Mitigating social engineering attacks
Month: October 2023
Author: October 16, 2023 by Braden Newell
Source: https://www.jamf.com/blog/mitigating-social-engineering-attacks/
Protecting user devices against malware is one of the first endpoint hardening tasks an IT administrator or Information Security (InfoSec) team will likely implement. When securing a fleet of devices, regardless of the operating system, ensuring that users cannot install malicious software like ransomware, spyware and rootkits is a basic level one CIS requirement. Jamf Protect’s macOS endpoint security and malware prevention capabilities have long made preventing known malware from launching on corporate and education Macs easy.
It’s great that organizations place a tremendous focus on stopping malware from entering their environments. However, another threat is often overlooked — social engineering. Social engineering is the practice where attackers manipulate and trick individuals into providing sensitive data or access credentials. Social engineering is challenging to defend against because many of us have a trusting nature and have so much to do on the go that we sometimes overlook the out-of-place.
Social engineering continues to be a serious threat, and the risks it poses are only growing. According to the IBM 2023 Cost of a Data Breach Report, social engineering is involved in ~8% of attacks, costing on average $4.55 million. And this statistic doesn’t even include phishing — responsible for 16% of breaches and costing $4.76 million on average. In other words, it’s nothing to sneeze at.
Attackers are attempting to masquerade as corporate executives, and there seems to be more spam than ever hitting our inboxes. Fortunately, there are several tactics your organization can put in place to help mitigate the risk social engineering poses, and, of course, Jamf has a solution or two to create another layer of defense against those digital threats.
Learn how to recognize phishing attacks and how to defend against them.
Strong passwords and two-factor authentication
Strong, unique passwords are the first line of defense when strengthening your organization’s security posture. Sufficiently long and complex passwords mitigate the risk of shoulder surfing by making them tricky for someone to glance at a user’s keyboard or touch screen and remember what they typed. Jamf’s management products, Jamf Pro, Jamf Now and Jamf School, all offer the ability to implement and enforce password policies on users’ Macs, iPhones and iPads.
However, a complex and/or long password isn’t enough to prevent social engineering. If a bad actor executes a successful phishing attack, for example, the user has provided the password outright, regardless of its complexity. This is why ideally passwords should also be unique for every application and never reused. If a particular application has a data breach and that specific password is compromised, it won’t give the attacker access to other systems. The first thing an attacker tries once they have a user’s application username and password is to try it against other applications.
A way to achieve this is by using a password manager and/or SSO solution. Jamf integrates with directory services and cloud identity providers (IdP) like Okta and Microsoft Entra ID to support SSO. And Jamf Connect keeps users’ Mac passwords synced with their single sign-on (SSO) password, which likely can have its own enforced password policy. This way, users only have to remember one password, reducing password fatigue.
For SSO to be secure, two-factor authentication (2FA) or multi-factor authentication (MFA) should be implemented; otherwise bad actors have access to everything if they obtain a user’s master password. In two-factor or multi-factor authentication, not only does a user need their password, they also need either a randomly generated six-digit code or another form of authorization, biometric technology such as Face ID or Touch ID, or something physical like a Yubico YukiKey to access the requested application. 2FA and MFA help reduce the risk that attackers can access systems — especially when biometrics are used — since they may not be able to confirm the authentication prompt.
If your organization doesn’t already have a password policy and password training or resources, champion their development to create formal and consistent messaging around passwords and two-factor authentication.
User training
Never underestimate the power of user training. Social engineering attacks often follow a consistent playbook. Spelling errors, strange icon placement, email spoofing and a sense of urgency are all strong indicators that an email or phone call is a social engineering attack.
However, bad actors are improving, making spoofe emails or websites look nearly flawless. AI is even helping attackers enhance their attacks. Users need to know what a convincing attack can look like, and how to proceed if they suspect a social engineering attack.
Therefore, one of the best ways to prevent social engineering attacks is to train users regularly on the common indicators of social engineering. Most organizations deliver this sort of training once or twice per year to account for changes in tactics and to keep employees vigilant. It’s essential to have a blame-free culture to encourage users to report attacks as soon as they happen. Suppose a user does fall for a social engineering attack. In that case, it’s better for the user to feel comfortable reporting it to IT early rather than further damage caused by a delay in reporting.
Some organizations leverage spam tests and training simulations to test their users’ susceptibility to social engineering attempts. However, organizations have to be careful with this sort of testing. While data can be valuable, users may grow distrustful of their organization. Instead, organizations may want to consider incentive or reward programs for users reporting spam and phishing attempts. Work to create a culture of support, education and prevention around social engineering.
Principle of least privilege
The “principle of least privilege” is an InfoSec concept where users should only be granted access to the specific applications and functionalities required to do their job. For organizations that use applications with user access levels, consider implementing and reviewing them regularly. In a situation where a user’s credentials are compromised, the attacker’s access can be limited to the user’s specific access level. This ensures that the attack has a restricted scope of access and, ideally, is limited from accessing critical or sensitive data.
After gaining initial access, attackers will attempt to move laterally through the network until they reach their final target. The “principle of least privilege” helps limit and mitigate the spread of social engineering attacks but is not a complete solution. Training users on being vigilant and cautious when receiving an odd request from a team member is a great additional step.
Zero trust network access
Even with strong password policies, least privilege access to applications and user training, social engineering attacks can still succeed. Zero trust network access (ZTNA) adds to your defense, taking the principle of least privilege further by segmenting network access beyond role-based access to applications.
With ZTNA, applications and other resources are accessed via micro-tunnels that are continuously reevaluated even after a user signs in successfully. This is done independent of user or device location. In other words, ZTNA connects users to company resources only after they have strictly verified their identity, continuously checks that the user and the device meet identity and security requirements, and totally prevents access to resources the user is not allowed to access (as the user can’t even reach the part of the network those resources exist on).
ZTNA is a helpful addition to a security stack. If the identity of a user or the security status of a device comes into question, ZTNA can restrict network access to all or some of the network. This prevents and/or reduces the spread of a bad actor in the corporate network, regardless of whether the device is compromised.
How Jamf can help
Jamf Pro
Policies in Jamf Pro help manage and secure devices by configuring devices to meet security requirements. Jamf Pro helps keep devices and software up to date with the latest security patches, helping to keep devices compliant with CIS benchmarks.
Jamf Pro supports Self Service — an enterprise, IT-approved app store where users can download and update apps as they need, without a help desk ticket. This reduces the risk of shadow IT and the download of malicious apps.
Jamf Connect
Jamf Connect helps with access control. With cloud IdPs, users can unbox their device and connect to their corporate applications using a single password. Jamf Connect enables ZTNA connectivity, keeping networks safe and users productive with effortless but secure authentication.
Jamf Protect
Jamf Protect has long been a powerful endpoint security solution preventing known malware from launching on macOS. Recently, Jamf Protect’s capabilities expanded with the addition of web threat prevention, formally known as network threat protection.
Web threat prevention is a network security capability that, among other things, prevents users from accessing known spam, phishing and malicious websites. Web threat prevention is available not only on macOS but on iOS, iPadOS, Windows and Android.
Jamf takes care of domain recognition and threat filtering; all organizations must do is deploy Jamf Protect’s web threat prevention capability to their operating systems of choice. Once deployed, even if a user clicks a known malicious link, they are prevented from accessing it and redirected to an informative block page.
Adding network security capabilities to Jamf Protect is a significant win for organizations looking for solutions to help reduce the risks of social engineering and other network-related threats. Plus, with Jamf Protect’s web threat prevention capability available for both Apple and non-Apple operating systems, all of your organization’s devices can be secured with the help of a partner you know and trust.
