This article leads you through the process of integrating Jamf EDR with Red Canary. Follow the procedure from beginning to end.

Prerequisites

Before you connect Jamf to Red Canary, make sure the following configuration requirements are met:

• Red Canary Managed Detection & Response (MDR) requires Jamf Pro and Jamf Protect.
• Jamf Pro and Jamf Protect must be deployed, configured, and enabled within your security environment.
• The minimum supported macOS version is Catalina (version 10.15).
• Red Canary requires API access on Jamf Protect products and a service account on Jamf Pro to manage the integration.
• Jamf Protect: API access is required to manage the Red Canary analytic which exports, grooms, and controls telemetry data flows from Jamf Protect.
• Jamf Pro: A service account enables endpoint correlation and response actions.

Step 1: Jamf–Create a Jamf Protect API client ID 

Create a Jamf Protect API client ID to begin the Jamf integration process with Red Canary.

1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click API Clients.
   
   
2. Click Create API Client.
   • Include Red Canary in the API client name to make tracking and troubleshooting easier.
   • Confirm that the API Client role is set to Full Admin. 
3. Copy and save the API client password.
   Note: This is the only time the password will be available in clear text.
4. Copy and save the Client ID.
5. With your API client ID copied, log in to Red Canary.

Step 2: Jamf–Create a Jamf Pro Service Account

Red Canary requires a service account with the following access within Jamf Pro.

1. Within the Jamf Pro console click Settings in the top-right corner of the page.
2. In the systems settings section click Jamf Pro User Accounts and Groups. 
3. Click New.
4. Select Create Standard Account and click Next.
5. Select Full Access from the Access Level pop-up menu.
6. Select Custom the Privilege Set pop-up menu.
7. Select the following permissions set.
   
   • Computers: Read
   • Static Computer Groups: Read and Update
     
     
     
8. Click Save.
   Note: The next step (Step 3) is only for Red Canary Consulting Partners. If you are not a Consulting Partner please proceed to Step 4.

Step 3: Red Canary–Provision Red Canary with Jamf

Note: Step 3 is only for Red Canary Consulting Partners. If you are not a Consulting Partner please proceed to Step 4.

Reach out to a Red Canary representative to use the Red Canary provisioning portal to create an Amazon Web Service (AWS) role and configure the Jamf Protect Action configuration so Jamf can send telemetry to Red Canary.

1. Log into the Red Canary provisioning portal.
2. Click Create new request.
3. Under the Request type dropdown, select Provision new environment.
4. Fill in the following fields:
   

   Field	What you'll fill in
   or select…	Four hours from now.
   Engagement type	Select the appropriate engagement type.
   Number of endpoints	The number of endpoints we expect to monitor in the environment. This number can be an estimate.
   Customer contact email	The email address for a user contact who will be responsible for following setup instructions. The configuration instructions, if any, will be sent to this email address for the user to follow.
   Organization name	The legal business name of the organization.
   Desired subdomain name	The subdomain identifier that needs to be provisioned. Subdomain names are two or more lowercase alphanumeric characters.
   Desired telemetry collection platform	Jam Pro/Protect
   Customer website	The end user website, which Jamf will provision as the organization name.
   Pro UI URL	The URL to access the Jamf Pro console (example: https://customer.jamfcloud.com).
   Pro Username	The username Red Canary will use to access the Jamf Pro console and API.  Requirements: Account requires the following access: Computers: Read Static Computer Groups: Read, Update
   Pro Password	The password Red Canary will use to access the Jamf Pro API
   Protect UI URL	The URL to access the Jamf Protect console (example: ​​https://customer.protect.jamfcloud.com).
   Protect Username	The username/Client ID Red Canary will use to access the Jamf Protect console and API. Requirements: You must create a Jamf Protect API Client ID Your account requires administrative access
   Protect Password	The API Client Password Red Canary will use to access the Jamf Protect console and API. Note: when copy and pasting this key from the Jamf Protect console, white space or new line characters may be inserted. Please verify key before closing the window as this key will not be shown again.

