Joshua Harvey, Senior Principal Systems Administrator, NASA (GSFC)
Mike Nestor, Principal Systems Admin, NASA (GSFC)
High Level Overview
PIV-Mandatory
Value Add

KACE
Apple Remote Desktop (yes really)
BigFix
Even Jamf Pro

apply NASA security baselines
Dispersed patching methodologies (sometimes none)
No offsite user support
Led to higher count of admin users

Gather requirements
200+ system administrators

offering, low overhead freebies
Patching support, internal script sharing
Role-based access control
The opposite of restricting access

Full integration with existing identity providers
Smartcard support: PIV & CAC
Compliant admins = happy agency

150+ sites
Project isolation requirements
Different security plans
Different leadership structures
[Architecture diagram: AWS Zone 1 (Primary) and AWS Zone 2 (Load Balancing & Failover) behind an AWS Load Balancer, each zone serving ARC, GSFC and Other Agency sites; AWS RDS MySQL Primary replicating to an AWS RDS MySQL Secondary; within NASA IP space a GSFC Primary Distribution Point and an ARC Sub Distribution Point; Admin Workstations use the Admin Interfaces path, macOS End Users use the Device Communication path.]
Political reasons
Multiple centers
Multiple sites within
What we learned

so many sites
SAML + ADFS + internal IdP provisioning
Active Directory groups
More than we'd like to share
All provisioned automagically

FISMA
CIO metrics

gone bad
Stopped binding to Active Directory
macOS 10.12 deficiencies
macOS 10.13 and meeting a deadline

accounts
Glory of APNS
Low failure rate
User satisfaction increased

Overview
Jamf Upload Page
Security Baselines
Admin Mapping
LAPS for Mac
Smartcard Exemption Page
were going to "buy in" to using Jamf Pro, it had to meet two core needs.

Simplicity
Mimic Jamf Pro's ease of use
Set category for packages
Simple interface
Drag and drop

Upload to Jamf Pro
HTTPS distribution points
Will work with S3 distribution points
Can download any package uploaded
Edit scripts after upload
Audit logs

Role/Site-Based Access
Site selection drop-down
Center admins have full access
Site admins have access to their site
Jamf access grants read-only

Smartcard
Government requirement
Jamf Pro lacks SSO
Integrated with our IdP

Jamf Upload Page
and testing macOS and application specs, but they were rarely applied.

History
XCCDF and CIS-CAT
No universal checks and remediations
Wild West approach to meeting compliance

Where are we now?
Modification of Jamf Pro's CIS scripts
Configuration profiles wherever possible
Sites can make risk-based decisions
Higher acceptance and deployment
AsciiDoc guides
PIV Mandatory, so what happens when an admin needs to log in locally?

Solution
Attribute mapping
Ability to set multiple admins
Can also be used for non-admins
Shared accounts
/usr/bin/dscl . read /Users/localadmin AltSecurityIdentities
AltSecurityIdentities: Kerberos:[email protected] Kerberos:[email protected] Kerberos:[email protected]
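How several PIV holders get mapped onto one local account, as an added example and not the presenters' script. It assumes that the UPN from each admin's PIV certificate is the value macOS matches, stored as Kerberos:<UPN> in AltSecurityIdentities, and that dscl -append is used so identities already on the account survive; the account name and principals below are constructed, and the live dscl calls only run when dry_run is off.

```python
"""Map multiple smartcard principals to one local macOS account (added example)."""
import re
import subprocess
from typing import Iterable, List

DSCL = "/usr/bin/dscl"
ATTRIBUTE = "AltSecurityIdentities"

# Constructed sample input: a local account shared by three admins (hypothetical realm).
SAMPLE_ACCOUNT = "localadmin"
SAMPLE_ADMINS = ["admin1@EXAMPLE.GOV", "admin2@EXAMPLE.GOV", "admin3@EXAMPLE.GOV"]

# UPN as it appears in the PIV certificate's NT Principal Name SAN.
_UPN_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def kerberos_identity(upn: str) -> str:
    """Format one UPN as the Kerberos:<UPN> entry macOS looks for on login."""
    upn = upn.strip()
    if not _UPN_RE.match(upn):
        raise ValueError(f"not a usable UPN: {upn!r}")
    return f"Kerberos:{upn}"


def parse_identities(dscl_output: str) -> List[str]:
    """Parse 'dscl . read' output into the list of existing identities.

    dscl prints values space-separated on one line, or one per indented line;
    Kerberos principals contain no spaces, so splitting on whitespace covers both.
    A missing attribute ('No such key') yields an empty list.
    """
    marker = ATTRIBUTE + ":"
    if marker not in dscl_output:
        return []
    return dscl_output.split(marker, 1)[1].split()


def plan_mapping(account: str, upns: Iterable[str], existing: List[str]) -> List[List[str]]:
    """Return the dscl argv lists needed to add each missing identity (idempotent)."""
    commands = []
    have = set(existing)
    for upn in upns:
        entry = kerberos_identity(upn)
        if entry in have:
            continue  # already mapped; do not append a duplicate
        have.add(entry)
        commands.append([DSCL, ".", "-append", f"/Users/{account}", ATTRIBUTE, entry])
    return commands


def read_identities(account: str) -> List[str]:
    """Live read of the account's current identities (macOS only, needs root)."""
    result = subprocess.run(
        [DSCL, ".", "read", f"/Users/{account}", ATTRIBUTE],
        capture_output=True, text=True, check=False,
    )
    return parse_identities(result.stdout)


def apply_mapping(account: str, upns: Iterable[str], dry_run: bool = True) -> List[List[str]]:
    """Plan and (unless dry_run) run the appends; returns the commands planned."""
    existing = read_identities(account) if not dry_run else []
    commands = plan_mapping(account, upns, existing)
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    for argv in apply_mapping(SAMPLE_ACCOUNT, SAMPLE_ADMINS, dry_run=True):
        print(" ".join(argv))
```

The mapping only controls who may authenticate to the account with a card; the account's own password is untouched, which is exactly the shared-password problem the next slides turn to.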
Which led to…
Login keychain prompt
Preference panes requiring password
Didn't want a shared admin password

LAPS for Mac
Local admin password script
Does not rely on Active Directory
Random password stored as extension attribute
Optional Self Service policy
a user can't log in with their smartcard and can't reach their admins?

Stopgap
User could only call system admin
Admin not always available
Flipping an extension attribute manually
Didn't fully meet smartcard compliance

And Now
User can now call Help Desk 24/7
Help Desk doesn't need access to Jamf
API call to flip the extension attribute
48 hour expiration
Doesn't have to be for smartcard exemption
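Both the LAPS for Mac slide and the Help Desk exemption slide come down to writing a value into a Jamf Pro extension attribute over the API, so one added example covers both; it is not the presenters' code. It assumes the Classic API endpoint PUT /JSSResource/computers/serialnumber/<serial>/subset/extensionattributes with an XML body, an Authorization header value obtained separately, hypothetical extension attribute names "LAPS Password" and "Smartcard Exemption Expires", sysadminctl for the local password change, and a 48-hour lifetime on the exemption as the slide states. The expiry check fails closed: an empty or unparsable value leaves smartcard enforcement in place.

```python
"""LAPS rotation and a time-boxed smartcard exemption via Jamf extension attributes (added example)."""
import secrets
import string
import subprocess
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional
from xml.etree import ElementTree as ET

LAPS_EA = "LAPS Password"                     # hypothetical EA name
EXEMPTION_EA = "Smartcard Exemption Expires"  # hypothetical EA name
EXEMPTION_HOURS = 48                          # lifetime from the slide
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def generate_password(length: int = 20) -> str:
    """Random local-admin password containing at least one char of each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#%^&*-_=+"]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def ea_payload(name: str, value: str) -> bytes:
    """XML body for a Classic API extension-attribute update; ElementTree escapes the value."""
    computer = ET.Element("computer")
    ea = ET.SubElement(ET.SubElement(computer, "extension_attributes"), "extension_attribute")
    ET.SubElement(ea, "name").text = name
    ET.SubElement(ea, "value").text = value
    return ET.tostring(computer, encoding="utf-8")


def put_extension_attribute(jss_url: str, serial: str, name: str, value: str, authorization: str) -> int:
    """PUT the EA onto the computer record; returns the HTTP status (2xx on success)."""
    url = f"{jss_url.rstrip('/')}/JSSResource/computers/serialnumber/{serial}/subset/extensionattributes"
    req = urllib.request.Request(
        url, data=ea_payload(name, value), method="PUT",
        headers={"Content-Type": "text/xml", "Accept": "text/xml", "Authorization": authorization},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def rotate_local_admin(account: str, jss_url: str, serial: str, authorization: str) -> str:
    """LAPS step: record the new password in Jamf first, then change it locally.

    Ordering matters: if the EA write fails the old password still works, whereas
    changing locally first and then losing the API call strands the machine.
    sysadminctl runs as root and the password is briefly visible in the process
    list, so run this from a policy rather than an interactive shell.
    """
    new_pw = generate_password()
    status = put_extension_attribute(jss_url, serial, LAPS_EA, new_pw, authorization)
    if status // 100 != 2:
        raise RuntimeError(f"EA update failed: HTTP {status}")
    subprocess.run(["/usr/sbin/sysadminctl", "-resetPasswordFor", account, "-newPassword", new_pw], check=True)
    return new_pw


def exemption_expiry(now: Optional[datetime] = None, hours: int = EXEMPTION_HOURS) -> str:
    """Value the Help Desk's API call writes: the UTC instant the exemption lapses."""
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(hours=hours)).strftime(TIME_FMT)


def exemption_active(ea_value: Optional[str], now: Optional[datetime] = None) -> bool:
    """Client-side check: exempt only while the stored expiry is still in the future."""
    now = now or datetime.now(timezone.utc)
    try:
        expires = datetime.strptime(ea_value.strip(), TIME_FMT).replace(tzinfo=timezone.utc)
    except (ValueError, AttributeError):
        return False  # missing or garbled value: keep smartcard enforced
    return now < expires


def grant_exemption(jss_url: str, serial: str, authorization: str) -> str:
    """What the Help Desk tool does: stamp a 48-hour expiry on the machine's EA."""
    value = exemption_expiry()
    put_extension_attribute(jss_url, serial, EXEMPTION_EA, value, authorization)
    return value
```

The same pattern (a helper that writes one EA, a client script that reads it and decides) is what lets the flag serve purposes other than smartcard exemption, as the slide notes; only the EA name and the decision function change.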
be hands-off
• Self Service reduced calls
• Allows more time for testing
• There is always more work
• Mike likes something!