Jamf Protect also has built-in compliance with CIS benchmarks for macOS. Depending on an organization’s needs, CIS has two levels of profiles with different security recommendations. Level one profiles contain practical security practices that have little to no impact on the user experience. Some examples are:
- Ensuring automatic software updates are enabled
- Automatically setting the date and time
- Basic password management controls like minimum length and character diversity
Level two profiles may restrict a user’s experience in favor of tighter security. Some examples are:
- Disabling media sharing
- Disabling the sending of diagnostic information to Apple
- Restricting iCloud Drive document and desktop sync
Organizations can implement profiles from either level based on their security needs. CIS benchmarks are extensive, which is why they’re conveniently built into Jamf Protect where admins can verify if their fleet is in compliance with chosen benchmarks. With this information, admins can use Jamf Protect and Jamf Pro to maintain adherence to these benchmarks.
Jamf Safe Internet
Educational institutions can reap the same network protection offered in Jamf Protect with Jamf Safe Internet’s content filtering and network security. Jamf Safe Internet is built specifically for the education market with a price point and feature set catered to educational institutions.
Jamf Safe Internet focuses on helping schools meet their regional online child safety regulations while maintaining student privacy, supporting macOS, iOS, Chromebooks, and most recently, Windows. Jamf Safe Internet is straightforward to configure and deploy, and once again, Jamf handles all of the domain identification and network filtering for you.
Adding Jamf to your security stack helps defend against social engineering attacks.
Back to security basics: phishing
Month: October 2023
Author: October 13, 2023 by Liarna La Porta
Source: https://www.jamf.com/blog/signs-youve-been-fished/
Chances are, your mobile device doesn’t have the same security defenses as your work laptop or desktop computer. That’s why it’s important that you, the end user, do all you can to protect yourself from cyber threats. This article will focus on phishing — how to recognize if you’ve been phished, how it happens and what to do about it.
How does phishing work?
Phishing is a type of social engineering attack hackers use to steal user data, including login credentials and credit card numbers. It occurs when an attacker masquerades as a trusted entity to dupe a victim into opening a message and clicking on a link. Once the link has directed the victim to a fraudulent website, the victim is then duped into entering their login credentials or financial information, which is funneled through to the hacker.
Phishing is a simple yet effective attack technique, which can provide the perpetrators with a wealth of personal, financial and corporate information. The aim and precise mechanics of the attack can vary, but they are usually centered around soliciting personal data from the victim or getting them to install malicious software that can inflict damage upon their device.
Phishing is not only very common — it’s also one of the most damaging and high profile cybersecurity threat facing enterprises today. According to the IBM 2023 Cost of a Data BreachReport, phishing tops the chart at 15% of all data breaches, costing organizations $4.76 million on average.
Phishing usually begins with a form of communication to an unsuspecting victim: a text, an email, in-app communication and more. The message is engineered to encourage user interaction with an enticing call to action. Perhaps the chance to win a new iPhone, a voucher for a free holiday or, more simply, the opportunity to gain access to a service like social media, bank accounts or work email.
In order to solicit personal information from the victim, the attacker will often lull them into a false sense of security by sending them to a legitimate looking webpage to fill in their details. This intel could either be used immediately to gain access to the service via the official site or the data could be harvested and sold on to others on the dark web.
Types of phishing attacks
If you’ve been phished, chances are the attack was delivered in one of these ways:
- Text messages: Also known as “smishing”, bad actors send users an SMS message containing a link to a phishing site, often with the intent to steal user credentials.
- Whatsapp: Also known as “whishing” and similar to smishing, bad actors send malicious messages in Whatsapp.
- Email: Email phishing can be to personal or corporate emails, and may an organization or website the user is familiar with. These emails may ask the user to log in to software they use, ultimately sending the user to a malicious but legitimate-looking site.
- Voice phishing: Voice phishing, or “vishing,” can involve spoofed numbers that appear as legitimate institutions. These attacks may use a text-to-speech program or a real voice, and are often used to obtain financial information from their victims.
- Spear phishing: These attacks are sent to a specific target and may be through email, text or other means. Bad actors may impersonate an individual the user knows, possibly asking for assistance or their personal information.
- Whaling: Whaling attacks target high-profile targets like CEOs or other executives. Bad actors may impersonate other executives to appear legitimate, eventually sending their victims to a spoofed site to harvest credentials.
- Social media posts and direct messages: Bad actors may use social media to reach their victims. Like other methods, this usually involves sending the user to a spoofed site to gather their information.
How to recognize a phishing attack
Hopefully, you’ll spot some signs you’re being targeted by phishing before you get to the point of handing over your valuable information. Look for:
- Unsolicited and suspicious messages, emails and social posts containing shortened links
- Web pages that ask for login credentials or other sensitive information
- Suspicious emails with uncharacteristic language
- Web pages with suspicious or copycat URLs
- Misspellings, special characters or grammar mistakes (though note that AI is helping bad actors improve in this regard and some sites and messages may look totally legitimate)
In the example phishing attempt below, the message includes a shortened link and a demand for action (as users would want to dispute a purchase they didn’t make). The shortened link makes it difficult to vet its legitimacy, while the lack of obvious errors makes the attack less obvious. The best course of action would be to ignore the link and manually log into any banking or payment card accounts, checking to see if the purchase did indeed happen.
If you’ve been phished and handed over your information, there are some telltale signs that can help you figure out if you’ve taken the bait. Phishing attacks vary and because they are often packaged up with other threats, like as a way of delivering malware for example, the symptoms can be very broad. Here are some signs that a basic phishing attack has been successful:
- Identity theft
- Unfamiliar transactions
- Locked accounts
- Unprompted password reset requests
- Spam email coming from your account
What to do if you think you’ve been phished
So you’ve been phished, what now?
- Change all your passwords for the accounts that have been compromised as well as the accounts that use the same or similar passwords to those that have been captured by the hacker.
- If you entered your credit card information in the phishing page, cancel your card.
- Take your computer offline or delete your email account to avoid spreading phishing links to your contact lists.
- Contact the company or person that the phishing attack impersonated, if any — it might be your CEO, it might be a friend or it could be a major company or bank.
- Scan your device for viruses; clicking malicious links can instigate silent downloads of malware that corrupt devices without your knowledge.
- Watch out for warnings of identity theft and put a fraud alert on your credit account.
Proactive steps you can take to protect yourself
Mobile devices are particularly vulnerable to phishing attacks. Their smaller screen and on-the-go use makes it more difficult to closely inspect links for legitimacy, and users are often in too much of a hurry to do so regardless. Additionally, while many users download threat protection to their computers, less do so on their phones. This is why careful scrutiny is required.
The best remedy is prevention. Stay safe from phishing by following this guidance:
- Don’t click on suspicious links
- Don’t enter your credit card information into unknown or untrusted services
- If a link directs you to your banking website, open up your banking site in a separate window by typing the name in manually
- Don’t fall for more obvious scams that claim you’ve won a prize
- Check the address bar for suspicious or copycat URLs like my.apple.pay.com
Organizations can takes steps to prevent phishing on their corporate or BYOD devices, including:
- Training employees on phishing attacks and how to avoid them
- Implementing anti-spam filters so attacks don’t reach employee inboxes
- Using MFA to prevent stolen credentials from being used
- Deploying threat prevention software to block access to phishing sites even if they are clicked on
- Using password managers that auto-fill based on site domain (therefore not working on illegitimate sites)
- Keeping devices and software up to date
Request a free trial to learn more about our security products.
Top 10 reasons to use Jamf in your school
Month: October 2023
Author: October 12, 2023 by Mat Pullen
Source: https://www.jamf.com/blog/top10-reasons-to-use-jamf-at-school/
amf helps schools deliver a secure, active learning environment to everyone with iPad, Mac and Apple TV devices.
We work with schools worldwide to help students succeed with Apple. Jamf’s solutions are used in 40,000 institutions globally, empowering over 42 million students via 1:1 or shared Apple devices.
