Jamf Pro v10.x EMM STIG Version Comparison
Jamf Pro v10.x EMM Security Technical Implementation Guide
Comparison
There is 1 difference between versions v1 r1 (Feb. 3, 2020) (the "left" version) and v3 r1 (July 24, 2024) (the "right" version).
Check JAMF-10-000440 was removed from the benchmark in the "right" version. The text below reflects the old wording.
Text Differences
Title
The Jamf Pro EMM server must configure the MDM Agent/platform to enable the DOD required device enrollment restrictions allowed for enrollment [specific device model].
Check Content
Verify device enrollment restrictions are set up to limit enrollment by iOS device.
1. Open Jamf Pro admin interface.
2. Select "Devices".
3. Select "Smart Device Groups".
4. Select desired device group.
5. Verify approved model numbers are listed.
If device enrollment restrictions are not set up, this is a finding.
Discussion
Good configuration management of a mobile device is a key capability for maintaining the mobile device’s security baseline. Restricting network access to only authorized devices is a key configuration management attribute. Device type is a key way to specify mobile devices that can be adequately secured.
SFR ID: FMT_SMF.1.1(2) b, FIA_ENR_EXT.1.2
Fix
Build Smart Device Group that matches DOD requirements and said groups are within exclusions of Configuration Profiles, Mobile Device Apps, etc.
1. Open Jamf Pro admin interface.
2. Select "Devices".
3. Select "Smart Device Groups".
4. Select "New".
5. Enter a name for the group.
6. Select "Criteria".
7. Select "Add" to add new Model, Model Identifier, or Model Number.
8. Continue to add all models that satisfy this requirement.
9. Select "Save".
Add this Smart Device Group to any Configuration Profile, Mobile Device Apps as an Exception Scope.