks something like:

/usr/bin/curl \
--header "Authorization: Bearer tokenStringHere" \
--header "Content-Type: text/xml" \
--request POST \
--silent \
--url "https://talkingmoose.jamfcloud.com/JSSResource/computercommands/command/EraseDevice/passcode/123456/id/1,5,18,24"

The “123456” string in the last line represents the six-digit passcode required to remove the computer from Device Lock and the “1,5,18,24” string represents a list of computers by their Jamf IDs. The Classic API only supports identifying computers by their IDs.
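The following is an added example, not code from the original post or from Jamf: a small POSIX shell wrapper around the Classic API call above that validates the six-digit passcode and the numeric ID list before composing the URL, and that defaults to a dry run because, as noted earlier, the same command erases the entire drive on Macs without a T2 or Apple Silicon chip. The function names, the CONFIRM_WIPE switch and the JAMF_TOKEN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Jamf's own code). Wraps the Classic API EraseDevice call
# so that inputs are checked first and nothing is sent unless explicitly allowed.
# Function names, CONFIRM_WIPE and JAMF_TOKEN are assumptions of this example.

# The Remote Wipe Passcode must be exactly six digits.
valid_passcode() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# The Classic API identifies computers only by numeric Jamf IDs,
# given as a comma-separated list such as "1,5,18,24".
valid_id_list() {
  case "$1" in
    ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;
    *) return 0 ;;
  esac
}

# Compose the EraseDevice URL: $1 = Jamf Pro base URL, $2 = passcode, $3 = ID list.
erase_device_url() {
  valid_passcode "$2" || { echo "passcode must be exactly six digits" >&2; return 1; }
  valid_id_list "$3"  || { echo "ids must be a comma-separated list of numbers" >&2; return 1; }
  printf '%s/JSSResource/computercommands/command/EraseDevice/passcode/%s/id/%s\n' \
    "${1%/}" "$2" "$3"
}

# Send the command. Refuses to send unless CONFIRM_WIPE=yes, since on Macs that
# do not support Erase All Content and Settings this wipes the whole disk.
send_erase_device() {
  url=$(erase_device_url "$1" "$2" "$3") || return 1
  if [ "${CONFIRM_WIPE:-}" != "yes" ]; then
    echo "dry run (set CONFIRM_WIPE=yes to send): POST $url" >&2
    return 0
  fi
  # The bearer token comes from the environment rather than being pasted into
  # the script; note the closing quote on the Authorization header.
  /usr/bin/curl \
    --header "Authorization: Bearer ${JAMF_TOKEN:?JAMF_TOKEN not set}" \
    --header "Content-Type: text/xml" \
    --request POST \
    --silent --show-error --fail \
    --url "$url"
}

# Dry-run demonstration with a constructed server name and IDs.
send_erase_device "https://example.jamfcloud.com" 123456 "1,5,18,24"
```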

For a more complete script, see this GitHub gist.

Using the Classic API to send the EraseDevice command to multiple Macs is especially beneficial to administrators of school lab Macs that need refreshing between quarters or semesters. This along with the PreStage Enrollment option to automatically advance through the Setup Assistant has the potential to make the entire refresh hands-free.

When we may still need to completely erase and install

Is the startosinstall command with the --eraseinstall option dead?

Not quite yet. The two macOS systems that support Erase All Content and Settings, Monterey and Ventura, still run on a handful of older computer models that don’t have T2 security chips. Until Apple ships an operating system that only runs on computers with T2 or Apple Silicon chips, the startosinstall command still has its place in the administrator’s toolbox.

We can foresee a time a few years from now when Apple releases a macOS version that requires a Secure Enclave. Like iOS and iPadOS today, the need to reinstall a clean macOS will likely be limited to certain developers who work at low levels of the operating system between the kernel and the hardware. The average and not-so-average device administrator will likely never work at that level.

Then what? Erase All Content and Settings is just one feature in a long journey of Apple development that will likely drive both macOS and iOS closer and closer until one day there’s just one OS for all devices. It’s a slow process, but it’s also easy to see Apple has been aggressive in making it happen.

For now, take away that Erase All Content and Settings is the replacement for startosinstall. And it’s a secure method for deleting user data as well as restoring a computer to out-of-the-box settings.

Let Jamf Pro streamline your redeployment process.

Using Microsoft, Google and other identity providers with Jamf School

From the Bett 2022 conference in London, Anthony Darlow delivers a presentation explaining how to work with your school’s identity provider to import, authenticate and synchronize user and device data to Jamf School.

“Microsoft, Google & Co: making the most of your identity provider” from the Bett 2022 conference in London tackles the issue of getting Jamf School to work optimally with your identity provider of choice, such as Google or Microsoft Azure. Identity impacts various actions that you can perform within Jamf School, including enrolling devices, assigning users and creating Smart Groups and classes. But there can be challenges that arise from having to authenticate and synchronize data that has been imported from multiple sources – CSV files, Apple School Manager and an LDAP server, for instance.

In this talk, Jamf education consulting engineer Anthony Darlow explains how to create configurations to get a single directory of identities ready for use in zero-touch deployments, device management and classroom tools such as Apple Classroom and Jamf Teacher.

Import, authenticate, synchronize

One use case that Darlow addresses is when a school has a fleet of both 1:1 and shared devices. The 1:1 devices are paired to user data stored in an LDAP server, but it makes the most sense to import the shared devices directly into Jamf School. By taking advantage of Apple School Manager and its federated authentication functionality with Microsoft Azure, you can create a configuration that authenticates, synchronizes and matches all identities imported from various sources.

Darlow walks viewers through several configuration approaches, noting their advantages and shortcomings based on what a given school needs. He outlines some alternatives for viewers who may have different needs; for example, you can bypass the LDAP server entirely if you would rather feed identities directly into Jamf School via its built-in Import functionality. The talk culminates with a configuration that performs the following functions in order:

  1. Synchronizes with an LDAP server to import users and groups
  2. Imports additional users and groups from CSV files
  3. Syncs with Apple School Manager (using federated authentication with Microsoft Azure) and matches with the users imported from LDAP
  4. Creates device Smart Groups for use in automation scripting or zero-touch workflows
  5. Authenticates all identities using Microsoft Azure

It can be a headache to make sure that all your identity data is properly combined and ready to use when it originates from different sources. This talk can help you to understand how to best work with your identity provider and optimize the power of its relationship with Jamf School.

A holistic approach to security: Identity and Access Management

Identity and Access Management (IAM) extends far beyond the simple notion of authenticating users. While that is certainly a central point, modern work environments require changes to IT infrastructure for users to remain safe while being productive from any device, over any network while physically being anywhere. That’s where the modernized IAM workflows coupled with first- and third-party integrations are critical to extending access through greater flexibility while enhancing security for all stakeholders.

Author: Jamf
Date: 17 November 2022

When you think of identity and access, usually the first example that pops into many an IT admin’s mind is authentication. Digging a little deeper down the rabbit hole, we come to provisioning user accounts. This leads us to the ever-present 800-lb gorilla in the room – passwords.

It’s a simple workflow and one that has served as the cornerstone of securing access to resources from unauthorized users. A combination of eight to twelve characters and numbers – maybe a few more if your organization wants to make the password a bit tougher to crack – is all that stands between a bad actor and critical organizational data or sensitive personal and user privacy data.

But…is that enough? Before you answer that, ponder the following statistic and continue to read on why exactly IAM matters when establishing identity and access workflows within your organization.

“One-third (29%) of organizations had at least one user fall for a phishing attack in 2021.” – Jamf Threat Labs

Why IAM matters

Effectively protecting resources from the modern-day threat landscape means more than just a strong password. While that’s still important no doubt, as the statistic above points out nearly a third of organizations will experience at least one authorized user falling victim to a phishing attack. This means that regardless of the relative strength of the affected user’s password or which password policies are implemented to limit password weakness – neither of these practices will do anything to prevent unauthorized access if the user simply hands over their credentials.

To address this in addition to other security challenges affecting access management and user authentication, IAM solutions must work with security. After all, it makes sense that management and security workflows – both working toward keeping organizational resources secured – should draft off the same infrastructure, doesn’t it?

Jamf Connect is a perfect example of how this interconnectivity between IAM and security works to not only secure authentication, but also continually access resources securely by ensuring that workflows are consistent and in alignment with everything else a user interacts with, regardless of the device.

Modern authentication

Identity is firmly ingrained in securing everything from devices and user accounts to organizational resources; it is already something organizations are investing in and relying upon to drive the employee experience. By pairing this with cloud identity providers, such as Google, Microsoft and Okta, alongside many others, IT can enable zero-touch deployment and streamline account provisioning based on user cloud identity attributes, with management that extends far beyond the physical walls of the office.

This not only ensures that a user-friendly IAM solution authenticates corporate apps on all devices, including mobile, but extends to all organizational resources – on-premises and cloud-based – securely managing access regardless of device type, ownership level or where the user may be working from.

Policy enforcement

Access policies built into IAM solutions help fortify security in a number of ways. One such way is incorporating policy-based device risk assessments, so that IT and Security teams ensure the device’s risk posture is considered. Let’s revisit the example above where a user’s password was provided to a bad actor during a phishing attack. A policy that is tied to conditional access, by integrating with Microsoft or Google, would result in a workflow that automatically limits user access permissions tied to the compromised credentials, effectively restricting access to organizational resources.

Another example leverages Zero Trust Network Access or ZTNA which we’ll cover a bit later. By utilizing ZTNA – a central component of Jamf Private Access – an authorized user is required to allow access to critical business apps. Additionally, an authorized device policy restricts access only to devices in your fleet that are allowed by IT and Security teams.

Modern threat landscape

Just as the modern computing landscape has vastly changed work environments through the adoption of mobile devices and organizations migrating to remote/hybrid work environments, the modern threat landscape has evolved much to our chagrin, challenging bad actors to develop clever, yet novel ways to continue targeting your devices and users in their quest to obtain organizational data.

Effective IAM solutions require adaptive and flexible security controls that extend far beyond the office’s network perimeter. One such practice evaluates a device’s risk posture, as we mentioned previously, but continues to do so throughout the duration of the session. After all, making sure a device isn’t compromised before permitting access is one thing, but what happens if it drops out of compliance during the session? The end result would still be the same – unauthorized access.

To mitigate this risk, continuous risk assessment through ZTNA or conditional access leverages context-aware policies that grant or deny access to sensitive data, apps and resources, while the cloud-based nature offers IT effective, scalable network protections to meet the demands of their unique needs. All without needing to manage security appliances, complex software configurations or expensive support contracts.

More than just connecting users to resources

We keep stressing the word modern because it’s important to distinguish between merely providing an authentication mechanism and the myriad protections afforded beyond authentication by a true identity and access management solution.

Think of IAM as a puzzle piece. While it is a solution in its own right, capable of operating independently, it’s far more potent when paired with other solutions as part of a larger defense-in-depth strategy. Not unlike the puzzle piece that is an image unto itself, the entire picture isn’t revealed unless all the pieces fall into the correct placement.

Some of the security benefits are inherent while others are made possible by integrating with first- and third-party solutions, such as:

One password to rule them all

Unifying identity management across all enterprise apps and organizational resources is something we touched upon earlier. Standardizing protections across your entire infrastructure, particularly the various managed and unmanaged devices that access it, is made possible by enabling Single Sign-On (SSO). Not only does this streamline access management for IT, but the simplified workflow sees users needing to remember only one password – not juggling multiple credentials that may (or may not) be out of compliance with company policies.

Furthermore, SSO eases the burden of managing multiple services, each with its own set of credentials by synchronizing passwords between corporate resources and your Mac endpoints in the background, delivering IdP that works for all stakeholders.

Two’s better than one

Passwords are a mixed bag when it comes to security. While it is an accepted aspect of securing access to resources, it isn’t without its headaches – both from an administrator’s perspective and the user’s. Add to that what we stated previously about password security and how, despite best efforts, a phishing attack can rather easily side-step all but the strongest of controls and we find ourselves wishing for something better, and more effective when protecting resources.

Multi-Factor Authentication (MFA) provides just that by requiring users to attest that they are who they claim to be using a combination of factors:

  • Something you know
  • Something you have
  • Something you are

Enabling this functionality within Jamf Connect and your IdP ensures that it’s the right user on the right device requesting access to organizational resources, minimizing the risk of sensitive data getting into the wrong hands.

Never trust – always verify

We mentioned ZTNA earlier and in this section, we’re going to discuss a few of the benefits to security that organizations can gain by extending IAM with ZTNA.

First, microtunnels. The concept of tunneling data is not new in the security world. VPN has been doing so for decades, after all. But remember, we’re discussing modern solutions – not legacy ones – and legacy VPN certainly has several security challenges that only ZTNA can and does resolve when set against the backdrop of the modern threat landscape.

Microtunnels are one of these solutions, with each protected resource requiring its own unique microtunnel when users request access. Instead of granting access to the entire network like legacy VPNs, ZTNA utilizes independent microtunnels to secure access to each resource. This is done to ensure traffic is segmented from one another to prevent lateral network attacks, but also ensures that if an app becomes compromised, access need only be denied to the affected app – leaving users to remain productive on unaffected apps/resources while IT resolves the issue.

Another challenge ZTNA addresses is network bandwidth utilization, since it operates each microtunnel on-device and in-network without requiring traffic to be backhauled through VPN hardware. An additional benefit of performing so efficiently is the use of split-tunneling technology that automatically identifies business traffic, securing it through a microtunnel while non-business traffic is routed directly to the internet — both preserving user privacy and securing organizational data without compromising either.

The best of all worlds

Expanding capabilities to take advantage of first- and third-party solutions is a powerful ability in a modern IAM. One that should not be overlooked when considering that security, much like technology, evolves at such an incredible pace. Perhaps in the past, your organization only required an on-premises IdP and MDM solution to holistically manage your Apple fleet. But today, the organization relies on its employees working remotely and as such, today’s needs require cloud-based IdP, MFA and MDM solutions just to get the device and identity management portion of your infrastructure operating.

Fast forward and perhaps that requirement expands to include mobile threat defense and greater access management capability, such as ZTNA. A flexible IAM solution will make all the difference in the world when addressing the current and future needs of your organization.

Consider passwords once again. What if we told you there is a way to implement an MFA solution to provide an additional layer of security to access requests while eliminating passwords altogether? Is passwordless Mac authentication even possible or secure?

Yes, and absolutely yes! (Dare we say, even more secure.)

Enter Jamf Unlock, the passwordless workflow made possible when integrating Jamf Connect + Jamf Pro and an iOS-based device running version 14.0 or later. Because passwords themselves can create security holes, including those stemming from exposure due to data breaches, loss from phishing attacks or merely being too weak or easy to guess, a passwordless authentication workflow can bypass these security issues entirely. All while keeping your workforce secure and data protected while providing a seamless end-user experience.

Key Takeaways:

  • Identity and Access Management is a critical step to meet the needs of the modern “work anywhere” workplace
  • An integral component in an effective defense-in-depth strategy of layered security solutions that work together to mitigate threats
  • Enable zero-touch deployments and streamline account provisioning workflows leveraging cloud IdP
  • Policy-based IAM aligns account management with organizational policies, standardizing and extending them across all devices in the infrastructure
  • Enable simplified authentication workflows that leverage SSO and MFA to both enhance and secure the user experience
  • Expand capabilities by integrating with first- and third-party solutions to meet your needs today – while providing the foundation to meet future needs
  • Bypass password-based security issues entirely by seamlessly implementing a passwordless authentication workflow with Jamf Unlock

Are you still relying on strong and complex yet easily forgotten or lost passwords to keep organizational resources safe?

Get out of the past! Live in the passwordless future with a modern identity and access management solution.

ZecOps acquisition expands Jamf’s mobile security capabilities

What does Jamf’s purchase of ZecOps mean for Jamf solutions? And how can IT administrators take advantage of these advanced mobile security features?

Author: Jamf
Date: 17 November 2022

Jamf completed its acquisition of ZecOps, and many are wondering what this means for our solutions — and how to take advantage of these exciting new mobile detection and response features.

This acquisition helps IT and security teams strengthen their organization’s mobile security posture and accelerate mobile security investigations from weeks to minutes. It also uses known indicators of compromise (IOC) to detect intrusion attempts or other malicious activities at scale and helps identify sophisticated 0- or 1-click attacks on a much deeper level.

And this added security arsenal for any organization couldn’t have come at a better time. Mobile devices now account for 59% of global website traffic, and according to the 2022 Verizon Mobile Security Index, close to half (45%) of surveyed companies have suffered a compromise involving a mobile device in the past 12 months.

Jamf already offers robust management and mobile security capabilities for iOS devices. However, access to deeper insights into potential security exploits is technically challenging and requires physical access to the device, which is difficult in a remote work environment. The ZecOps acquisition will provide a deeper layer of insight and assurance for security-conscious customers who must protect company data as well as mobile users with access to sensitive information.

ZecOps will offer customers unprecedented detection capabilities to identify mobile exploits similar to the rich telemetry offered by Jamf Protect for Mac.

Test these iOS Security features for yourself.

A holistic approach to security: Endpoint Protection

Comprehensive endpoint protection provides modern threat landscape protection to your entire fleet of Apple endpoints and mobile devices. By protecting against new and evolving threats through effective and efficient defense-in-depth strategies, Jamf endpoint security solutions are not only best-of-breed, but their powerful and flexible workflows help organizations like yours to succeed with Apple at work without compromising data security, user privacy or end-user productivity.

Author: Jamf
Date: 15 November 2022

Picture it: Earth, 1999. While its global citizens awaited the turn of a new century, there were many that were fearful of this new millennium. Scared that, at the stroke of midnight, society’s computing systems would break, fail, turn on humankind or worse, take over as our robot overlords.

Ok, maybe not that last part so much, but suffice it to say many were worried that the “Y2K bug” was going to be far worse than what actually occurred.

TL;DR the world ushered in the year 2000 while listening to Prince’s 1999 with nary a hiccup. The next business day, it was business as usual. IT admins and users updated the antivirus software on their computers and continued working like it was just another Monday morning. That was the extent of the infamous Y2K problem, and the solution – patch your computers and keep your antivirus updated – was the endpoint security of the time.

A little over two decades later, the modern threat landscape has changed to keep pace with changes in modern computing: companies are migrating to remote and hybrid work environments, adopting Apple in the enterprise and supporting varying levels of device ownership, all in service of permitting users to work:

  • Where they feel most comfortable
  • On their preferred device
  • From anywhere and at any time

Merely installing antivirus on your computer is both wholly inadequate and asking for trouble, as threat actors have an entire arsenal at their disposal to compromise your fleet of devices, target all users and access critical or sensitive organizational data for their own nefarious purposes.

Protect against new and evolving threats

Alas, it’s a brave new world and that includes a whole slew of threats and attacks that impact the security of your endpoint – regardless of whether users are at the office or home, connected to any network, or on macOS, iOS, Android or Windows.

Malicious code is still very much a thing to be wary of, but here are some of the security challenges that have evolved in the modern threat landscape and that Jamf endpoint security solutions protect against:

  • In-network attacks
    • Man in the Middle (MitM)
    • Zero-day phishing attacks
      • SMS
      • Email
      • Social media
      • Messaging
    • Lateral movement attacks
  • On-device attacks
    • Living off the land (LotL)
    • Malware
      • Spyware
      • Trojans
      • Ransomware
      • Cryptojacker
      • Potentially unwanted programs (PuP)
    • Unauthorized data exfiltration

And while some of these threats carry identifiable fingerprints that can tip IT and Security admins off to their whereabouts, an increasing number of bad actors are combining threats, employing the latest tactics to remain unknown, and therefore able to carry out attacks stealthily over time.

Jamf Threat Labs

You may be thinking, how can you possibly stop that which you cannot see? With Jamf Threat Labs, that’s how. Jamf’s team of cybersecurity experts and data scientists works tirelessly to assess macOS and iOS-based endpoints, performing threat hunting to successfully identify and prevent both novel and unknown threats from affecting your Apple fleet. Not only are they great at what they do, but their research feeds the threat intelligence engines that drive Jamf’s endpoint security solutions. By incorporating their findings, advanced behavioral analytics and frequently updated YARA rules work in tandem to detect unknown threats and mitigate security threats that may be lurking within your fleet before they have a chance to escalate to something worse, like a data breach.

Monitor

In addition to the Jamf Threat Labs team constantly monitoring macOS and iOS-based operating systems across the expanding threat landscape to identify and thwart the latest threats facing organizations, Jamf’s endpoint security solutions actively surveil endpoints for known, unknown and suspected threats.

This minimizes risk from various Apple-focused and mobile device security threats while serving as one of the foundational components in the comprehensive, multi-prong endpoint security protections. Jamf solutions keep a watchful eye over your organizational devices and users by:

  • Consistently and actively monitoring endpoints 24/7/365
  • Gathering rich telemetry logging and reporting data
  • Providing insight into device health, aiding compliance auditing

Detect

Keeping vigil over endpoints is just one aspect of protection; the next is identifying threats. Whether known, unknown or suspected – IT and Security administrators will have visibility into device health, including real-time alerts that inform stakeholders of detected threats that affect their devices.

Further still, logging data is gathered for each endpoint, providing in-depth information about the security of your entire fleet. The rich telemetry data collected serves administrators well in not only identifying what risks impact their endpoints but also allows them to:

  • Perform threat hunting to identify potential threats
  • Leverage granular information to refine protections
  • Mitigate risky behaviors to reduce potential attack vectors

Prevent

Every threat, like malware, is a potential risk of exposing user and/or company data, so it’s important that organizations choose an endpoint protection solution that specializes in detecting the unique and evolving threats that target users on Mac and mobile devices – inside and out.

The on-device and in-network protections provided by Jamf endpoint security solutions mean faster detection, notification and threat response to known and unknown threats thanks to our:

  • Advanced machine learning (ML) and threat intelligence engine – MI:RIAM
  • Customizable behavioral analytics mapped to the MITRE ATT&CK Framework
  • Data policy enforcement ensures data remains only on secured, compliant storage
  • Blocking of network threats, such as phishing, malicious downloads and command and control (C2) traffic, including risky domains

Remediate

Even with increased visibility and compliance, granular reporting, real-time alerts, advanced threat intelligence and protection against novel threats, the modern threat landscape evolves so frenetically that endpoints may be impacted or drop out of compliance. What then?

Once again, Jamf endpoint security solutions – with their multiple layers of protection – facilitate powerful remediation workflows to correct deviations from your OS hardening configurations, quickly bringing endpoints back into compliance.

Jamf solutions flexibly provision manual and automated incident response workflows, such as:

  • In-depth visibility into all macOS security tooling activity and system processes
  • Eradicating malicious, unwanted and potentially risky files, apps and downloads
  • Isolating devices found to be out of compliance or that pose a risk to data security
  • Aligning with CIS Benchmarks to develop, enforce and monitor secure device baselines

Multiple layers of security – one solution

Look at the fingers on your hand. They work independently to accomplish certain tasks, yet work in tandem when needed to perform larger-scale functions, do they not? A single, yet powerful security solution similarly relies on many individual layers that – while capable of performing independently in their own right – also work together to form a holistic, multithreaded net to monitor, detect, prevent and remediate against attacks from bad actors and the various security threats they employ to target your device, users and critical data.

Defense-in-depth

“…loved by good, feared by evil.” – Voltron

In the show by the same name as the quote above, the first season saw a team of five pilots, each of whom commands a robot lion with unique strengths and abilities. In their quest to maintain peace and protect Earth from evil, the team of five would combine to form a larger, more powerful robot named Voltron, Defender of the Universe, to further aid them with their task.

Though it was a beloved cartoon from 1984, the premise of Voltron shares much with the strategy of defense-in-depth (DiD) to best secure assets, users and resources across the modern threat landscape. Specifically, the belief that a singular, “one size fits all” application will holistically keep organizations protected is a myth at best – and one that often leads to data breaches at worst.

The premise of DiD is simple, yet both efficient and effective. Layer security protections, just like the layers of a cake, so that they overlap their strengths while minimizing weaknesses, in the service of identifying, stopping and, if it comes to it, remediating a variety of security challenges that threaten the integrity of your endpoints, the safety of your users and the confidentiality of your data.

Simply put: should one layer fail, the next one exists to intercept it.

Integration

Jamf’s endpoint protection solutions, much like all of our solutions, are designed to work alongside numerous first- and third-party solutions to extend capabilities and establish feature-rich workflows while ensuring data flows securely between solutions.

For example, Jamf Pro, our flagship mobile device management solution, is known for its seamless deployment and management capability. However, when integrated with Jamf Protect, not only is deploying endpoint security to your macOS devices possible with just a couple of clicks but secure endpoint health data is shared in real-time between both solutions.

What does this mean for your organization? We’ll tell you. Event information relating to incidents, such as phishing attacks and other network-based threats, is automatically synced to inform the risk status of any individual device. This connection between management and security is critical to taking real-time action to protect your environment.

For example, organizations can leverage Smart Groups in Jamf Pro to dynamically update and respond when a device’s risk status changes in Jamf Protect. This trigger can automatically update a user’s access permissions via Jamf Pro’s conditional access integrations with Microsoft or Google’s solutions.

Another example leverages the advanced reporting options found in Jamf endpoint security solutions to stream rich telemetry data to your preferred SIEM solution, like Azure Sentinel or Splunk, providing MacAdmins a single pane of glass view into the health of their Apple endpoints while further extending the capability to transform data using visualizations for added depth and granularity.

Purpose-built for Apple

Jamf’s purpose-built, Apple-first endpoint security solutions offer IT and Security teams several benefits that firmly establish its solutions as best-of-breed, for example:

  • Same-day support allows users to adopt the latest Apple releases as soon as they’re available – upgrade on your schedule, not ours
  • Leverage Apple’s Endpoint Security API to embrace the latest security capabilities available within macOS
  • Low performance impact means battery life isn’t affected, machines won’t slow down and protection doesn’t get in the way of user productivity

Speaking of user productivity, being Apple-first (but not Apple-only) means Jamf designs and optimizes each of our endpoint security solutions to take advantage of the OS on which it operates, so that protecting your devices does not come at the expense of user experience nor compromise the user’s privacy.

Key takeaways

  • Protect endpoints from new and existing, known and unknown threats, risky apps and suspicious behaviors
  • Purpose-built for Apple to address the challenges of the modern threat landscape across macOS and iOS-based devices, but also designed and optimized for Android and Windows mobile devices
  • Stops threats that occur on-device, like malware, while also preventing in-network attacks, like zero-day phishing and lateral movement
  • Supported by the Jamf Threat Labs team of cybersecurity experts and data scientists to research, identify and prevent novel threats
  • Advanced threat intelligence engine and machine learning (ML) aids in threat hunting to identify potential attacks before they can happen
  • Behavioral analytics mapped to MITRE ATT&CK Framework for powerful, customizable prevention of threats, tailored to the unique needs of your organization
  • Automated incident response and remediation workflows eradicate malicious, risky and unwanted files while isolating devices that pose a risk to data security
  • Develop, enforce and monitor secure device baselines aligned with CIS Benchmarks to drive compliance and aid in auditing compliance tasks
  • Defense-in-depth strategy layers multiple protections to monitor, identify, prevent and remediate a variety of security challenges – should one layer fail, the next one intercepts it
  • Extend services, features and capabilities by leveraging the Jamf Risk API, securely sharing pertinent device health data with first- and third-party solutions

Do you Trust Jamf to help you manage your Apple fleet effectively and efficiently?

Then you’ll Love the way Jamf endpoint protections keep your endpoints, users and data safe and secure!

Rapid security response

The new macOS Ventura introduced Rapid Security Response as a method to keep devices patched—even without the latest OS.

What is Rapid Security Response?

Rapid Security Response aims to keep your devices more secure by providing software patches between standard OS updates. If enabled, these responses can happen automatically without requiring permission from the user, though responses that involve the operating system do require a system restart and those relevant to Safari require the user to quit the application.

For personal devices, rapid security response can be enabled in System Settings > General > Automatic Updates. Users can remove responses if desired.

So how will Rapid Security Response work for supervised devices? There are a number of ways mobile device management (MDM) solutions can modify settings related to rapid security response:

  • The allowRapidSecurityResponseRemoval restriction key can block user removal of responses.
  • Setting CriticalUpdateInstall to true enables rapid security response in macOS.
  • Device Info and AvailableOSUpdate queries report the status of Rapid Security Response to your MDM.
  • The allowRapidSecurityResponseInstallation restriction key allows admins to disable Rapid Security Response, which is enabled by default.
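As an added example (not Apple’s or Jamf’s code), the script below audits a configuration profile for the three keys listed above against a baseline in which responses install automatically and users cannot remove them. The profile is constructed for illustration and omits the usual PayloadUUID and PayloadVersion keys; it assumes the Restrictions keys live in the com.apple.applicationaccess payload and CriticalUpdateInstall in the com.apple.SoftwareUpdate payload.

```python
import plistlib

# Constructed example profile (not an Apple or Jamf artifact): a Restrictions payload
# and a Software Update payload carrying the keys the post names. The removal key is
# deliberately left permissive so the audit has something to flag.
EXAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.rsr-baseline</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowRapidSecurityResponseInstallation</key><true/>
      <key>allowRapidSecurityResponseRemoval</key><true/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.SoftwareUpdate</string>
      <key>CriticalUpdateInstall</key><true/>
    </dict>
  </array>
</dict>
</plist>
"""

# Desired baseline: responses install automatically and users cannot roll them back.
BASELINE = {
    "com.apple.applicationaccess": {
        "allowRapidSecurityResponseInstallation": True,
        "allowRapidSecurityResponseRemoval": False,
    },
    "com.apple.SoftwareUpdate": {"CriticalUpdateInstall": True},
}


def audit_profile(profile_bytes, baseline=BASELINE):
    """Return a list of (payload_type, key, found, expected) deviations.

    A missing key is a deviation too: an unset restriction leaves the device at its
    default, which for removal means users may delete an installed response.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    deviations = []
    for ptype, wanted in baseline.items():
        payload = payloads.get(ptype, {})
        for key, expected in wanted.items():
            found = payload.get(key)
            if found != expected:
                deviations.append((ptype, key, found, expected))
    return deviations


if __name__ == "__main__":
    for ptype, key, found, expected in audit_profile(EXAMPLE_PROFILE):
        print(f"{ptype}: {key} is {found!r}, baseline requires {expected!r}")
```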

Why are responses important?

A major update to a device’s OS can be disruptive to a user’s experience, leading to update delays. Responses occur between major updates and are based on the device’s minor OS version. These responses provide necessary patches to keep devices up to date and protected from security threats.

Keeping your devices updated with the latest patches is one of the most cost-effective ways to protect your devices. Rapid Security Response makes this simpler and less disruptive for both users and admins, making it easier to ensure vulnerabilities are patched and devices are secured.

Automate your security updates with Jamf Pro.