Central to our mission: empowering student success through an educational ecosystem that supports teachers, parents and school leaders. Read on for the top reasons why Jamf School and Jamf Pro are the Mobile Device Management (MDM) solutions of choice for today’s digital classrooms.
Top 10 reasons Jamf is best-in-class
1. It’s a total solution purpose-built to manage and secure Apple devices and to optimize learning.
We help education institutions of all sizes use Apple technology to deliver transformational teaching and learning anywhere. Because Jamf offers both management and security, you get everything you need to maximize your investment in Apple. Our framework offers endpoint protection, network threat prevention, content filtering and identity and access solutions focused on Apple. With these features, you can rest assured that students, teachers, and staff can focus on learning while staying safe online.
2. Jamf Safe Internet keeps students safe and their information private.
Centered around privacy for students, Jamf Safe Internet helps schools keep students safe by blocking harmful or adult content using a vast content filtering database. Google Safe Search and YouTube restricted modes are available to limit content within those apps and search engines.
New this year: Jamf Safe Internet is also available for Microsoft Windows. Another ever-increasing issue facing educational institutions is cybercrime— including phishing, malware and ransomware. Jamf protects both your network and end users from lost learning time as well as damages to school systems, including potential costs of rebuilding or ransomware.
3. Jamf’s Google alliance partnership helps students and staff stay productive.
Jamf has a dedicated team that works closely with Google to develop meaningful integrations across Google Classroom and Google Cloud Identity. Jamf Safe Internet’s support for Google Chromebook can your district or campus stay safe online, no matter which devices they use.
4. Jamf’s Microsoft alliance partnership enhances learning with Microsoft tools on iPad.
Numerous schools and institutions continue to use Microsoft tools and services to elevate their educational experience. Jamf goes beyond merely supporting these tools. We support the integration of Microsoft Office 365 through Apple School Manager and federated IDs to provide access and identity to student devices. This enables iPads to use the Microsoft tools that schools have access to while ensuring that devices are deployed and configured to be most effective in the classroom.
5. Jamf apps enable teachers and parents to keep students focused and safe online.
The Jamf Teacher app enables teachers to not only prepare lessons with specific apps and web pages but also prevent distractions by limiting both apps as well as select device functions— such as the camera. During class, for immediate attention, teachers can use the attention screen to lock students out with a custom message. Jamf Teacher also allows educators to send direct messages to individuals or groups of students.
When school is over, the Jamf Parent app allows parents to disable notifications for students on the way home to prevent distractions for children who should look both ways while crossing the street. Parents can also enable location notifications to alert them when students arrive at school or home. Jamf Parent also helps parents keep students focused on homework by modifying access to games and limiting social media use.
6. Jamf Student encourages students to communicate their needs and help themselves.
The Jamf Student app neatly organizes assignments so students can easily find apps, books and documents in their library. When they have questions, learners can easily message their teachers. For times they need a little more help, they can virtually raise their hands to ask the teacher to come to their desks.
7. App Installers and Patch Management monitoring manage your entire application lifecycle.
Beyond offering Self Service with automated workflows for deploying and updating apps, Jamf also provides tools to help you deploy any type of software and keep them updated in the most secure way. The Jamf App Catalog features over 1100 app titles and versions, with 127 apps available via App Installers. We streamline the app lifecycle process so that IT admins don’t have to manually monitor, package, and update apps. We also offer patch reporting natively within the Jamf Pro console, which IT can customize to get the needed data for their environments. For any apps outside of the Jamf App Catalog, we also offer Jamf Title Editor, which extends the power of Patch Management monitoring to the apps you use.
8. Jamf Assessment easily delivers proctored exams on iPad.
With features like screenshot detection, camera enablement and custom exam URLs, Jamf Assessment allows you to easily proctor a remote exam on any modern video conferencing platform. Here’s how it works: a teacher starts a video conference session on their iPad and invites the student to begin the exam. To meet exam security requirements, proctors can see the iPad screen, as well as see and hear the student.
9. Smart Groups and extension attributes turn device inventory data into actionable automation.
Inventory is often defined by key data points like model, serial number, operating system, and capacity. Jamf Pro takes inventory collection further by including data points about packages installed, running services, certificates, available software updates and even fonts.
What if the inventory data you’re looking for isn’t automatically collected?
No sweat. Jamf offers extension attributes to help you create the picture you’re looking for about your Apple devices. You can set up policies to collect the inventory data or even create custom data points via extension attributes like Lease End Date – and keep track of it all with advanced searches to save your inventory views. Once you have all the data, our patented Smart Groups create dynamic groupings across your Apple fleet that depend on multiple inventory attributes so you can pin down exactly which devices need what. When a device attribute changes, Jamf Pro does the work for you by dynamically shifting Smart Group membership.
10. Jamf Setup and Jamf Reset allow seamless and secure device sharing.
When you use Jamf Setup and Reset with Jamf Pro, you can provide seamless shared device experiences for students and staff. Uses range from libraries to computer labs, loaner devices to the campus police force, residential hall check-ins to on-campus retail stores or sports stadium purchases. Securely provision and share devices with a single tap to select the configuration/role. When finished, tap on Jamf Reset to wipe and reset the device so it’s ready for the next user. Return Device to Service is also available in both Jamf Pro and Jamf School to simplify the reset process.
Beyond the top 10: the evolution of modern education
This top 10 list is just a brief introduction to the ever-evolving ways Jamf can support you as you integrate technology into the learning process to empower student success.
Request a free trial to learn more about how you can make the most of digital tools and transform your learning environment with Jamf School or Jamf Pro.
What is an enterprise app catalog and why do you need one?
Month: October 2023
Author: October 9, 2023 by Sean Smith
Source: https://www.jamf.com/blog/what-is-an-enterprise-app-catalog/
Software applications offer tools that not only help employees do their jobs better but also keep them more engaged and productive.
As an employer, it’s crucial to help your employees make the most of their time, but you also need to effectively manage your resources and be mindful of security.
So how can you strike a balance between providing the apps your employees want with the oversight your company needs?
Get the best of both worlds with an enterprise app catalog.
What is an enterprise app catalog?
An enterprise app catalog is a private, online store for authorized users to access internal resources such as web- or native-based applications. Like public app stores such as the Apple App Store or Google Play, an enterprise app catalog provides a private one-stop shop for your employees to be able to discover, request and install the applications they need for their job.
While an enterprise app store typically offers in-house, third-party or Apple App Store apps, it can also provide access to other internal resources such as e-books, guides, videos, printers and drivers— and other configurations.
How does an app catalog work and why use one?
An enterprise app catalog serves as a curated marketplace to connect users with the apps they want while giving organizations the control they need over enterprise app management.
Benefits to implementing an app catalog include:
- Security: control over the apps that employees can access and use, as well as oversight on app installations and updates.
- Customization: ability to offer custom-built apps tailored to the organization’s needs.
- Ease of distribution: simplified process of distributing apps to employees, regardless of location.
- Centralized management: a centralized platform for managing all enterprise apps.
- Cost savings: reduction in costs associated with app distribution and management. IT productivity is increased when access to resources doesn’t require IT tickets.
When your organization uses Jamf as your Mobile Device Management (MDM) solution, it’s easy to set up your own enterprise app catalog with Jamf Self Service for Mac and mobile devices.
Jamf Self Service: resources on demand
Jamf Self Service is a curated app catalog that gives users on-demand access to organizationally- approved apps, settings and other resources without having to submit an IT help desk ticket.
Resources commonly offered through Self Service include:
- Access to Apple App Store apps, in-house apps, third-party apps
- E-books, guides and videos
- Printer mapping and drivers, email, VPN and more configurations
The Jamf Self Service catalog allows IT admins to personalize content by:
- Department, language, user role or location
- Changing the look of Self Service by changing the name, icon and image to match your brand
Employees can use Self Service to:
- Resolve common IT issues like software updates
- Receive real-time notifications for security enhancements and app updates
- Bookmark HR tools or internal resources for easy access
There are versions of Jamf Self Service available for both macOS and mobile devices.
