Making Compliance Work: How Security Benchmarks Affect Real People

Compliance is a big deal and with the release of Jamf Pro 11.16, new tools are available to help make devices compliant. In this post, we’ll explore what it means, how it affects the people using their devices, and how to strike the right balance between security and usability.


Introduction: Why Compliance Matters

If you manage Apple devices in a business or enterprise, you’ve probably heard the word “compliance” thrown around a lot. But what does it actually mean for the people using those devices? With Jamf Pro 11.16 introducing new compliance features, now’s a great time to break it down.

What’s New in Jamf Pro 11.16?

The latest release of Jamf Pro brings a dedicated Compliance section, featuring two new benchmarks: CIS Level 1 and CIS Level 2. These benchmarks are designed to help organizations meet industry standards for security—but what do they really involve?

Understanding CIS Benchmarks

What is CIS?

CIS stands for the Center for Internet Security, a nonprofit dedicated to improving cybersecurity worldwide. They publish detailed “benchmarks”—essentially checklists of best practices—for securing everything from operating systems to cloud platforms.

Why use CIS Benchmarks?

  • Reduced attack surface: Minimizes the ways attackers can compromise a device.
  • Stronger security: Provides a well-researched foundation for security settings.
  • Standardization: Offers a common language for IT and security teams.
  • Vendor neutrality: As a nonprofit, CIS isn’t pushing a particular product or agenda.

Where to find them:
You can download the CIS benchmarks for your platform of choice (registration required—pro tip: use a “Hide My Email” address!). Be warned: these are hefty PDFs.

Tools to Make Compliance Easier

With the release of Jamf Pro 11.16 you can now easily apply compliance baselines to your devices. But what if you want a report in PDF form for your security department, or need another security standard not yet in Jamf Pro, like NIST or CNSSI?

There are tools to help:

Balancing Security and Usability

It’s tempting to enable every security setting in the name of compliance—but remember, the people using these devices need to get their work done, too.


Potential Pitfalls:

  • Some benchmarks can frustrate users and hurt productivity.
  • Overly strict settings may lead users to find workarounds, undermining your security efforts.

Best Practices:

  • Collaborate with users: Before enforcing new policies, talk to the people who will be affected. Gather feedback and test settings in a pilot group.
  • Be the test monkey: Have your device be the first to run the compliance baselines, see how your day-to-day goes, and make a note of anything that irks you. Remember that you have context, knowing why these settings are in place; imagine the people you work with who have no context. What rhymes with irate?
  • Customize your baseline: Not every CIS recommendation is right for every organization. Choose the settings that make sense for your environment.
  • RTFM - Read the Fantastic Manual: The CIS PDFs are long, but they explain the rationale behind each recommendation—don’t skip them!

Don't make it hard to work

  • Compliance is about balance: Security is essential, but so is usability. Find the sweet spot that protects your organization without making life miserable for users.
  • Use the right tools: Jamf Pro 11.16 and the CIS benchmarks give you a solid starting point, but tailor them to your needs.
  • Communication is key: Keep users informed about changes and involve them in the process.

In Closing

  1. Review the new Compliance section in Jamf Pro 11.16.
  2. Set up the relevant CIS benchmarks for your environment.
  3. Test compliance settings on yourself and maybe with a small group of users before a full rollout.
  4. Document your decisions and communicate them clearly to your team.
🧑‍💻
Have questions or want to share your own compliance journey?
⬇️ Drop a comment below!
