Scope
This policy applies to all Jack Henry macOS devices managed within the Digital Business Unit.
Configuration Baseline
The following items are the minimum required capabilities and related organizational security requirements for macOS devices. The software, service, or configuration item responsible for meeting each requirement is listed in parentheses after the requirement.
- All Macs will be enrolled in a Mobile Device Management (MDM) program. (Jamf Pro)
- Applications and binaries are subject to an allow-list. We will maintain an up-to-date list of applications and binaries that are permitted to execute. Any application or binary not on the list is denied by default and must go through an approval process before it may be executed. (North Pole Security Santa)
- A Data Loss Prevention agent will be utilized to limit data-related threats including the risks of data loss and the exposure of sensitive data. (Netwrix Endpoint Protector)
- End users will have standard privileges on their company issued Mac by default. Users will be allowed to elevate privileges when needed. (SAP Privileges)
- Endpoint security software will be installed and maintained centrally to detect, remediate, and limit the spread of malware. (CrowdStrike Falcon)
- All computers must be partner-enrolled in Microsoft Endpoint Manager (MEM) and be evaluated against compliance policies in order to access corporate Microsoft resources. (Jamf Pro, MEM, and Microsoft Company Portal)
- FileVault encryption will be enabled on all endpoints, with the personal recovery key escrowed centrally in Jamf Pro. (Apple FileVault/Jamf Pro)
- Required certificates, including a SCEP certificate for accessing the Jack Henry VPN, will be made available for installation and/or renewal as needed. (Jamf Pro)
- A VPN client will be installed and configured to allow secure access to resources on the company network. (F5 BIG-IP Edge Client)
- Network security and web filtering will be enabled to protect against web-based threats. (Netskope or Jamf Protect)
- Required tools such as Google Chrome, Microsoft Teams, Slack, and Zoom will be automatically installed and configured. (Jamf Pro)
Monitoring and Alerting Configurations
Jamf Pro will be used to monitor and confirm that all devices conform to the configuration baseline. Alerts have been configured for every configuration baseline item. If a device falls out of compliance in one or more categories, an alert is generated in Slack and is also visible in the Jamf Pro dashboard.
Review Process
The Digital Ground Control team reviews all alerts within one business day. In most cases, any misconfiguration will be automatically remediated by Jamf Pro within 24 hours. If automated remediation is not possible, a member of Digital Ground Control will take necessary action to resolve the issue.
Change Management Process
Standard Changes
Any change that is low risk, relatively common, and follows a specified procedure or work instruction will be considered a “Standard Change.” Standard changes require no approval and may be performed at any time. It is expected that whoever performs a standard change informs the rest of the team at the time of the change.
Emergency Changes
An emergency change is one that must be implemented as soon as possible, for example to resolve a major incident or to apply a security patch. Because of its priority, an emergency change bypasses group and peer review and is presented directly to the Ground Control Manager and/or Technical Lead and/or Product Owner for approval. Once approved, the change may be performed at any time. It is expected that whoever performs an emergency change informs the rest of the team at the time of the change.
Normal Changes
Any service change that is not a standard change or an emergency change. Normal changes will use the following process before being implemented. These changes require peer or technical approval, a Jira project, and authorization. These requirements are intended to ensure completeness, accuracy, and the least possible disruption to service.
- Ground Control team discussion
- Create a Jira project to track progress and document changes
- Develop implementation plans - add them to project
- Develop a back out plan - add to project
- Approval of plans from Ground Control Manager and/or Technical Lead and/or Product Owner
- Execute change in testing environment using implementation plans
- Document change for both internal and external audiences as needed
- Ensure any necessary scripts or artifacts are pushed to the appropriate GitHub repository. Pull requests should be utilized to ensure that at least one team member review occurs.
- Migrate all needed packages, scripts, profiles, policies, etc. from the test environment to the production environment, leaving them unscoped and deactivated
- Activate change in production and test internally with only Ground Control
- Test with a subset of volunteers enrolled in a testing or early adopter program (if applicable)
- Send communications to associates affected by change
- Implement change in production (optionally with phased rollout)
- Monitor for successful implementation
- Optionally, hold a talk to socialize the change with the team and go over any relevant processes or documentation
- Close Jira project
Configuration Reporting
Reporting on configuration baseline compliance is available within the Jamf Pro management console to Corp and Digital team members who have been granted access.
Roles and Responsibilities
All team members of the Digital Ground Control team are provided a reduced set of administrator privileges within Jamf Pro through Active Directory security group membership. This privilege level allows read access to most of Jamf Pro, as well as administration of most Jamf Pro functions. This privilege level does not provide access to update Jamf Pro Server settings, or the Server Infrastructure sections in Jamf Pro.
Technical leads are provided full administrator privileges within Jamf Pro through Active Directory security group membership.
Active Directory security group membership is audited any time there is a new hire or termination within the Ground Control Team.
Access levels within Jamf Pro are audited any time a new Jamf Pro server version is released (6-8 times/year). Privileges associated with new features in Jamf Pro are disabled by default.
| Published Date | Last Updated |
|---|---|
| 8-9-22 | 11-5-25 |