Give your employees the apps they need with Self Service
If your organization uses Mac computers, Self Service is a crucial tool for IT to distribute apps to end users. Many common apps used on the job or in schools are not available from the Apple App Store.
The Jamf App Catalog —not to be confused with Self Service, which is an enterprise app catalog— offers many popular third-party macOS software titles. IT admins can also use a patch management workflow or App Installers to manage third-party macOS software updates.
App Installers is a curated collection of Jamf-managed and Jamf-provided installer packages that automate and streamline updating and deploying third-party apps.
With App Installers, an admin can deploy those third-party non-Mac App-Store apps directly to Self Service: available for end users to install when they are ready.
After installation, apps automatically update when a new version is available in the Jamf App Catalog without users having to lift a finger.
App Installers saves admins time, ensures end users have the most up-to-date version of apps, and increases security by keeping apps updated. It’s important to understand that out-of-date software is less secure software. Being able to provide app updates automatically helps keep the ecosystem of devices and users secure.
Why is app management important?
App management is an essential business process, and it’s vital for an organization to have healthy app management.
Application management covers the entire lifecycle of apps used in an enterprise or educational setting from purchase to deployment, updates and patch management to sunsetting, if necessary.
When you choose Jamf for your MDM solution, you can simplify your application management to make your IT admin’s life easier, your end users happier, and your organization secure.
Learn how an app catalog can help your employees and organization be more productive today.
A holistic approach to security: endpoint protection
Month: October 2023
Author: October 9, 2023 by Jesus Vigo
Source: https://www.jamf.com/blog/endpoint-protection-apple-devices/
The modern threat landscape continues to evolve to meet the changes in modern computing. One that sees companies migrating to remote and hybrid work environments, adopting Apple in the enterprise and varying device ownership levels. All in service to permit users to work:
- Where they feel most comfortable
- On their preferred device
- From anywhere and at any time
What is endpoint protection?
To best answer this question, we must first know what we need protection from. Armed with an entire arsenal at their disposal, threat actors actively target all endpoints in a concerted effort to compromise your device fleet, as well as your users to gain access to critical and sensitive organizational data for their own nefarious purposes.
The days of merely installing antivirus on your computer are both wholly inadequate and asking for trouble given the array of threats that exist across the threat landscape that impact modern devices — not just computers but mobile devices across multiple platforms too.
To that end, endpoint protection is the umbrella term that describes a group of security solutions that work in synergy to keep endpoints (devices), users and data safe and secure against the current and evolving modern threat landscape.
What is the primary purpose of endpoint protection?
Protect against new and evolving threats
Alas, it’s a brave new world and that includes a whole slew of threats and attacks that impact the security of your endpoint— regardless of whether users are at the office or home, connected to any network, or on macOS, iOS, Android or Windows.
How does it differ from antivirus software?
While malicious code is still very much a thing to be wary of. Historically, antivirus software only provided protection against malware and possible variants but that was it! As you can tell from the list of threats below, challenges to a device’s security posture — and to a greater degree, the organization’s security posture — have evolved to encompass a variety of threat types. Ones that merely protecting against malware cannot address. A few examples of modern threat types are:
- In-network attacks
- Man in the Middle (MitM)
- Zero-day phishing attacks
- SMS
- Social media
- Messaging
- Lateral movement attacks
- On-device attacks
- Living off the land (LotL)
- Malware
- Spyware
- Trojans
- Ransomware
- Cryptojacker
- Potentially unwanted programs (PuP)
- Unauthorized data exfiltration
Layered security protections to combat convergence
And while some of the threats above carry identifiable fingerprints that can tip IT and Security admins off to their whereabouts, an increasing number of bad actors are combining threats (referred to also as convergence), employing the latest tactics to remain unknown, and therefore able to carry out attacks stealthily over time.
Hence a need for comprehensive security solutions to protect against modernized and converged threats that place devices and users at risk by blending attacks that target multiple vectors. By implementing a defense-in-depth strategy, IT and Security teams gain the features necessary to keep endpoints safe while users get the support they need to stay secure while upholding organizational and privacy data security.
Minimizes costs associated with security risk
Risk from security incidents doesn’t just refer to a device’s vulnerability to threats. The cost(s) that stem from risk that — when left unchecked — leads to a data breach have been increasing steadily year-over-year. In fact, below are a few statistics that further underscore the real-world need organizations have for an enterprise-wide endpoint security solution that comprehensively protects company- and personally-owned endpoints used to access business resources:
- The global average cost of a data breach in 2023 was USD 4.45 million, a 15% increase over 3 years
- Nearly 60% of companies affected by a data breach are likely to go out of business due to reputational damage
- 41% of respondents report a regulatory violation in the past two years
- 74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or Social Engineering
- For the second year in a row, manufacturing was the top-attacked industry. With finance and insurance in second place again by a margin of nearly 6%
- 64% of vulnerable devices accessed collaboration tools while 34% accessed enterprise email
Features of robust endpoint protection
Jamf Threat Labs (JTL)
You may be thinking, how can you possibly stop that which you cannot see? With Jamf Threat Labs, that’s how. Jamf’s team of cybersecurity experts and data scientists works tirelessly to assess macOS and iOS-based endpoints, performing threat hunting to successfully identify and prevent both novel and unknown threats from affecting your Apple fleet. Not only are they great at what they do, but their research feeds the threat intelligence engines that drive Jamf’s endpoint security solutions. By incorporating their findings, detecting unknown threats through advanced behavioral analytics and frequently updated YARA rules work in tandem to mitigate security threats that may be lurking within your fleet before they have a chance to escalate to something worse, like a data breach.
The work performed by the JTL has a direct impact on Jamf Protect, which cascades and causes a ripple effect that reaches our users in the form of security benefits: From identifying new Mac-based and mobile threats to developing analytics for detecting them to stopping the sophisticated malicious actions of applications, scripts and even risky user behaviors. Keeping administrators alerted to detected threats, logging findings, and informing both administrators and users during each step of the way.
Speaking of logging threat data, the telemetry gathered by Jamf Protect is not only used by JTL to hunt for the latest threats — both unknown and known threats that have evolved in an attempt to evade detection — but this very same telemetry data can be used to aid your organization’s IT and Security (or authorized third-parties) in hunting for malicious threats that may be embedded within your device fleet, quietly gathering intel on your business processes, awaiting the right time to perform a data breach. By having access to your device’s health status through rich telemetry data, organizations can be better equipped to identify potentially malicious threats and risky behaviors, subsequently containing incidents before they have a chance to occur, ensuring compliance is maintained (but more on how Jamf Protect can help you with achieving your compliance goals a little later).
Key takeaways:
- Supported by Jamf Threat Labs team of cybersecurity experts and data scientists to research, identify and prevent novel threats
- Advanced threat intelligence engine and machine learning (ML) aid in threat hunting to identify potential attacks before they can happen
- Protect endpoints from new and existing, known and unknown threats, risky apps and suspicious behaviors
- Active hunting of threats — both unknown and in the wild — leading directly to the patching of vulnerabilities that impact macOS and iOS-based devices
- Constant incorporation of threat intelligence data, research and findings into Jamf Protect by a dedicated team of cybersecurity experts to enhance security protections
Monitor
In addition to the Jamf Threat Labs team constantly monitoring macOS and iOS-based operating systems across the expanding threat landscape to identify and thwart the latest threats facing organizations, Jamf’s endpoint security solutions actively surveil endpoints for known, unknown and suspected threats across all supported platforms, including Windows and Android.
