Zero Touch Setup with DEPNotify

DEPNotify is an application that will guide end-users through the process of enrolling a computer with Automated Device Enrollment. 

An organization can choose to install critical applications after enrollment with MDM, but without a tool such as DEPNotify, end users may not be aware of the process. This application can also ask the end users for information that can be input and then used by administrators for future management.

Two Major components we need to configure for DEPNotify: 

1. the application 
2. the starter script

Note: While deploying the Application package and any other resources related to it should designed with an Apple Developer certificate (if deployed via Jamf, a Jamf Pro Built-in CA certificate can be used).

Download DEPNotify: https://gitlab.com/Mactroll/DEPNotify 

DEPNotify supports a wide range of configurations. These include:

• Customisable text
• Images
• User input fields which can be used for extension attributes
• EULAs
• The ability to open webpages or play a YouTube video
• Full-screen or windowed display
• Progress bars
  

DEPNotify is completely controlled via echoing text to its control file. By default, this is:

“  /var/tmp/depnotify.log “ but can be changed with the -path flag

To Learn about Application flags:  https://gitlab.com/Mactroll/DEPNotify#application-flags

Commands:

You can customise the DEPNotify window with Commands for user Interaction, notification and completion information.

Main Window Setup: https://gitlab.com/Mactroll/DEPNotify#main-window-configuration

Interaction: https://gitlab.com/Mactroll/DEPNotify#interaction

Notification: https://gitlab.com/Mactroll/DEPNotify#interaction

Completion: https://gitlab.com/Mactroll/DEPNotify#completion

If you would like to add advanced workflow, we can write a plist “  menu.nomad.DEPNotify.plist “With this file you can configure various things like the EULA window, registration window, status text alignment and help bubbles.

Ref: https://gitlab.com/Mactroll/DEPNotify#depnotify-plist

DEPNotify starter Script:

The DEPNotify Starter Script is very lengthy but is heavily commented on to help you understand the available settings and how to configure them.

DEPNotify-Starter Github repo contains both starter script and reset script for DEPNotify:

 https://github.com/jamf/DEPNotify-Starter

you can also use the application DEPNotify Set-up Helper to configure the script for you. 

https://github.com/BIG-RAT/DEPNotify-Set-up-Helper 

 

EULAs and images for DEPNotify should not be included in the DEPNotify package but instead can be placed in a package of their own. 

Any package installed during Automated Device Enrollment must be signed with a certificate that can be trusted by the Mac

Deployment Plan with Jamf:

Assuming the Apple Business Manager is well-integrated

Prestage Enrollment: 

You can go computers: Prestage Enrollments create a setting of prestage.

General > apply setting as per your requirement

Configuration Profile add your DEPNotify Configuration

Enrollment Packages add DEPNotify and any EULA or images package (Note both packages should be signed).

when creating a Prestage enrollment, it is best to use the minimum critical settings

Smart Computer Group:

Create a Smart computer Group with Criteria Enrollment Method: Prestage enrollment operator (is) and value Zero Touch

Configuration Profiles:

If any configuration Profile is you would like to deploy during the Zerotouch scope it with the smart Computer Group you created.

Policies:

Create a policy for the DEPNotify starter script and any packages you need to deploy during the DEPprocess set the as “Ongoing” and with a custom trigger with unique to each policy and scope to this smart Group you created before.

Testing on a Local Enrolled Mac:

Before deploying to production you can test the DEPNotify setting function on you enrolled Mac computer.

To Test open terminal and run the command :

sudo jamf policy -event enrollmentComplete

If all has been configured correctly, you should see the DEPNotify application open and a simulation of your workflow. With the testing flag set to "true", your policies and registration information will not execute.

For more information please contact us at https://brilyant.com/contact/

Configuring Account-Driven Enrollment and Enrolling a Personal Device in Jamf Pro

 In today's mobile-driven world, organisations need efficient and secure ways to manage employee devices. Apple's Account-Driven Enrollment (ADE) offers a streamlined solution, allowing users to enroll their personal devices in mobile device management (MDM) using their existing Managed Apple IDs. This article explores the benefits of ADE and guides you through the steps of configuring it with Azure Active Directory (AD) and Jamf Pro.

Benefits of Account-Driven Enrollment:

• Simplified User Experience: Users can enroll their devices using familiar credentials, eliminating the need for dedicated enrollment profiles.
• Reduced IT Overhead: Organisations no longer need to create and manage individual enrollment profiles for each user.
• Enhanced Security: Federated authentication provides an additional layer of security, leveraging existing user credentials.
• Improved BYOD Support: ADE facilitates BYOD programs by allowing users to enroll their personal devices for work purposes.