5. Click Save. Once the request is submitted, the Red Canary engineering team will create an Amazon Web Service (AWS) role so Jamf can write telemetry to a Red Canary Amazon Simple Storage Service (S3) bucket.
   When the role is created, you will receive an email with the AWS role and prefix field (subdomain name).

Step 4: Jamf–Configure Jamf endpoint analytic

Create a Red Canary analytic that will be used with Red Canary-configured Jamf plans. Due to the large telemetry requirements, Jamf plans must be specially configured to enable proper telemetry flow, and analytics will not be effective outside of the Red Canary managed Jamf plan.

1. From your Jamf Protect dashboard, click Analytics. 
2. Click the All Analytics tab.
   Note: An analytic is a configuration that tells an endpoint which events to log.
   
3. Click Create custom analytic.
   
   
4. Create a new Process Event Analytic by filling in the required fields.
   

   Field	What you'll fill in
   Analytic Name	Red Canary: Process
   Log Level	0 (Default)
   Categories	Red Canary Create a new category if Red Canary does not already exist.
   Severity	Informational (Default)
   Sensory Type	Process Event
   Filter Text View	(( $event.type  IN { 0, 1, 2 } ))

   
   
5. Click Save.

Step 5: Jamf–Create the Red Canary analytic set

Create the group of analytics to determine what telemetry gets sent to Red Canary.

1. From your Jamf Protect dashboard, click Analytics.
2. Click the Analytic Sets tab.
3. Click +Create Analytic Set.
   
   
4. Enter a name for your Analytic Set.
5. From the Analytics in this set section, click the Custom tab.
6. Select the Red Canary: Process analytic set from Step 4.3.
   
   
7. Click Save.

Step 6: Jamf–Create the Red Canary Managed plan

Create the plan that will be deployed on your endpoints to start sending telemetry to Red Canary.

1. From your Jamf Protect dashboard, click the Configuration dropdown, and then click Plans.
2. Click Create Plan. 
3. Enter a name for your Plan.
4. From the Analytic Sets dropdown, select the analytic set from Step 5.3.

Step 7: Jamf–Configure your Jamf Protect data forwarding

Configure Jamf Protect to forward telemetry from your endpoints to the Red Canary collection facilities hosted by Amazon S3. This data forwarding allows Red Canary to analyze endpoint activity and enable threat detection. Endpoint telemetry will be created and managed by the Red Canary plan and Red Canary analytics created within Jamf in the prior steps.

1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click Data.
   
   
2. Enable Amazon S3 Forwarding.
3. Enable Encrypt Forwarded Data.
4. Fill in the following fields:
   

   Field	What you'll fill in
   Amazon S3 Bucket Name	rc-jamf-protect-native-us-east-2
   Prefix	cust_name=<red canary namespace> Description: The Prefix has match the user’s external service namespace. This will be sent via email.
   IAM Role	arn:aws:iam::498172931776:role/<red canary namespace>-jamf-protect-role Description: IAM Details will be provided to you in an email and will be of similar form as above with carrots removed and the user's namespace filled in.

   
   
5. Click Save.
6. JAMF will immediately attempt to verify the S3 bucket access. If it saves successfully that means it’s working, otherwise it’ll provide an error message
   1. If an error message is encountered first verify the Prefix field is properly configured with cust_name=subdomain_name.
   2. If the error persists, contact engineering to verify the IAM role was properly provisioned.

Step 8: Jamf–Synchronize or upload the plan from Jamf Protect to Jamf Pro

After configuring data forwarding, you’ll want to apply your Jamf Protect configurations onto endpoints. First, we’ll need to update Jamf Pro by synchronizing the Jamf Protect configured Jamf Plan into Jamf Pro. Learn more about synchronizing or uploading the plan from Jamf Protect to Jamf Pro.

Step 9: Jamf–Assign computers to the Jamf plan in Jamf Pro

Apply the Jamf Plan managed by Jamf Pro to the endpoints you want to monitor by assigning computers to this Jamf Plan. Learn more about assigning computers to the plan in Jamf Pro.

Step 10: Jamf–Assign Policies to Jamf Isolation Groups

To enhance the endpoint isolation functionality follow Isolate Jamf endpoints with SOAR scripts.