This minimizes risk from various Apple-focused and mobile device security threats while serving as one of the foundational components in the comprehensive, multi-prong endpoint security protections. Jamf solutions keeps a watchful eye over your organizational devices and users by:
- Consistently and actively monitoring endpoints 24x7x365
- Gathering rich telemetry logging and reporting data
- Providing insight into device health, aiding compliance auditing
Key takeaways:
- Active monitoring of managed endpoints — regardless of the ownership model (BYOD/CYOD/COPE) — logging device health status
- Obtain detailed logging and rich telemetry data through deep visibility and insight into endpoints and threat trends
- Stream logging of gathered data to your preferred SIEM solution for centralized management of threat intelligence
- Leverage MI:RIAM and machine learning to find (and stop) new, advanced threats, like zero-day phishing and Cryptojacking attacks
- Maintain careful watch over managed endpoints, locking down unwanted software and limiting the execution of suspicious file types
Detect
Keeping vigil over endpoints is just one aspect of protection, the next is identifying threats. Whether known, unknown or suspected – IT and Security administrators will have visibility into device health, including real-time alerts that inform stakeholders of detected threats that affect their devices.
Further, logging data is gathered for each endpoint, providing in-depth information about the security of your entire fleet. The rich telemetry data collected serves administrators well in not only quickly identifying what risks impact their endpoints but also allows them to:
- Perform threat hunting to identify potential threats
- Leverage granular information to refine protections
- Mitigate risky behaviors to mitigate potential attack vectors
Key takeaways:
- Speed up incident response, resolution and remediation times with MI:RIAM and automated workflows
- Isolate affected devices and perform a clean-up of endpoints under attack using secure, managed processes
- Prevent malware, potentially unwanted apps and risky behaviors performed by end-users from impacting device performance or productivity with lean resource utilization
- Alert IT and Security teams, and critical stakeholders of security incidents in real-time with deep visibility into each endpoint
- Extend security protections across your Apple fleet — including personally- and company-owned devices so that business data is accessed securely from any supported device type
Prevent
Every threat, like malware, is a potential risk to exposing user and/or company data, so it’s important that organizations choose an endpoint protection solution that specializes in detecting the unique and evolving threats that target users on Mac and mobile devices – inside and out.
The on-device and in-network protections provided by Jamf endpoint security solutions mean faster detection, notification and threat response to known and unknown threats thanks to our:
- Advanced machine learning (ML) and threat intelligence engine – MI:RIAM
- Customizable behavioral analytics mapped to the MITRE ATT&CK Framework
- Data policy enforcement ensures data remains only on secured, compliant storage
- Blocking of network threats, such as phishing, malicious downloads and command and control (C2) traffic, including risky domains
Key takeaways:
- Stops threats that occur on-device, like malware while also preventing in-network attacks, like zero-day phishing and lateral movement
- DNS-based content filtering, purpose-built for Apple, prevents access to websites hosting malicious code, used in attacks or simply to block inappropriate content on managed devices
- Limit data exfiltration by enabling removable storage controls to enforce encryption of removable media, manage permissions or disable external storing of protected data altogether
- Implement ML for enhanced threat intelligence gathering to prevent advanced, novel threats from compromising endpoints, users and/or data
- Utilize rich telemetry data and MI:RIAM to perform both manual and automated threat hunting to detect unknown threats that may be lurking in your devices and stop them before a data breach can occur
Remediate
Even with increased visibility and compliance, granular reporting, real-time alerts, advanced threat intelligence and protection against novel threats, the modern threat landscape evolves so frenetically that endpoints may be impacted or drop out of compliance. What then?
Once again, Jamf endpoint security solutions – with their multiple layers of protection – facilitate powerful remediation workflows to correct deviations from your OS hardening configurations, quickly bringing endpoints back into compliance.
Jamf solutions flexibly provision manual and automated workflows to respond to and remediate incidents in real-time.
Key takeaways:
- In-depth visibility into all macOS security tooling activity and system processes in real-time
- Eradication of malicious, unwanted and potentially risky files, apps and downloads
- Isolating devices found to be out of compliance or that pose a risk to data security
- Aligning with CIS Benchmarks to develop, enforce and monitor secure device baselines
- Prevention of potentially unwanted apps and risky behaviors to ensure data remains secure while devices are free from end-user-introduced risk
Compliance
For some, compliance is nothing more than a term in a sea of other words. However, for others, particularly those tasked with ensuring that systems, data and processes are aligned with local, state, national and/or regional laws in highly regulated industries, compliance represents a potential nightmare. One that if left unchecked could lead to disastrous consequences for the regulated organization as well as its stakeholders — perhaps even impacting the customers that depend on the organization to protect and safeguard sensitive data types.
Thankfully, Jamf Protect users can sleep a little easier at night knowing that the endpoint security solution goes beyond just malware prevention. In fact, it goes well beyond with tight-knit integration (discussed in more detail below) by mapping analytics to the MITRE ATT&CK Framework to prevent known threats while remaining flexible and allowing administrators to customize existing analytics (or create entirely new ones) to meet the demands of your regulated environment.
Taking it further, Jamf Protect’s rich telemetry data combined with behavioral analytics — and enforced via Jamf Pro — form a covalent bond by securely sharing this data between solutions. The result? Jamf Protect establishes the requirements necessary for managed endpoints to be compliant. At the same time, integration with Jamf Pro enables the use of policy-based management to enforce compliance. Should a device, say miss a critical security update, have a vulnerable app installed or perhaps a curious user is performing risky behaviors, Jamf Protect’s logging system will share this data with Jamf Pro. In turn, this triggers a policy contained within the MDM that executes an automated workflow to remediate the issue, bringing the endpoint back into compliance…all without IT or Security teams having to lift a finger and without impacting end-user productivity.
But how does it actually help administrators meet compliance standards? That’s a great question and one that we’ll answer right now. As mentioned above, Jamf Protect can be configured to align with regulatory governance. By doing so, endpoints are actively monitored and report back on any changes to device health that would otherwise impact compliance status. Threat prevention works to limit the impact of threats on endpoints, mitigating the risk in one fell swoop. And when Jamf Protect is integrated with Jamf Pro, compliance is enforced through policy-based management, ensuring devices remain compliant and remediating any deviations from regulatory compliance through both manual and automated workflows.
Below is a sampling of the security frameworks supported by Jamf to help organizations realize their compliance goals:
- Center for Internet Security (CIS)
- National Institute of Standards and Technology (NIST)
- Defense Information Systems Agency (DISA)
- International Organization for Standardization (ISO)
- macOS Security Compliance Project (mSCP)
Key takeaways:
- Behavioral analytics mapped to MITRE ATT&CK Framework for powerful, customizable prevention of threats, tailored to the unique needs of your organization
- Automated incident response and remediation workflows eradicate malicious, risky and unwanted files while isolating devices that pose a risk to data security
- Develop, enforce and monitor secure device baselines aligned with CIS Benchmarks to drive compliance and aid in auditing compliance tasks
- Adapt secure configurations and device hardening profiles to Apple-based endpoints in accordance with NIST, DISA and mSCP guidelines for secure computing
- Jamf cloud operations are certified for compliance with ISO 27001/27701, SOC 2 and FBI Infraguard, among many others for data security and corporate governance practices
Multiple layers of security – one solution
Look at the fingers on your hand. They work independently to accomplish certain tasks, yet work in tandem when needed to perform larger-scale functions, do they not? A single, yet powerful security solution similarly relies on many individual layers that – while capable of performing independently in their own right – also work together to form a holistic, multithreaded net to monitor, detect, prevent and remediate against attacks from bad actors and the various security threats they employ to target your device, users and critical data.
Defense-in-depth
“…loved by good, feared by evil.” – Voltron
In the show by the same name as the quote above, the first season saw a team of five pilots, each of whom commands a robot lion with unique strengths and abilities. In their quest to maintain peace and protect Earth from evil, the team of five would combine to form a larger, more powerful robot named Voltron, Defender of the Universe, to further aid them with their task.