Prerequisites:

• Apple Business Manager
• Microsoft Azure AD subscription
• Jamf Pro MDM solution
• Access to the organization’s web host

Safeguarding Enterprise Data on Mobile Devices on the Go: The Crucial Role of MDM and Jamf Mobile Threat Defense

In today's digital age, the workforce is increasingly mobile, with employees relying on smartphones and tablets to carry out their daily tasks on their own devices. As enterprises embrace this shift towards mobile productivity, the need to secure sensitive company data on these devices becomes paramount. we'll explore how enterprise data resides on mobile devices and delve into the significance of Mobile Device Management (MDM) and Mobile Threat Defense (MTD) solutions, specifically focusing on Jamf Protect for Mobile security.

 Enterprise Data on Mobile Devices:

Mobile devices have become an integral part of the modern workplace, enabling employees to work remotely, collaborate seamlessly, and access critical information on the go. However, this convenience comes with inherent risks, as enterprise data often resides on these devices, making them potential targets for cyber threats and unauthorized access. Whether it's proprietary business information, customer data, or intellectual property, safeguarding this sensitive data is crucial for maintaining trust, compliance, and the overall security posture of an organisation.

What is MDM and Its Key Role in Data Protection:

Mobile Device Management (MDM) is a comprehensive solution designed to manage, monitor, and secure mobile devices within an enterprise. MDM systems empower IT administrators with the tools to enforce policies, configure settings, and ensure compliance across a fleet of mobile devices. Key features of MDM include remote device wiping, app management, and the ability to track device locations, providing a centralized approach to device security.

MDM plays a vital role in data protection by:

1. Policy Enforcement: MDM allows organisations to establish and enforce security policies, ensuring that devices accessing company data adhere to predefined standards.

2. Data Encryption: MDM solutions often include encryption features, protecting data stored on devices from unauthorised access.

3. Remote Management: In case of loss or theft, administrators can remotely wipe sensitive data from the device, preventing it from falling into the wrong hands.

 Introduction to Mobile Threat Defense (MTD) and Jamf Protect for Mobile security:

Mobile Threat Defense (MTD) is a specialized solution focused on identifying and mitigating mobile-specific security threats. With the increasing sophistication of mobile malware and phishing attacks, having a dedicated MTD solution becomes crucial for a comprehensive security strategy.

Jamf Protect for Mobile security is a leading MTD solution designed specifically for Mobile devices, providing advanced threat detection and real-time response capabilities. It offers:

1. Threat Detection: Jamf Mobile Threat Defense employs advanced algorithms to detect and respond to mobile-specific threats, such as malicious apps and network vulnerabilities.

2.  Zero-Day Threat Prevention: The solution proactively identifies and blocks threats, even those that exploit vulnerabilities not yet known to the security community.

3.  Integration with MDM: Jamf Mobile Threat Defense seamlessly integrates with MDM solutions, creating a holistic approach to mobile device security.

Below is a feature table of  Jamf Protect for Mobile security, Mobile Device Management (MDM), and Mobile Application Management (MAM):

Feature	Jamf Protect for Mobile security	Mobile Device Management (MDM)	Mobile Application Management (MAM)
Security	Provides advanced threat detection and remediation for iOS and Android	Focuses on device-level security, enforcing policies, encryption, and compliance.	Concentrates on securing and managing individual applications, ensuring data protection.
Threat Detection	Identifies and mitigates mobile threats, malware, and vulnerabilities in real-time.	Monitors and manages device security, but may not offer advanced threat detection.	Primarily concerned with securing and managing the applications rather than threat detection.
Device Policies	Limited to threat defence policies, ensuring a secure environment.	Enforces a wide range of device-level policies such as passcodes, encryption, and restrictions.	Focuses on application-level policies, controlling how applications interact with data and other apps.
App Deployment	Primarily focused on threat defence; may not handle app  deployment.	Centralized deployment and management of apps on devices.	Manages the distribution, updating, and removal of applications on individual devices.
Device Configuration	Limited device configuration options, mainly related to security settings.	Offers comprehensive device configuration settings for a wide range of parameters.	Primarily concerned with configuring how individual applications operate on devices.
User Authentication	May integrate with existing authentication systems for enhanced security.	Enforces user authentication and access controls to the device.	Focuses on securing access to and within individual applications, often using single sign-on (SSO).
Containerization	May utilise containerisation for isolating and securing apps and data.	Generally focuses on device-level containerization for work and personal data separation.	Leverages containerization to isolate and protect individual applications and their data.
Data Protection	Emphasises threat defence for data protection against malicious activities.	Enforces encryption and policies to protect data on the device.	Concentrates on securing data within individual applications, often through app-specific policies.
Device Inventory	Limited device inventory features; primarily focused on threat-related information.	Provides detailed device inventory, tracking hardware and software details.	Offers basic information on devices, but emphasizes more on app-related details.
Platform Support	Typically focused on iOS, Android, Windows and Mac devices.	Supports a wide range of mobile operating systems, including iOS, Android, and others.	Works across various platforms, ensuring compatibility with different operating systems.

