This article leads you through the process of integrating Jamf EDR with Red Canary. Follow the procedure from beginning to end.

Estimated procedure time: 15 Minutes

Prerequisites

Before you connect Jamf to Red Canary, make sure the following configuration requirements are met:

• Red Canary Managed Detection & Response (MDR) requires Jamf Pro and Jamf Protect.
• Jamf Pro and Jamf Protect must be deployed, configured, and enabled within your security environment.
• The minimum supported macOS version is Catalina (version 10.15).
• Red Canary requires API access on Jamf Protect products and a service account on Jamf Pro to manage the integration.
• Jamf Protect: API access is required to manage the Red Canary analytic which exports, grooms, and controls telemetry data flows from Jamf Protect.
• Jamf Pro:  A service account enables endpoint correlation and response actions.

Step 1: Jamf–Create a Jamf Protect API client ID 

Create a Jamf Protect API client ID to begin the Jamf integration process with Red Canary.

1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click API Clients.
   
   
2. Click Create API Client.
   1. Include Red Canary in the API client name to make tracking and troubleshooting easier.
3. Copy and save the API client password.
   Note: This is the only time the password will be available in clear text.
4. Copy and save the Client ID.
5. With your API client ID copied, log in to Red Canary.

Step 2: Jamf–Create a Jamf Pro Service Account

Red Canary requires a service account with the following access within Jamf Pro.

1. Create a Jamf Pro user account.
2. Under Jamf Pro Server Objects, enable the following:
   1. Computers: Read
   2. Static Computer Groups: Read and Update
      

Step 3: Red Canary–Provision Red Canary with Jamf

Reach out to a Red Canary representative to use the Red Canary provisioning portal to create an Amazon Web Service (AWS) role and configure the Jamf Protect Action configuration so Jamf can send telemetry to Red Canary. Learn more about provisioning Red Canary with Jamf EDR. 

Step 4: Jamf–Configure Jamf endpoint analytic

Create a Red Canary analytic that will be used with Red Canary-configured Jamf plans. Due to the large telemetry requirements, Jamf plans must be specially configured to enable proper telemetry flow, and analytics will not be effective outside of the Red Canary managed Jamf plan.

1. From your Jamf Protect dashboard, click the Configuration dropdown, and then click Analytics. An analytic is a configuration that tells an endpoint which events to log.
   
   
2. Click Create Analytic.
   
   
3. Create a new Process Event Analytic by filling in the required fields.
   

   Field	What you'll fill out
   Analytic Name	Red Canary: Process
   Log Level	0 (Default)
   Categories	Red Canary Create a new category if Red Canary does not already exist.
   Severity	Informational (Default)
   Sensory Type	Process Event
   Filter Text View	(( $event.type  IN { 0, 1, 2 } ))

   
   
   
4. Click Save.

Step 5: Jamf–Assign analytics to the Red Canary Managed plan 

Assign analytics within Jamf Protect to your Red Canary Managed plan. This process configures the Jamf endpoint software to send telemetry to Red Canary. These analytics will follow the custom action configuration created by Red Canary to properly groom your telemetry before exporting.

1. From your Jamf Protect dashboard, click the Configuration dropdown, and then click Plans.
   
   
2. Click Red Canary Plan. This plan will be created automatically during the provisioning process to streamline telemetry flow into Red Canary.
3. Add Red Canary Analytic to the plan.
   1. This is the same analytic created in Configure Jamf endpoint analytics.
   2. The remaining analytics can be configured at your discretion. It may be beneficial to enable the Alert actions analytics.
   3. The Red Canary Plan is the only Jamf Plan for which Red Canary Analytics are to be used. This plan has been pre-configured with specific parameters to enable Red Canary telemetry flow. Using Red Canary Analytics with other plans isn’t supported.
4. Click Save Plan Analytics.

Step 6: Jamf–Configure your Jamf Protect data forwarding

Configure Jamf Protect to forward telemetry from your endpoints to the Red Canary collection facilities hosted by Amazon S3. This data forwarding allows Red Canary to analyze endpoint activity and enable threat detection. Endpoint telemetry will be created and managed by the Red Canary plan and Red Canary analytics created within Jamf in the prior steps.

1. From your Jamf Protect dashboard, click the Administrative dropdown, and then click Data.
   
   
2. Enable Amazon S3 Forwarding.
3. Enable Encrypt Forwarded Data.
4. Fill in the following fields:
   

   Field	What you'll fill out
   Amazon S3 Bucket Name	rc-jamf-protect-native-us-east-2
   Prefix	cust_name=subdomain_name Description: The Prefix has match the user’s subdomain name.
   IAM Role	arn:aws:iam::498172931776:role/<iam role> Description: IAM Details will be provided to you in an email. The finalized role featured above will be made up of the following elements which will be contained in the email. These must all be lowercase: iam role: id=<subdomain>-jamf-protect-role bucket s3: id=rc-jamf-protect-native-us-east-2 iam policy: id=arn:aws:iam::498172931776:policy/<subdomain>-jamf-data-input-role-policy

   
   
5. Click Save.
6. JAMF will immediately attempt to verify the S3 bucket access. If it saves successfully that means it’s working, otherwise it’ll provide an error message
   1. If an error message is encountered first verify the Prefix field is properly configured with cust_name=subdomain_name.
   2. If the error persists, contact engineering to verify the IAM role was properly provisioned.

Step 7: Jamf–Synchronize or upload the plan from Jamf Protect to Jamf Pro

After configuring data forwarding, you’ll want to apply your Jamf Protect configurations onto endpoints. First, we’ll need to update Jamf Pro by synchronizing the Jamf Protect configured Jamf Plan into Jamf Pro. Learn more about synchronizing or uploading the plan from Jamf Protect to Jamf Pro.

Step 8: Jamf–Assign computers to the Jamf plan in Jamf Pro.

Apply the Jamf Plan managed by Jamf Pro to the endpoints you want to monitor by assigning computers to this Jamf Plan. Learn more about assigning computers to the plan in Jamf Pro.