Though it was a beloved cartoon from 1984, the premise of Voltron shares much with the strategy of defense-in-depth(DiD) to best secure assets, users and resources across the modern threat landscape. Specifically, the belief that a singular, “one size fits all” application will holistically keep organizations protected is a myth a best – and one that often leads to data breaches at worst.
The premise of DiD is simple, yet both efficient and effective. Layer security protections, just like the layers of cake, so that they overlap their strengths while minimizing weakness, in the service of identifying, stopping and if it comes to it, remediating against a variety of security challenges that threaten the integrity of your endpoint, the safety of your users and confidentiality of your data.
Simply put: should one layer fail, the next one exists to intercept it.
Integration
Jamf’s endpoint protection solutions, much like all of our solutions, are designed to work alongside numerous first- and third-party solutions to extend capabilities and enable automation while establishing feature-rich workflows to ensure data flows securely between solutions.
For example, Jamf Pro, our flagship mobile device management solution, is known for its seamless deployment and management capability, which includes installing patches. However, when integrated with Jamf Protect, not only is deploying endpoint security to your endpoints possible with just a couple of clicks but secure endpoint health data is shared in real-time between both solutions.
What does this mean for your organization? We’ll tell you. Event information relating to incidents, such as phishing attacks and other network-based threats are automatically synced to inform the risk status of any individual device. This connection between management and security is critical to taking real-time action to protect your environment. A few examples of the automated workflows that are made possible, thanks to the native, secure integration between Jamf solutions:
- Consider how crucial to endpoint security it is that devices keep up-to-date with patches. As part of a defense-in-depth strategy, organizations using Jamf Protect will receive alerts from endpoints found to be non-compliant with patches. This telemetry data is communicated with Jamf Pro, where IT can implement patch management policies to enforce compliance. Once triggered, Jamf Pro will execute workflows to deploy necessary updates to apps and OSs, bringing them into compliance.
- Organizations can leverage Smart Groups in Jamf Pro to dynamically update and respond when a device’s risk status changes in Jamf Protect. This trigger can automatically update a user’s access permissions via Jamf Pro’s conditional access integrations with Microsoft or Google Cloud BeyondCorp solutions.
- Use the advanced reporting options found in Jamf endpoint security solutions to automatically stream rich telemetry data to your preferred SIEM solution, like Azure Sentinel or Splunk, providing MacAdmins a single pane of glass view into the health of their Apple endpoints while further extending the capability to transform data using visualizations for added depth and granularity.
Key takeaways:
- Develop advanced workflows via integration with Jamf Pro and first- and third-party solutions
- Implement advanced security orchestration, automation and response workflows through integration
- Leverage Jamf’s API to communicate and share data securely between solutions while enhancing your endpoint security capabilities
- Extend features to support greater management and security capabilities across the Apple ecosystem of desktop and mobile devices
- Establish automation to simplify endpoint management while ensuring compliance with organizational policies and industry regulations
Purpose-built endpoint protection for Apple, Windows and Android
Jamf’s purpose-built, Apple-first endpoint security solutions offer IT and Security teams several benefits that firmly establish its solutions as best-of-breed, for example:
- Same-day support allows users to adopt the latest, safest releases from Apple as soon as they’re available – upgrade on your schedule, not ours
- Leverage Apple’s Endpoint Security API to embrace the latest security capabilities available natively for Apple devices
- Low-impact performance means battery life isn’t affected, won’t slow down machines or get in the way of user productivity
- Implement Apple-best security to your Apple fleet while supporting mobile platforms from Windows and Android, providing them with network-based endpoint security protections as well
Speaking of user productivity, being Apple-first (but not Apple-only) means Jamf designs and optimizes each of our endpoint security solutions to take advantage of the OS on which it operates so that protecting your devices does not come at the expense of user experience nor compromise the user’s privacy.
Key takeaways:
- Purpose-built for Apple to address the challenges of the modern threat landscape across macOS and iOS-based devices, but also designed and optimized for Android and Windows mobile devices
- Defense-in-depth strategy layers multiple protections to monitor, identify, prevent and remediate a variety of security challenges – should one layer fail, the next one intercepts it
- Extend services, features and capabilities by leveraging the Jamf Risk API, securely sharing pertinent device health data with first- and third-party solutions
- Update to the latest and safest releases from Apple the day they are released with same-day support across all Jamf solutions — no delaying critical updates until your MDM and/or endpoint security solution gets around to supporting it
- Minimal impact equals better performance, allowing users to utilize resources for productivity — not having to choose between getting work done or the security of their device
This post is one of a series on a holistic approach to security. See a roundup of all of the posts
Do you trust Jamf to help IT manage your Apple fleet efficiently and effectively?
Then you’ll love the way Jamf security solutions keep your endpoints, users and data safe across multiple platforms, securing them across your infrastructure.
OS upgrades 2023: OS upgrades and security
Month: October 2023
Author: October 6, 2023 by Hannah Hamilton
Source: https://www.jamf.com/blog/ios17-ipados17-sonoma-security-privacy-updates/
Upgrading your operating system (OS) is more than getting the latest shiny new features — it’s also about ensuring your device has the latest security updates. While not the most common method of attack, unpatched software with known vulnerabilities can result in data breaches with costs upwards of $4.17 million on average, according to IBM’s 2023 Cost of a Data Breach Report.
Beyond new and improved features and performance enhancements, Apple’s recently released iOS 17, iPadOS 17 and macOS Sonoma include a number of security and privacy updates beyond the inherent OS architecture. In this blog, we’ll explore these features and what they mean for the end user.
Increased privacy and security
Safari and passwords
With the new operating systems, users can use different profiles to keep work and personal browsing separate in Safari. This separates your history, cookies, extensions, Tab Groups and favorites, making it easier to keep your work and personal data where they belong.
Enhancements to Private Browsing locks your private windows when you’re not using them; use your credentials like Face ID or Touch ID to unlock. Private Browsing also removes tracking info from URLs that websites can use to identify you, while known trackers are blocked.
If you’ve ever asked a friend or family member to log into your account for you, you might have given them your password in a not-so-secure way. It’s now easy to share your passwords and passkeys with trusted contacts running iOS 17, iPadOS 17 or macOS Sonoma.
Sensitive content warning and communication safety
Sensitive content warnings can be enabled to warn users when a picture may contain nudity, preventing the view of unwanted explicit images. This feature is available in Messages — for iOS, this is also available in AirDrop, Contact Posters and FaceTime messages.
Similarly, nudity can be detected in photos and videos children may receive or attempt to send in Messages and the system Photo picker in both iOS 17 and macOS Sonoma. This feature is also available in AirDrop, Contact Posters, FaceTime messages and the system Photo picker in iOS 17.
Expanded Lockdown Mode
Lockdown Mode was introduced in iOS 16, iPadOS 16 and macOS Ventura, with support added for Apple Watch in watchOS 10. Lockdown Mode is an extreme security measure intended for at-risk high-profile individuals, such as government officials, executives or journalists.
With the latest operating system, Lockdown Mode restricts or limits certain apps and features, including:
- Messages: Most attachments are blocked, other than certain images, video and audio while links and link previews are disabled.
- Web browsing: Certain web technologies are blocked and web fonts and images may not be displayed.
- FaceTime: Incoming calls are disabled unless you have previously called that person. SharePlay and Live Photos are unavailable.
- Photos: Location information is excluded when photos are shared, shared albums are removed from the Photos app, and shared album invitations are blocked.
- Device connections: iPhones or iPads must be unlocked to connect to an accessory or computer; Mac laptops with Apple silicon additionally require explicit approval from the user.
- Wireless connections: Devices won’t automatically join non-secure Wi-Fi networks.
- Configuration profiles: Configuration profiles cannot be installed and the device cannot be enrolled in Mobile Device Management.
