STIGQter: STIG Summary: Jamf Pro v10.x EMM Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 03 Feb 2020

The Jamf Pro EMM server must be configured with an enterprise certificate for signing policies (if function is not automatically implemented during Jamf Pro EMM server install).

DISA Rule

SV-108677r1_rule

Vulnerability Number

V-99573

Group Title

PP-MDM-411051

Rule Version

JAMF-10-000480

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the following settings within the Jamf Pro EMM server to ensure that an authorized DoD certificate is used for signing enrollment and configuration profiles:

1. Open Jamf Pro server.
2. Open "Settings".
3. Open "PKI Certificates".
4. Select "Management Certificate Template" tab.
5. Select "External CA" tab.
6. Select "Edit".
7. Select "Use a SCEP-enabled external CA for computer and mobile device enrollment".
8. Enter all the applicable settings to connect this server to the SCEP/Entrust-enabled CA.
9. Select "Save".
10. At the bottom of the External CA screen, select "Change Signing and CA Certificates".
11. Follow onscreen instructions to upload the signing and CA certificates for Jamf Pro to use.

Jamf Pro is now set to use an External CA for signing all communication to mobile devices.

Check Contents

Verify Jamf Pro is utilizing an External CA for signing communication to mobile devices:

1. Open Jamf Pro server.
2. Open "Settings".
3. Select "PKI Certificates".
4. Select "Management Certificate Template".
5. Select "External CA" tab.
6. Verify that the "Use a SCEP-enabled external CA for computer and mobile device enrollment" option is enabled.
7. Verify that the Signing Certificate is listed at the bottom of the page.

If these settings are confirmed, Jamf Pro is set to use an external CA.

If Jamf Pro is not configured to use an External CA for signing communication to mobile devices, this is a finding.

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3593

Comments