Comparing the Cybersecurity Capabilities of MDM, MAM and Jamf Mobile Threat Defense

Cybersecurity Capability	Jamf Protect for Mobile security	MDM (Mobile Device Management)	MAM (Mobile Application Management)
Device Security	Comprehensive protection against known and unknown threats, including malware, phishing, and network attacks.	Device-level control and policy enforcement, ensuring devices comply with security standards.	Focuses on application-level security, limiting access to sensitive data and functionality.
Data Encryption	Strong encryption protocols for data at rest and in transit, safeguarding sensitive information.	Device-centric encryption to protect data stored on devices, reducing the risk of data breaches.	Emphasizes encryption and secure transmission of data within mobile applications, protecting sensitive data.
Access Control	Granular control over device access, user authentication, and authorization, reducing the risk of unauthorized access.	Centralized control over device access, user roles, and permissions to manage access points effectively.	Application-specific access controls to restrict user access based on roles and responsibilities.
App Security	Monitors and secures applications against malicious activities, ensuring only approved and secure apps are allowed.	Controls app installation and updates, preventing the use of unauthorized or outdated applications.	Focuses on securing individual applications, often using containerization to isolate app data and functionality.
Network Security	Proactive threat detection and prevention for network-based attacks, safeguarding device communications.	Manages network configurations and connections to prevent unauthorized access, reducing the risk of network-related threats.	Prioritizes securing data transmitted between mobile apps and corporate servers, minimizing the risk of data interception.
Threat Intelligence	Integration with threat intelligence feeds for real-time updates on emerging threats, enhancing proactive defence mechanisms.	Limited threat intelligence integration, relying on periodic updates and manual security assessments.	Utilizes threat intelligence to assess risks associated with specific mobile applications, focusing on app-level threats.
Compliance Management	Comprehensive compliance tracking and reporting to ensure devices adhere to regulatory and organizational security requirements.	Enforces compliance policies to meet regulatory standards, with centralized reporting for audit purposes.	Focuses on application compliance, ensuring that mobile apps adhere to security policies and regulatory standards.
Security Policy Enforcement	Enforces security policies at the device and application levels, ensuring consistent adherence to security standards.	Centralized enforcement of security policies to maintain a standardized security posture across all devices.	Implements policies specific to application behaviour, enhancing control over app-level security configurations.

Security Gaps:

• Limited Visibility: MDM and MAM solutions often lack comprehensive visibility into app activity, making it difficult to detect malicious behaviour or data breaches.
• Limited Control: MDM and MAM solutions may not have sufficient control over personal devices, making it difficult to enforce security policies and prevent data leakage.
• Limited Protection: MDM and MAM solutions often offer limited protection against sophisticated threats, such as zero-day attacks and advanced malware.

Why Choose MDM and Jamf Mobile Threat Defense:

1. Comprehensive Protection: The combination of MDM and Jamf Protect for Mobile security provides end-to-end security, addressing both device management and threat detection on Mobile devices.

2. User Productivity: By ensuring the security of mobile devices, organisations can foster a productive and collaborative work environment without compromising on data safety.

3. Regulatory Compliance: MDM and  Jamf Protect for Mobile security help organisations meet regulatory requirements for data protection and privacy, reducing the risk of legal consequences.

Mitigation Strategies:

• Implement Mobile Device Management (MDM): MDM solutions provide basic security features, such as device lock/wipe, app blacklisting and password policies.
• Use Mobile Application Management (MAM): MAM solutions offer more granular control over app behaviour and data access.
• Utilize Mobile Threat Defense (MTD): MTD solutions provide advanced threat detection and protection capabilities.
• Implement strong password policies and multi-factor authentication.
• Educate users on mobile security awareness and best practices.
• Utilize encryption at rest and in transit.
• Implement data loss prevention policies.
• Enforce BYOD policies and provide secure alternatives for accessing corporate resources.

Note: The specific capabilities and gaps may vary based on the versions and configurations of the mentioned solutions. It is recommended to refer to the latest documentation and consult with vendors for the most accurate and up-to-date information.

For more information please contact us at https://brilyant.com/contact/