Compatibility
While updating to the latest OS is recommended for security, it can sometimes break your existing workflows if your vendors don’t offer same-day compatibility. iOS 17 and iPadOS 17 have already seen a number of updates — it can be hard to keep up.
Enrolling in beta programs and testing with these betas can help organizations ensure their workflows remain intact. Jamf offered same-day compatibility with Apple’s latest operating systems (and has since 2012); testing your infrastructure with the latest Apple and Jamf betas can ensure seamless updates on the release date without affecting productivity. Join the Apple beta program or the Jamf beta program, available in Jamf Account.
Stay productive and secure on release day with Jamf.
Manage and secure your most vulnerable endpoints: Mobile devices
Month: October 2023
Author: October 6, 2023 by Jesus Vigo
Source: https://www.jamf.com/blog/manage-and-secure-vulnerable-mobile-devices/
In this blog, learn more about how the integration of macOS and mobile devices is the future but also key to holistic, endpoint protection strategies. Also:
- Insight into current mobile security challenges and solutions
- The importance of mobile-specific security measures
- An overview of holistic endpoint protection
- And best practices for mobile security policy implementation
State of mobile security
Advancements in technology are everywhere but nowhere is it as present as in the mobile device space. Due to increased adoption and dependence on mobile devices, security implications like:
- data leaks
- unauthorized access to private user information
- discrepancies in Mac and mobile endpoint security
- difficulty assessing and maintaining compliance
present greater challenges to mobile security – increasing risk to endpoints, users, business and personal data, and the organization’s overall security.
Read our in-depth technical paper, “Manage and secure your most vulnerable endpoints: Mobile devices” to learn about the State of Mobile Security, its evolving risk considerations and how the convergence of desktop and mobile protections is the future of mobile security.
The enterprise landscape
Historically, organizations choose to align business needs with a single platform. This helps to simplify management while addressing the unique needs of the company. While working within a homogenous environment reduces some of the challenges relating to IT and Security processes, mobile devices combined with distributed workforces have placed a spotlight on the often-viewed consumer-oriented devices.
This creates a new management and security challenge for organizations that have relied on maintaining just one platform. Instead, enterprise IT and Security teams now find themselves at odds, with more traditional tools providing limited to no support for mobile OS platforms and introducing security issues that impact everything from user productivity to the organization’s ability to safeguard users from bad actors and evolving threats targeting the security of their sensitive data.
What are some of the contributing factors impacting mobile security?
- Fragmentation among supported versions within each OS
- Disparate levels of support lead to delays in update deployments
- Different ownership models affecting management (e.g., BYOD/CYOD/COPE)
- Supported vs. unsupported feature sets in MDM solutions
- Ability to assess and verify security telemetry regularly
- Limitations to policy-based enforcement for compliance requirements
- Dissonance between implementing and enforcing protections on desktop and mobile OSs
Convergence and compliance
Speaking to compliance, the ability to actively monitor devices, assess their health in real-time and verify any issues while following up in quick form with mitigation workflows is overshadowed by a critical failure that is often witnessed when it comes to mobile security: balance.
More specifically, balance in this instance refers to the concepts of management and security. Incorrectly framed as a tug-of-war between IT and Security teams, the reality is that relying solely on an MDM solution to pull double duty falls short of the mark. Conversely, organizations that rely on user’s personal devices to access business resources, with best practice standards such as:
- Choose a long, complex password
- Never connect to public hotspots
- Follow security hygiene practices for communications (i.e., don’t open unsolicited attachments, never click on a link or share your password)
- Install comprehensive malware protection
- Encrypt data using volume encryption
without the ability to enforce these requirements through policy-based management lack the necessary insight for effective, adaptable mobile security.
In other words, without device management, how can organizations verify that endpoints are secure and therefore compliant? Similarly, without endpoint security, devices simply cannot be secure. Hence, why balance is such a critical concept. It reduces the risk of devices being over-protected (and subsequently unable to be used for work due to a subpar user experience) or under-managed (insufficient or neglected mobile security that jeopardizes value assets and company resources).
For a deeper look at the State of Mobile Security, including:
- Mobility drivers and how they fit into the larger enterprise deployment landscape
- Rising concerns, risk factors and the modern threat landscape
- Holistic approaches that bridge the gaps between desktop and mobile security
- Adhering to compliance requirements for regulated and non-regulated industries
- And the keys to unifying mobile and Mac management + security
We invite you to review our technical paper: Manage and secure your most vulnerable endpoints: mobile devices, to discover a future where every device enjoys uncompromised protection without any need for trade-offs. This vision represents the ultimate goal: enterprise-secure, consumer-simple technology to manage and secure all of your endpoints.
Mobile device balance is the key to unifying management and security for your entire fleet.
OS upgrades 2023: macOS Sonoma
Month: October 2023
Author: October 5, 2023 by Aaron Webb
Source: https://www.jamf.com/blog/mdm-features-powered-by-macos-sonoma/
Apple’s newest operating system macOS Sonoma is here, and Jamf is ready to support you.
With Apple’s release of macOS Sonoma on Sept. 26, the 2023 upgrade season is in full swing, following the release of iPadOS 17, iOS 17 and tvOS17. Once again Jamf offered same-day support, delivering consistent and reliable support for when you’re ready to upgrade your employees’ OS.
macOS Sonoma upgrades
The successor to macOS Ventura, macOS Sonoma brings new capabilities to elevate productivity and creativity. Upgrades include new presentation options for video calls, messaging, keyboard and accessibility updates to improve productivity and even more desktop personalization options.
This snapshot of user updates included in macOS Sonoma offers a glimpse into why Macs are embraced by employees for both work and personal use. Each update offers even more features that enhance productivity and make these powerful tools fun to use.
And when given a choice of device for work – more employees are opting for Apple.
As Fletcher Preven, SVP and CIO at Cisco said at JNUC, when given the choice between Mac or PC, 60% of Cisco employees use Mac today, with 24% switching to Mac from PC at device refresh.
As more employees are allowed to work on their preferred device, they are not only happier, but more productive. Cisco’s internal analysis indicates that 33% fewer IT admins are required to support staff using Mac compared to PC. Not to mention experiencing gains in sales, employee productivity and overall IT satisfaction.
While the individuals using Apple devices have many enhancements to look forward to, the IT and InfoSec teams that handle Mobile Device Management (MDM) and security solutions also need to keep on top of how they can support employees while managing, securing and protecting devices for the organization.
OS upgrades season brings new features to MDM
Jamf is ready to support the adoption of Apple’s most critical workflows and extend the power of Apple-specific technology with purpose-built solutions that enable unique industry-specific workflows.
New MDM features introduced in the macOS Sonoma updates include:
Managed software updates by Declarative Device Management (DDM)
- Managed software updates – powered by Declarative Device Management (DDM) – add more functionality to the existing DDM protocol and empower cloud admins to better schedule and enforce the latest software updates to managed devices. In the past, MDMs (like Jamf Pro) would need to consistently check devices for the latest data. With Apple introducing managed software updates via DDM, admins can specify the data and time of updates. Devices inform MDMs when a change is made, so admins know when updates are starting, installing and completed, and notify end users in a timely fashion.Software updates via DDM are much more reliable, reminding users more frequently as the update deadline approaches and continuing to provide a friendly user experience, particularly on macOS. And if a device can’t update due to an issue such as power, battery life, storage, etc., the OS is resilient and continues to keeps trying until the update is complete.
New macOS restrictions
- New macOS restrictions help organizations to get more options to restrict specific functionality within System Settings, allowing for more granular controls and an improved end-user experience.
Setup Assistant enforcements
- Enabling FileVault during the Setup Assistant allows admins to force end users to be prompted to enable FileVault in the Setup Assistant when running macOS 14.0 and above, increasing the security posture of the device. By enforcing FileVault encryption to protect files from being seen or copied, if the device is lost or stolen, sensitive data stored on the Mac is encoded so it can’t be read unless the login password is entered.
