Portnox and Jamf: Working together against BYOD anarchy


Month: January 2023

Author: January 19, 2023 by Kate Assaf

Source: https://www.jamf.com/blog/jamf-portnox-nac-integration/

The coming BYOD storm

I remember it like it was yesterday — June 30th, 2007, I trotted into work proudly holding the very first iPhone (4GB!). I was the first person in my small company to get one, having waited in line for six hours the previous day in the hot Texas sun at my local AT&T store. I predicted the line would be shorter there because it was outside, versus the Apple Store which was in the mall — because after all, who would be crazy enough to willingly sit in the Texas sun? I was right, but man…it was hot. After showing it off to my co-workers, I went to our two-person IT department and asked them to give me the Wi-Fi password. They said no. I asked if they would just type it in for me, and reluctantly they took my phone and entered it in.

Android was released later that year, and as smartphones became ubiquitous, that two-person IT department was quickly overwhelmed and put their collective foot down — no more coming to them for Wi-Fi access. No new smartphones on the corporate network. Unfortunately for them, one of the existing smartphone users was able to decrypt the password and handed it out freely — and then it was network anarchy. Phones, personal laptops — one support rep even brought in a PlayStation 3.

If only MDM had existed…

BYOD (Bring Your Own Device) has come a long, long way since then, and now users have the expectation that they will be able to join the Wi-Fi network at work, even if it’s just a guest network. More and more, people have come to rely on their corporate network connections on their smartphones and tablets. As illustrated above, users are persistent: if you give out a blanket “no” it becomes their mission to find a workaround. My guess is that you probably have better things to do than track down rogue devices all day.

The explosion in remote work further complicates the matter. Companies are incentivized to let staff access network resources from anywhere on just about anything. It just makes operational sense. So a much better, less stressful strategy is to implement a BYOD policy that gives you some control over the devices people are using to get on the network while still letting the user choose what devices to use.

Enter MDM, or Mobile Device Management — something I’m sure our beleaguered two-person IT team would have welcomed all those years ago. MDM makes corralling all those BYOD devices (tablets, phones, laptops, etc.) and safely allowing them onto the network a breeze.

Some key features of a good MDM include:

  • Ensuring devices are configured to adhere to a standard set of supported applications, functions, and/or policies
  • Maintaining a minimum OS version
  • Location tracking
  • Remote troubleshooting

Apple, Jamf and Portnox: covering all the bases

As the gold standard for managing Apple devices, Jamf goes beyond your standard MDM. The Jamf platform offers solutions including:

  • Zero-touch deployment
  • Customized App Store
  • Behavior detection
  • Threat hunting
  • Same-day Apple OS support for every macOS, iOS, iPadOS and tvOS release

Jamf has dedicated solutions for every need – business, education, healthcare and more. Whether you have a few iPhones or an army of iUsers, Jamf has a solution that can help you keep your mobile users happy and your network safe. And not to brag, but we think one of the best things about Jamf is that it seamlessly integrates with Portnox’s cloud-native zero trust access control platform to bring your network security to a whole new level.

If you’re using certificate-based authentication (and you should be) you can use Jamf to deploy your certificate to all your devices, which makes certificate enrollment approximately 10,000% easier (that’s an exact figure.) You can also use Jamf to deploy AgentP, which extends your Portnox NAC-as-a-Service capabilities to enable risk posture assessment of all connected Apple devices, as well as automated remediation of any Apple devices that fall out of compliance.

Anarchy, controlled

The multitude of devices that exist to connect to a network can overwhelm even the most stalwart IT team. Combining Jamf and Portnox NAC-as-a-Service keeps everyone happy — and most importantly, your network safe and secure.

Learn more about the power of Portnox and Jamf!


Zero Trust Network Architecture best practices


Author: January 23, 2023 by Hannah Hamilton

Source: https://www.jamf.com/blog/discover-ztna-best-practises-from-scratch/

The evolving and complex landscape of cybersecurity demands that we never trust, always verify when it comes to guarding our company resources. Zero Trust Network Access (ZTNA) keeps your data under lock and key by granting approved users and devices access to resources they need—not your entire network.

A central pillar of ZTNA is the principle of least privilege. Users should only be able to access exactly what they need, nothing more. To achieve this, user identity needs to be established and resources need to be carefully provisioned. Beyond this, ZTNA has specific demands about the identity and authorization users and devices have when trying to access company resources.

With ZTNA architecture, device and user identity is rigorously verified—users must provide successful credentials to their cloud identity provider while devices must be associated with the user and enrolled in your device management solution. Devices also must be up to date and in compliance with your security policies.
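The two paragraphs above describe the checks a ZTNA broker makes before granting access: identity verified by the cloud identity provider, device enrolled and associated with that user, device up to date and compliant, and the grant scoped to one resource rather than the network. The following is an added illustration, not code from the original post or from Jamf; the data model (fields such as `enrolled`, `compliant`, `os_version`) and the grant table are assumptions chosen to make the decision logic concrete. Every failed check is recorded rather than short-circuiting, so the result can double as an audit-log line.

```python
"""Minimal ZTNA-style access decision.

Added example (not Jamf's code). The Device/Session fields and the GRANTS
table are assumptions; a real broker would pull them from the identity
provider and the MDM's inventory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str            # user the device is associated with in MDM
    enrolled: bool        # enrolled in the device management solution
    os_version: tuple     # e.g. (13, 2); compared as a tuple
    compliant: bool       # currently passes the security policies


@dataclass(frozen=True)
class Session:
    user: str
    idp_verified: bool    # authenticated to the cloud identity provider
    device: Device


# Least privilege: each user gets exactly the resources they need.
# Constructed sample grants (assumption).
GRANTS = {
    "alice": {"payroll-db"},
    "bob": {"wiki"},
}

# Minimum supported OS (constructed value for the example).
MIN_OS = (13, 0)


def evaluate(session, resource, grants=GRANTS, min_os=MIN_OS):
    """Return (allowed, reasons).

    allowed is True only when every check passes; reasons lists every
    failed check so the denial can be logged and explained.
    """
    reasons = []
    dev = session.device

    # 1. User identity: credentials accepted by the identity provider.
    if not session.idp_verified:
        reasons.append("user not verified by identity provider")

    # 2. Device identity: enrolled in management and tied to this user.
    if not dev.enrolled:
        reasons.append("device not enrolled in MDM")
    if dev.owner != session.user:
        reasons.append("device not associated with user")

    # 3. Device posture: up to date and compliant with policy.
    if dev.os_version < min_os:
        reasons.append("device OS below minimum version")
    if not dev.compliant:
        reasons.append("device out of compliance")

    # 4. Authorization: the grant covers this resource, not the network.
    if resource not in grants.get(session.user, set()):
        reasons.append(f"user has no grant for {resource}")

    return (not reasons, reasons)


if __name__ == "__main__":
    good = Device("mac-1", "alice", True, (13, 2), True)
    stale = Device("mac-2", "bob", True, (12, 6), False)
    for sess, res in [
        (Session("alice", True, good), "payroll-db"),  # allowed
        (Session("alice", True, good), "wiki"),        # no grant
        (Session("bob", True, good), "wiki"),          # wrong device owner
        (Session("bob", False, stale), "wiki"),        # several failures
    ]:
        allowed, why = evaluate(sess, res)
        print(sess.user, res, "ALLOW" if allowed else "DENY", why)
```

Note that a compliant, enrolled device used by someone other than its registered owner is still denied: the device-to-user association is a separate check from device posture, which is what keeps a shared or borrowed device from inheriting another user's access.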

Implementing ZTNA can be complicated—Jamf can help. Stay tuned for our e-book about ZTNA best practices.

We’re here to help you get started with ZTNA.


Top security priorities: end-user security awareness


Author: January 17, 2023 by Hannah Hamilton

Source: https://www.jamf.com/blog/migrating-to-jamf-cloud-the-not-so-scary-reality/

In the summer of 2022, bad actors launched a sophisticated smishing campaign against Twilio, a communications platform. This campaign targeted former and current employees by mimicking messages sent by identity provider Okta with links to update passwords or complete other familiar actions. The threat actors were even able to match employee names with their phone numbers.

Indeed, even with strong security measures, your organization isn’t immune to phishing attacks like this one. Phishing is the most common attack vector, with 41% of attacks recorded by IBM in 2021 resulting from phishing. And the number of attacks keeps increasing: APWG recorded almost 1.1 million attempts in the second quarter of 2022 alone.

It makes sense after all—social engineering attacks like phishing don’t necessarily require complex technical knowledge like this attack did. As an IT professional, you know this. But do your end users?

Developing a strategy to improve user awareness

Let’s talk strategy. Bad actors are getting more clever, and new ways of gaining access to your organization are developed daily, which is why it’s critical to develop a holistic strategy to defend users from social engineering attacks.

Hiring and onboarding

This strategy starts at the very beginning of an employee’s tenure at your company. When hiring a candidate, it could be beneficial to look beyond a standard background check and do a social media analysis to check that the prospective employee has values that align with the company.

Upon hiring, it’s important to deliver your organization’s technology-related expectations during the onboarding process. This includes the organization’s policies and attitudes around IT security and personnel management. These policies could regard:

  • Standard operating procedures: What are your organization’s best practices for IT? This can include how to file an IT ticket, how to log in to their accounts, how to handle lost or stolen equipment and more. Employees should be informed of acceptable use policies (AUPs) and general security policies—for example, what company information employees should avoid sending in an email or on social media. They should also be told how AUPs will be enforced, and their acknowledgement of the policies should be recorded with a signature.
  • Job rotation: While not necessarily applicable to all organizations, it can be helpful in some to switch people to different positions periodically. This helps organizations ensure all staff know how to perform multiple roles and prevents people from getting so comfortable in their role that they perform actions beyond their authorization level. This can also make it easier to detect suspicious activities and mitigate collusion.
  • Separation of duties: Separating duties by role ensures that no single individual can perform all of the critical actions that could damage a system. For example, perhaps a developer cannot send their own changes to production, but instead has to submit them for review. Similarly, there are some responsibilities where multi-person controls can be implemented, such as requiring two signatures on a large check before it can be deposited.

Understanding user behavior

Part of informing users effectively is understanding their habits and behaviors. After all, this understanding is what fuels successful phishing attacks.

  • Passwords: Passwords should be complex and not include common words or names of the user. They should never be shared or written down, and should be changed often. Ideally, a password policy should be established to enforce these rules.
  • Social engineering attacks: Users should be well informed about the concept and methods of social engineering. They should know about the risks of tailgaters, unauthorized hardware in the building, common phishing and smishing tactics and more.
  • Personal devices: Users should understand the risk of using personally-owned devices at work. Security risks can be mitigated here by using mobile device management and forcing users to enroll their devices to access company resources. (Check out the first post in this series for more information about BYOD programs).

Training end users

Training during onboarding is important, but onboarding can be an overwhelming time for new employees. It’s likely that some information will fall through the cracks as they learn about their new company and responsibilities. That’s why training should be ongoing throughout the employee’s tenure.

Training should cover IT policies, including those mentioned in onboarding, and address how user habits can impact cybersecurity. It should also be periodic and relevant to each user’s role. For example, a standard user should understand how to use their device and how to recognize common issues like malware. A privileged user with elevated permission should receive more in-depth training.

Most of us have sat through long, tedious training, whether cybersecurity related or not. How much information do we all gain from these trainings? Successful training programs need to be informative while being entertaining. Here are a few training techniques to consider:

  • Phishing campaigns: Phishing campaigns send simulated phishing emails to employees. This helps your organization by seeing which employees click on the links and need additional training.
  • Capture the flag: More for security personnel, this technique challenges employees to apply their security skills to perform attacks. This can help new employees spot attacks and know how to prevent them.
  • Gamification: Just like it sounds, this technique strives to make training fun by turning it into a game. It could include competing with other users or playing a mini-game on the training platform.

Offboarding

Lastly, you should establish an offboarding policy that sets everyone up for success. It’s critical to receive all company equipment back, including computers, phones, ID cards and any other issued items. The employee’s account should be disabled to ensure they don’t have access to any internal systems or applications. Ideally, there aren’t any systems or accounts that rely on credentials known by the exiting employee; if this happens to be the case, ensure that this information is given to current staff and credentials are changed.

An ounce of prevention…

Increasing user awareness of cybersecurity risks is critical for enhancing your organization’s security posture. But on its own, it isn’t enough. Reinforce your security by making user mistakes less costly or harder to make. For example:

  • Enforce password policies for complex passwords that frequently change
  • Use SSO and identity providers to reduce the need to remember multiple passwords
  • Create a BYOD program to prevent granting users uncontrolled access to company resources
  • Zero Trust Network Access (ZTNA) seamlessly gives employees access to the tools they need, wherever they need it, while strictly verifying the user’s identity

Key takeaways

  • Your organization’s security is dependent on your employees, so it’s crucial to start security training at onboarding and continue it throughout their tenure.
  • Understanding and responding to user behavior aids in developing successful training programs.
  • Training programs should be engaging and informative to be effective.
  • Using ZTNA network architecture, SSO with cloud identity providers and mobile device management mitigates risks despite user intervention.

Jamf Pro protects your users and company data.


Jamf releases Jamf Pro 10.43


A new version of Jamf Pro is now available. Highlights of this release include:

Conditional Access Registration Improvements

The process for registering computers with Microsoft Intune has been improved in the following ways:

  • The process name of the agent on client computers with Conditional Access has been renamed from “JamfAAD” to “Jamf Conditional Access”. This change helps promote familiarity and confidence for end users when their computers prompt them to sign in with their Microsoft Azure account credentials.
  • When configured to use WKWebView, Jamf Conditional Access no longer displays the sign-in window on top of the information window, creating a clearer experience for end users.
  • When configured to use the WebAuth view, Jamf Conditional Access now includes instructions for end users to click OK on the browser’s Select a Certificate prompt.

Device Compliance Enhancements

The Jamf Pro Device Compliance integration with Microsoft Intune now includes the following enhancements:

  • Both macOS and iOS devices are now available from a single Settings pane and offer the same functionality.
  • The latest Microsoft Partner Compliance Management API is used to communicate compliance.
  • Compliance calculations only happen in Jamf Pro.
  • The Device Compliance integration is less likely to go through the re-integration flow when editing and saving.

Retrieve FileVault Information via the Jamf Pro API

You can now retrieve FileVault information for computers using two new endpoints via the Jamf Pro API. This improvement allows the endpoint to return the same FileVault information that is available in the Jamf Pro user interface.

For additional information on what’s included in this release, review the release notes here.

Ready to manage your Apple Devices with Jamf Pro?


What is Apple Business Manager?


Author: January 23, 2023 by Jonathan Locast

Source: https://www.jamf.com/blog/what-is-apple-business-manager/


Whether you are an IT professional or maintain your office’s technology, you know that the ability to enroll devices and purchase applications in volume can feel like a life saver.

Apple Business Manager, combined with Mobile Device Management (MDM), allows IT to manage content, devices and roles from one portal. IT teams and businesses can automate their device deployment, app deployment and purchasing, and content management and deployment.

Apple Business Manager combines what were formerly known as Apple’s Volume Purchasing Program (VPP) and its Automated Device Enrollment program into one consolidated service. This allows you to automatically deploy Mac, iPad, iPhone and Apple TV devices directly to users — configured with settings, security controls, apps and books.

Automated device enrollment, volume purchasing, and Apple Business Manager in a nutshell

  • Automated device enrollment: automates Mobile Device Management (MDM) enrollment and simplifies initial device setup. You can supervise devices during activation without touching them, and start MDM enrollment for ongoing management.
  • Volume purchasing: allows you to buy content in volume and configure automated device enrollment in your mobile device management (MDM) solution.
  • Apple Business Manager: incorporates both of these former programs together and also allows you to create Managed Apple IDs, a special account type that allows you to share your Apple Business Manager account with others in your organization — eliminating dependence on personal Apple IDs for work purposes.

How do I upgrade to Apple Business Manager?

You have a few options as you consider how to approach Apple Business Manager. First, if your organization is already enrolled in Apple’s deployment programs (formerly called VPP and DEP), you are able to use your existing tokens until they expire.

Apple has made it clear that Apple Business Manager is the best platform for businesses using their products going forward. The migration to Apple Business Manager is free, fast and easy. Once complete, your new Apple Business Manager account will show your server tokens and other associated content. Begin your upgrade now.

Note: Once you make the upgrade to Apple Business Manager, you will no longer have access to the Apple deployment program website.

How do I get started with Apple Business Manager?

If you are starting from scratch, enrolling into Apple Business Manager is relatively quick and easy. Any business is eligible to enroll in Apple Business Manager at business.apple.com.

To get started, you will need to complete the online enrollment process by providing information including name, phone number and a valid D-U-N-S number for your company.

How do I connect Apple Business Manager to Jamf?

Once you are a part of the program and have downloaded your Apple Business Manager tokens, you are able to upload these tokens into your Jamf Pro or Jamf Now account by following the onscreen instructions.

Help your employees perform at their best. Fast.

The ability to enroll devices and manage the content that you have bought in volume from one portal gets employees up and running faster and saves IT time.

For the full trifecta — faster and better service in less time, a great user experience and a more secure network — consider one of our plans for business.


Migrating to Jamf Cloud – the not-so-scary reality


Author: January 17, 2023 by Hannah Hamilton

Source: https://www.jamf.com/blog/migrating-to-jamf-cloud-the-not-so-scary-reality/

Should I migrate to Jamf Cloud?

Jamf Cloud offers you a sustainable and scalable implementation of Jamf Pro and your integrations. Gone are the long, after-hours workdays to upgrade or maintain your servers. Jamf maintains the security, stability and availability of the servers for you so you can focus on other priorities, whether it’s enjoying more free time with family and friends or spending your time at work enhancing your end users’ experience.

You also gain these features by moving to the Jamf Cloud:

As great as getting more features and server maintenance off your plate is, migrating to the cloud isn’t always the best option for your implementation. For instance, if you cannot afford a loss of direct access to your database in your custom setup or you require a FedRAMP accreditation, it might not be the time for migration—your Jamf representative is here to help.

But for many Jamf Pro instances, migration can be a simple process with the adequate preparation. Let’s take a look at what this looks like.

The journey to migration

There are three options for migration: standard, custom DNS and fresh start. A standard migration clones your current instance to the cloud and changes the URL of your instance, requiring all devices to re-enroll. The most popular option, custom DNS, allows you to redirect your Jamf URL behind the scenes without having to re-enroll your devices. This option requires you to have access to your DNS source. In some instances, a fresh start is the best option. This option has no prerequisites and involves no database migration; all devices are re-enrolled.

If you’re ready to take flight, migration happens in four stages.

Onboarding

In this stage, you’ll correspond with Jamf’s Services Program Manager to communicate your migration deadline and schedule a pre-migration call.

Pre-migration call

A Migration Specialist will work with you to understand your Jamf Pro environment and determine the next steps. You’ll likely discuss your current integrations with directory services, workflows, enrolled devices and migration options, your desired URL and more.

Migration scheduling

Next, you’ll talk with a Jamf Services Program Manager to schedule a remote session.

Migration

During your previously scheduled remote session, a Migration Specialist will complete your migration into Jamf Cloud! This session includes, among other aspects, coordination of database transfer and import, instance activation and configuration, verification of device enrollment and software distribution, and consultation on how to reconnect LDAP and SMTP integrations.

The next steps

Still not sure? Check out our list of considerations to see the technical aspects that affect your migration or one of our videos on the cloud:

Our specialists are experts on the migration process, and are ready to help you with your environment’s unique demands and configurations.

Ready to move to cloud?


What is Apple School Manager?


Find out what Apple School Manager does and how it can help schools to simplify device management workflows.

If you’ve worked to set up a device fleet for a school or educational institution, you likely know what a headache it can be to enroll new devices and purchase apps and books in volume. With Apple School Manager, you can take advantage of a tool that radically simplifies these processes and works well alongside your mobile device management (MDM) solution. But do you understand what exactly Apple School Manager is and what all you can use it for?

What is the origin of Apple School Manager?

IT admins in education used to have recourse to Apple’s Device Enrollment Program (DEP) and Volume Purchasing Program (VPP) for the purposes of enrolling and provisioning devices. Apple eventually consolidated the functionality of DEP and VPP, along with other classroom management tools such as the Classroom app, into a single portal known as Apple School Manager. Admins can use this web-based portal as a unified hub in which to oversee users, devices and content. In addition to MDM, Apple School Manager is designed to integrate with a school’s student information system (SIS).

For business organizations, Apple Business Manager comes from the same roots and offers similar functionality:

What can you do with Apple School Manager?

One of the key functions of Apple School Manager is the ability to generate Managed Apple IDs, a unique type of Apple ID for members of an organization – in the educational context, this means students, teachers and staff. These do not require parental permission, and admins can create them in the Apple School Manager portal and dynamically update user information. Managed Apple IDs can sync with Classroom data as well as the school’s SIS, so they can be used to organize classes.

Apple School Manager allows for the use of the Shared iPad feature, which offers students a personalized learning experience and extends the value of each purchased iPad. Each student assigned to a given iPad signs in with their Managed Apple ID and resumes working where they left off, with all their apps and content ready to use. When they sign out and another user takes control of the shared device, all their work remains intact for their next session.

Educators can also use Apple School Manager to tap into Apple’s Classroom app and direct students to the desired learning resource or website, share work to an Apple TV and perform basic management functions such as resetting device passcodes.

And of course, Apple School Manager works for enrolling devices and purchasing apps and books in volume, but by itself it doesn’t provide the opportunity for remote management of devices. In combination with an MDM solution, however, it can use automation to radically simplify workflows and allow admins to perform effective zero-touch deployments of new devices.

Why use Apple School Manager with MDM?

Apple School Manager and MDM are a match made in heaven. When admins purchase devices through an authorized Apple channel, their macOS, iOS and iPadOS devices are automatically enrolled in Apple School Manager. They can then set it to automatically enroll devices into their MDM solution, providing remote management capabilities over all school-owned assets. In addition to the automatic, zero-touch device enrollment, using Apple School Manager prevents the MDM from being removed by an end user, which contributes an additional layer of security.

The process for all this is simple:

  1. Sign up online for Apple School Manager and add your MDM server to the portal.
  2. Purchase devices and link them to your account. You can ship them directly to end users for zero-touch enrollment.
  3. When the user turns on the device for the first time, enrollment proceeds automatically with no further intervention from IT required.
  4. The device receives the desired configurations and apps, and the device is now managed and configured without IT’s touch.

When paired with an MDM solution like Jamf Pro or Jamf School, Apple School Manager offers a seamless experience for IT while preserving the Apple experience that end users expect. It also helps to ensure that education institutions maintain a robust security posture.



Jamf School or Jamf Pro: which is right for you?


Not all schools or educators have the same technical needs. That’s why we offer two solutions to manage Apple education technology: Jamf Pro and Jamf School. Which is right for your school?

Jamf, the standard for Apple device management and security, knows education. We know educators. And we know that not all schools or educators have the same needs.

That’s why we offer two ways for schools to manage their Apple devices: Jamf School and Jamf Pro.

Some schools or districts need a simple, intuitive web-based interface that simplifies device management: deploying, conducting inventory and securing Apple devices.

Some IT departments manage multiple schools and districts or a very large or complex grouping of devices and need more robust and in-depth, more granular management tools.

Both Jamf School and Jamf Pro offer tools specific to teachers, schools, and students. Both offer zero-touch deployment. Both integrate seamlessly with Apple Classroom, endpoint security and content filtering. Both will always support Apple releases and features on day one.

So how do you decide which is right for your school?

Who needs Jamf School?

Jamf School is a purpose-built educational tool known for its simple, fast setup and teacher-specific workflows as well as its teacher, parent and student apps.

Jamf School is best for schools with one IT professional or in which computers are managed by teachers and administrators rather than a full IT department.

Jamf School Apps:

Jamf School Teacher
Combined with Apple Classroom, the Jamf School Teacher app empowers teachers to restrict websites, apps and cameras. Teachers can also communicate directly with students and distribute lessons through their devices.

Jamf School Parent
Parents can restrict device use for specific times throughout the day with Jamf School Parent, as well as receive a notification when a child gets to school or arrives at home.

Jamf School Student
This app empowers students to set up their own devices, communicate with teachers and store documents.

Jamf Assessment
The Jamf Assessment app provides schools with a simple method to administer remote proctoring for high-stakes exams.

Jamf School also offers:

  • Drag-and-drop classroom management
  • All device information on one dashboard
  • Automatic student access to subject-specific materials
  • Damaged device tracking

Who needs Jamf Pro?

Jamf Pro is the market leader for schools. It’s known for its ability to scale, robust Mac management capabilities and customization, and unmatched customer support.

If you’re an IT manager, administrator or director: Jamf Pro is ideal for you. Jamf Pro can easily handle multiple schools or an entire district. It’s also a good idea to use Jamf Pro if you have multiple administrators who want to customize workflows or packages.

Jamf Pro offers:

  • Unmanaged Mac identification to quickly scan the network, identify any unmanaged Macs and enroll them into management.
  • More detailed device management that goes beyond basic configuration to truly customize devices, including account permissions, custom scripts and full Apple TV support.
  • App management and self-service with in-house or outside apps, allowing for a custom app catalog for on-demand user access.
  • Security with secure VPN configurations, granular management privileges and automatic patch management functionality.
  • Support that is truly robust; available via chat, email or phone during business hours, with Premium Support also available for round-the-clock support.

Let’s study them side-by-side:

Feature | Description | Jamf Pro | Jamf School
In the classroom | Offers specific teacher workflows and classroom management tools. | Yes | Yes
Releases | Immediate Apple release support. | Yes | Yes
Apple Classroom | Seamless integration with and enhancement of Apple Classroom. | Yes | Yes
Deployments | Zero-touch Apple device deployment. | Yes | Yes
Hands-on tech support | Support through chat, phone or email with the ability to buy premium round-the-clock support. | Yes | No
Digital tech support | Support via chat and email with the ability to buy higher levels of assistance. | No | Yes
Built for IT | Best for an IT administrator or team: some tech skills are required. | Yes | No
Built for teachers and administrators | Best for teachers and administrators: advanced or dedicated tech skills are not required. | No | Yes
Best for complex environments | Handles a complex environment with an IT department. | Yes | No
Best for simple environments | Made for simpler requirements and no IT department. | No | Yes
Customizations | Your school is unique, and your Mac management can be, too: customizations are available. | Yes | No
Out-of-the-box ready | Just plug in and go! | No | Yes
Jamf Teacher app | For teachers who manage student devices in the classroom. | No | Yes
Jamf Student app | Student access to assigned apps, profiles, and documents. | Yes | Yes
Jamf Parent app | Parent-controlled management of school-issued devices. | Yes | Yes
Jamf Safe Internet | Comprehensive content filtering optimized for education. | Yes | Yes

Package plans for K-12 education

Jamf offers combination plans for education, including:

  • Jamf Education Enhanced: Simple management and security: Jamf School (MDM), Jamf Safe Internet (threat prevention and content filtering). Includes enhanced support.
  • Jamf Education Ultimate: Complete package: Jamf School, Jamf Safe Internet, Jamf Protect (Mac endpoint protection), Jamf Connect (identity and authentication management). Enhanced support.

Jamf also offers education pricing for Jamf Pro, and of course any organization or school can take advantage of our Business plan.

Still can’t decide?

Take each for a free test drive! It’s hard to go wrong — regardless of the chosen tool, 96% of Jamf customers renew their contracts every year.

Let us help you get the most out of your Apple devices, and help your students get the most out of their educations.


Top security priorities: upgrading IT and data security


Author: January 12, 2023 by Hannah Hamilton

Source: https://www.jamf.com/blog/upgrade-your-data-security/

Dealing with cybersecurity threats can feel like navigating the wild west. Knowing how to arm your IT and security teams with the right personnel, policies and tools can be an overwhelming burden. In our series of five blogs, we’ll walk through some top security priorities for your organization to consider, starting with upgrading your IT and data security.

Protecting your organization’s data isn’t a one-size-fits-all task. Your IT and security teams’ size and budgets affect which practices and tools can be successfully implemented. Let’s walk through a few you can add to your arsenal that can make a big impact.

Artificial intelligence and machine learning

If you’re on social media, you’ve likely caught wind of the fear AI art and AI chatbots have given people. While the results of these AI tools are interesting, they also raise questions about how AI will influence the value of human creativity in the future. One thing is for certain: AI is here and here to stay.

Thankfully, AI doesn’t have to cause career-related existential crises. Using machine learning, AI enhances your cybersecurity posture by digesting enormous datasets and log files, predicting how bad actors will structure future threats and proactively defending your systems beyond the capabilities of human staff. And AI’s ability to speedily handle and analyze large datasets means it’s an excellent tool for anomaly detection and threat hunting, even beyond the abilities of seasoned security professionals. This means IT and security staff can spend their valuable time on other priorities—a relief, especially for small teams.

How can security teams leverage AI and machine learning?

According to a 2022 IBM study on AI and automation for cybersecurity, AI adopters gain the most benefit in these areas:

  • Triage of Tier 1 threats
  • Detection of zero-day attacks and threats
  • Prediction of future threats
  • Reduction of false positives and noise
  • Correlation of user behavior with threat indicators

In other words, integrating tools that use AI into your cybersecurity workflow, such as SIEM software or endpoint protection, not only helps with active threat detection but also helps prevent threats that have yet to be developed from exploiting your systems. Not to mention that AI and automation can save your organization money and time: companies with a fully deployed program identify and contain data breaches 28 days faster than those without one.

Mobile device management (and beyond)

The AICPA, the governing body for industry-standard SOC security audits, published a cybersecurity checklist in 2022 that includes these security recommendations:

  • Set computers to automatically update the operating system and key applications
  • Use enhanced password controls and enforce password policies
  • Ensure only trusted, validated users and equipment can connect to IT resources
  • Document all firm-owned equipment

What all of these have in common is that they can be achieved using mobile device management (MDM) or enterprise mobility management (EMM) tools. Unified endpoint management (UEM) combines the two in a solution that can secure and control the IT environment and endpoints while keeping company and personal data under lock and key.

What does this mean for IT and security teams?

Device management allows IT to:

  • Push operating system updates and important patches to keep devices in compliance and up to date
  • Enforce password policies, including complexity and expiration
  • Limit access to company data by restricting app usage to approved apps
  • Strictly confirm user identity with zero trust when accessing company resources (more on access control later in this blog series)
  • Keep data-rich inventory of devices used by employees, including BYOD
  • And more!

Management tools give IT personnel transparency into their device fleet so they don’t have to remain in the dark about the security of their devices. Device management solutions can also streamline the onboarding process by allowing for zero-touch implementation—a convenient feature especially with a work-from-home workforce.

Data privacy

Ultimately, using AI for threat prevention and device management for endpoint protection and management helps achieve the goal of data privacy. But these tools alone can’t promise your company data stays away from prying eyes. How your data is stored is important as well: do you have on-premises or cloud servers? Or perhaps a combination of both? Are company devices encrypted? What happens if your data is breached? Do you have backups to restore to during the recovery process? How can we preserve the confidentiality, integrity and availability of our data?

Activity monitoring: AI comes in handy here again as it processes information about who accesses data, discovers anomalies and identifies potential risks.

Vulnerability assessments and risk analysis: Performing regular assessments of devices’ security and compliance reduces risk of exploits. If applicable to your organization, penetration testing can reveal weak points in your security posture.

Access controls: Especially important in cloud environments, users should be given “least-privilege access” throughout the entire IT ecosystem. Consider zero trust network access to ensure only trusted users and devices access company resources.

Backups: Regular tested backups should be maintained and subject to the same security controls as any other company systems.

BYOD policies: Personal devices are more popular than ever in the workplace. Making network access contingent on device enrollment into your MDM or EMM tools ensures company data is in the appropriate hands. (More on this below).

User privacy

Data privacy goes beyond securing company data. With an increase in remote work comes user concerns about their personal data privacy. Rumors of varying truthfulness about employee surveillance continue to keep privacy at the front of employees’ minds. Employees find using personal devices at work more familiar, convenient and private, but this comes at the loss of access control and security of company data. And employees wonder if corporate-owned devices are set to watch their every move, hurting the relationship between the company and its workers.

To find the balance to keep IT, security teams and other employees happy, BYOD, CYOD (choose your own device) and COPE (corporate owned, personally enabled) programs give everyone the best of both worlds:

  • IT teams can take inventory of the devices, ensuring that the devices accessing company resources are trusted
  • Employees get easy access to corporate resources
  • IT can manage the devices to keep them secure and updated
  • Employees don’t have to carry personal and corporate devices, and in the case of BYOD and CYOD programs, can use devices that they like using

Since devices can be partitioned into company and user partitions, user data stays with the user, not their employer. Critical for the success of these programs is user enrollment initiated by the employee. With a few quick steps, users can get their devices enrolled into the company’s management system and access the resources needed for their job.

Key takeaways

  • Artificial intelligence and machine learning save time, money and resources while detecting current threats and preventing future ones.
  • MDM, EMM and UEM tools are key tools to understand, secure and manage your device inventory and ensure company resources are accessed by trusted users.
  • At its most basic, keeping your data private relies on understanding and analyzing the data, mitigating possible risks, enforcing strict access controls, maintaining regular backups and having a clear BYOD policy.
  • BYOD, CYOD and COPE programs secure company and user data by allowing employees to use their preferred devices under the management of IT, without the expense of losing user privacy.


Take your iOS/iPadOS Management to the next level


Author: January 13, 2023 by Laurie Mona

Source: https://www.jamf.com/blog/apple-admin-tips-for-secure-device-management/

Are you ready to step up your Apple Mobile Device Management (MDM) and looking for practical, reliable training to securely manage your fleet of Apple devices?

Do you want to ensure that all security protocols are in place across all areas of the digital environment, including and especially iOS and iPadOS?

Check out The Advanced Guide to iOS/iPadOS Management, Jamf’s 201-level e-book follow-up to our iPhone and iPad Management for Beginners e-book.

Read on for highlights of what you can learn from this new resource.

Modern cybersecurity for a mobile workforce

As more workplaces have enabled remote and hybrid work, the cybersecurity landscape has changed. Traditional firewall-based security and management systems simply were not built with mobile devices in mind, and don’t provide the best protection or experience.

The most critical challenge facing InfoSec and IT admins managing today’s mobile workforce: how to keep workplace devices and data secure while enabling workers to be connected and productive on every device, no matter where they work.

So how can your organization mitigate emerging cyber risks, while still providing the best user experience?

Build the foundation of security for your Apple fleet on proper management.

While management isn’t the full picture of the security landscape, security is only possible when proper iOS and iPadOS management is in place.

When developing your management plan, it’s vital to consider the key capabilities, workflows and settings needed to securely manage your iOS and iPadOS fleet.

Encryption, parameters, compliance and more

Moving beyond basic MDM requires a good understanding of Apple mobile device security features and important management tools, settings and workflows.

Read our new guide for detail about important security features including:

  • PKI certificates – encrypted text files with identification data on users and devices to secure all communications.
  • Push certificates – encrypted files generated by Apple that establish trust between a third-party service like Jamf Pro and Apple Push Notification Service (APNs).
  • Conditional access – setting parameters for securing an organization’s data in multiple locations; access requires verification of both trusted device and trusted user.
  • Device compliance – enforcing policies that may not only be required by an organization, but also by industry or government mandates, via a thorough and well-crafted device compliance management program to keep devices, users and data secure.
  • Configuration profiles – MDM commands and settings that give admins secure control; configuration profiles can enforce and enhance security in their own right by enforcing security protocols for passcodes, behavior and more.
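As an added illustration (not code from the guide or from Jamf), here is how the conditional-access rule described above, trusted device and trusted user, can be expressed as a policy check that combines device compliance attributes from an MDM inventory with identity verification; it also reflects the earlier point that network access should hinge on MDM enrollment. The minimum OS version, the attribute names and the device records are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed device inventory record, shaped like what an MDM reports (assumed fields).
@dataclass
class Device:
    serial: str
    enrolled: bool           # documented, managed equipment
    os_version: tuple        # e.g. (16, 2)
    encrypted: bool          # device storage encryption enabled
    passcode_set: bool       # passcode policy satisfied

# Constructed identity assertion, as an identity provider would supply it.
@dataclass
class User:
    name: str
    authenticated: bool
    mfa_passed: bool

MIN_OS = (16, 2)  # assumed organizational minimum, not taken from the page

def device_compliant(d: Device) -> list[str]:
    """Return the list of compliance failures; an empty list means compliant."""
    problems = []
    if not d.enrolled:
        problems.append("device not enrolled in MDM")
    if d.os_version < MIN_OS:
        problems.append(f"OS {'.'.join(map(str, d.os_version))} below minimum")
    if not d.encrypted:
        problems.append("storage not encrypted")
    if not d.passcode_set:
        problems.append("passcode policy not satisfied")
    return problems

def conditional_access(user: User, device: Device) -> tuple[bool, list[str]]:
    """Grant access only when the device is compliant AND the user is verified."""
    reasons = device_compliant(device)
    if not (user.authenticated and user.mfa_passed):
        reasons.append("user identity not verified with MFA")
    return (not reasons, reasons)

if __name__ == "__main__":
    # A compliant device with a verified user is allowed; an unenrolled,
    # out-of-date device without MFA is denied with every reason listed.
    for u, d in [(User("alice", True, True), Device("C02X1", True, (16, 2), True, True)),
                 (User("bob", True, False), Device("C02X2", False, (15, 7), True, True))]:
        allowed, why = conditional_access(u, d)
        print(u.name, d.serial, "ALLOW" if allowed else "DENY", why)
```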

Key workflows discussed include:

  • App management – from sourcing and hosting to updating and deploying, proper app management is critical in securing an Apple fleet while also supporting end-user productivity.
  • Bring Your Own Device (BYOD) – combining profile- or account-driven user enrollment with Jamf mobile device management means that you can secure and manage any employee-owned device.
  • Mass actions – perform multiple tedious tasks on many devices simultaneously.

Jamf security solutions for iOS and iPadOS

While proper device management is vital to proper security, using security-specific tools on top of that foundation is essential to create a comprehensive security solution. Read Mobile Threat Defense for Beginners for a basic overview.

Jamf security solutions for threat defense and endpoint protection go beyond simple antivirus for malware, including:

  • Identity and access management
  • Threat prevention and remediation
  • Content filtering and safe internet
  • Zero Trust Network Access (ZTNA)

Trusted Access is Jamf’s solution for security beyond management, a unique workflow that brings together device management, authorized users and endpoint security to help organizations create a work experience that users love and a secure workplace that organizations trust.

Download The Advanced Guide to iOS/iPadOS Management.