Passkeys
- Managed Apple IDs now support iCloud Keychain, which means organizations can deploy passkeys at work for employees and make sure passkeys securely sync to all their devices. Using access management functionality, they can also control which devices their employees can access iCloud data on, including passkeys in iCloud Keychain. Declarative Device Management ensures that passkeys for work are created only on managed devices and are synced to the iCloud Keychain associated with a Managed Apple ID.
When you’re ready to upgrade, Jamf is ready for you
For organizations, embracing the latest OS advancements can not only enhance productivity, but also fortify you against potential security vulnerabilities.
Jamf helps organizations embrace the latest Apple operating system advancements with confidence by ensuring compatibility and seamless workflows. Through extensive testing with macOS Sonoma, iOS 17, iPadOS 17 and tvOS 17 betas, Jamf empowers IT teams to upgrade to the most secure OS versions without disrupting critical business processes.
Whether you want to make the new operating system available to your team today or delay OS upgrades to take time to test and validate, Jamf is here to support you.
Check out how Jamf Pro can help you now.
10 must have iOS Apps for Small Business Owners
Month: October 2023
Author: October 3, 2023 by Laurie Mona
Source: https://www.jamf.com/blog/10-must-have-ios-apps-for-small-business-owners/
No matter what your business is, the right tools can help your employees perform tasks faster, be more efficient and ultimately become more productive.
As a small business, it’s likely you have embraced the user-friendliness and convenience of mobile technology such as iPhones or iPads.
A savvy next step: make the most of your devices with the best apps available. With the help of recommendations from our Jamf Nation Community, we’ve curated a list of must-have apps to help you succeed.
Read on for Jamf Nation’s picks for the best iOS apps for business, in categories ranging from communication and collaboration to point-of-sale, accounting, payroll and invoicing.
Communication and collaboration apps
The apps our Jamf Nation members most frequently recommended serve common functions: connecting team members online while simplifying communication and enabling collaboration.
This popular messaging and communication app helps teams stay connected and organized, promoting real-time collaboration. Slack enables team members to communicate via public or private channels. Modes of connection within channels include the ability to share files, participate in group chats, host mobile calls and video conferences and send group notifications. The most oft-cited perk by Jamf Nation: “Essential for daily activities within the organization – communicate while on the run.”
In a similar vein, the successor to Skype for Business, Microsoft Teams allows employees to easily communicate with both peers and customers and to create, share and store files securely in the cloud.
When the pandemic required the relocation of workers outside the office, the Zoom meeting platform became not only one of the most popular video conferencing systems in the world but a virtual necessity for organizations struggling to continue business as usual. Today’s modern hybrid workforce continues to rely on this app to securely connect and collaborate.
Jamf Nation members praised Google Drive as great for easy access to information across many platforms. This cloud service from Google allows users to store and create files in the cloud via their Google account, enabling them to create and share documents, spreadsheets, slideshows and more. It also allows multiple users to be given access to the same document for viewing or editing purposes.
Accounting
QuickBooks Online
QuickBooks is a familiar name in the small business world, as a robust software solution that can handle accounting, payroll operations, sending invoices, billing management, inventory control, and more.
QuickBooks Online is a cloud-based accounting app that helps small businesses manage their finances, track expenses, create invoices, and monitor cash flow. With QuickBooks Online, you can access your accounting platform where you have internet access, as well as on your mobile devices.
Point-of-Sale systems
Square
As the world of retail has moved from cash to digital transactions, it’s crucial to take advantage of the choices for point-of-sale (POS) systems.
Top of the list is Square, a versatile POS app that allows small businesses to accept credit card payments, manage inventory, and generate sales reports.
While you may be more familiar with Venmo as a tool to share payments with friends, it can also be used as a business application. As a bonus, when customers use Venmo for POS checkout, the app can connect the user’s network of friends, who can then view, like, and comment on a purchase – giving companies brand exposure.
One of the most trusted names in online payment processing, PayPal allows merchants to accept all major credit cards, Venmo, pay later options and cryptocurrencies.
Payroll
Gusto
Gusto is an all-in-one platform that provides full-service payroll and HR management software for small and medium-sized businesses. Gusto handles payroll taxes, benefits and other complicated tasks with a simple and easy-to-use interface.
Invoicing
FreshBooks
For an accounting application with a focus on invoicing, look to FreshBooks. Designed exclusively for business, FreshBooks makes things like invoicing, expenses, payments and financial reporting easier, to help you run your business more efficiently and save you time every day.
Bonus apps: social media
When you want to engage with your customers, it may be easier to communicate with them where they already are rather than expecting them to come to you.
When you create an online presence for your organization on apps such as Facebook, Instagramand LinkedIn, it’s an opportunity to create a tangible community feel for your customers, and stay connected with them.
Want to learn more about success with iOS?
For more tips on how to succeed in your business – and to make the most of Apple technology
Jamf joins C2C
Month: October 2023
Author: October 2, 2023 by Sam Weiss
Source: https://www.jamf.com/blog/jamf-joins-c2c/
“I am Groot!”
Translation: “We are Jamf!”
Jamf believes in the power of community. Our own Jamf Nation user community started as an email listserv-type community and our first Jamf Nation User Conference (JNUC) was supported by just two coffee pots.
As time has waxed and waned on, the Jamf and MacAdmin communities have grown. We’ve seen the PSU MacAdminsand MacAdmins Slack continue to grow in content and channels, as well as with size. Additionally, new communities continue to sprout up across the world to provide localized support to administrators tasked with supporting Apple devices while being able to tap into the larger support community surrounding the platform we all know, love and are passionate about: Apple.
The communities surrounding Apple technology are one of the best ways to focus on not just the problems being resolved or the end-user – but the human aspect that lies at the heart of it all. Simply put: speeds and feeds don’t matter as much as customer outcomes and crowdsourced problem-solving. Creating a space where these things can happen, where they can be discovered and archived is not just important, but critical for the future.
Google C2C
The Google Cloud Customer Community (C2C) is an example of a community created for Google customers to interact with each other, learn and grow together. Much like Jamf Nation, C2C is a growing, thriving community that has both in-person, virtual and forum-based interactions at its core.
Jamf + Google
Jamf is proud to be a sponsor of Google C2C this year, and we’re thrilled to bring visibility to the organizations being successful with Apple and Google, as well as the Jamf tools that make it all possible.
If you saw this announcement and thought, “Why is Jamf sponsoring a Google user community?”, you might be pleasantly surprised to hear how Jamf has helped organizations prioritize a delightful Apple device experience, even in Google environments.
Management, identity and security – all made to work for the user’s benefit.
Here are some of the ways you’ll see Jamf interact with Google C2C:
- Forum posts
- Webinar events
- In-person events at Google offices
Comm(you)nity
What’s so exciting about Jamf partnering with Google?
Together, we have an opportunity to bring some of our most vibrant customer advocates along for the ride. Come share your/our success story and showcase the great work we’ve done – and continue to achieve – together.
If you saw this announcement and thought, “That sounds like my kind of organization!”, Jamf would love to hear from you! We’d like to share your story, successes and best practices with the Google community through C2C and other media. Reach out to your Account Manager for your opportunity to become a featured customer success story.
What’s in it for you?
- Network with your peers. The global community is made up of IT or business decision-makers, architects, practitioners, DevOps teams and more.
- Gain valuable industry insights from thought leaders and Google Cloud experts.
- Plan ahead to align your business with the Google Roadmap and get a sneak peek of what’s coming.
- Shape the future of the cloud ecosystem. Recognize gaps and have a voice in what you’d like to see in the future. Make your mark by sharing your feedback with the community.
Get started today!
Unite Google and Apple ecosystems harmoniously with Jamf integrations.