This article leads you through isolating Jamf-managed endpoints with Security Orchestration, Automation, and Response (SOAR) scripts. By implementing the scripting and recommendations outlined in this document, endpoints that Red Canary isolates will be properly restricted by Jamf Pro.
Follow the procedure from beginning to end.
Step 1: Red Canary–Configure your isolation static group in Jamf Pro
Use this article to set up your static group in Jamf Pro. The later steps refer to this group as Red Canary – Isolated Endpoints; it is the group Red Canary adds a computer to when isolation is requested.
Step 2: GitHub–Access your isolation enforce and isolation revert scripts
Use this article to access the correct isolation enforce and isolation revert scripts.
Step 3: GitHub–Access your Extension Attribute
Use this article to access the extension attribute from Jamf Protect and add it to Jamf Pro.
Step 4: Jamf Pro–Setup your isolation script
- From your Jamf Pro dashboard, click Management Settings.
- Click Computer Management, and then click Scripts.
- To create your isolation script, click +New.
- Name the script and add a description.
- Click Script, and then copy the contents of endpoint_network_isolation_enforce.sh from GitHub into the Jamf Pro editor.
- Click Save.
Step 5: Jamf Pro–Setup your isolation revert script
- From your Jamf Pro dashboard, click Management Settings.
- Click Computer Management, and then click Scripts.
- To create your isolation revert script, click +New.
- Name the script and add a description.
- Click Script, and then copy the contents of endpoint_network_isolation_revert.sh from GitHub into the Jamf Pro editor.
- Click Save.
Step 6: Jamf Pro–Setup your Extension Attribute
- Get the Extension Attribute from the Jamf Protect repo linked above (Step 3) and add it to Jamf Pro.
- Create a smart computer group whose criterion is that the extension attribute just added reports the value enforced. Step 8 refers to this group as Red Canary – Network Isolation Enforced.
Step 7: Jamf Pro–Setup your isolation policy
- From your Jamf Pro dashboard, click Policies.
- Click New.
- Name your isolation policy.
- Select Enabled, and then select Recurring Check-in.
- (Optional) Set Execution Frequency to Ongoing. This re-runs the isolation script at every check-in for as long as the computer stays in the isolated group, so isolation is re-applied if it is ever undone on the endpoint.
- Click Scripts.
- Click Configure, and then click Add and select the isolation script created in Step 4.
- Click Scope.
- Confirm that the Targets section is highlighted, and then click + Add.
- Add the static computer group (created in step 1) that is designated for isolated endpoints.
- Click Save.
Note: Isolation takes effect at the computer's next recurring check-in, at the Recurring Check-in Frequency configured in Jamf Pro. For more information, see Recurring Check-in Frequency.
Step 8: Jamf Pro–Setup your isolation revert policy
- From your Jamf Pro dashboard, click Policies.
- Click New.
- Name your isolation revert policy.
- Select Enabled, and then select Recurring Check-in.
- (Optional) Set Execution Frequency to Ongoing. This re-runs the revert script at every check-in, so any computer that has left the isolated group but still reports isolation as enforced is reverted rather than reverted once and then ignored.
- Click Scripts.
- Click Configure, and then click Add and select the isolation revert script created in Step 5.
- Click Scope.
- Under Targets, click + Add and add the smart computer group Red Canary – Network Isolation Enforced (created in Step 6).
- Confirm that the Exclusions section is highlighted, and then click + Add.
- Add the static computer group from Step 1 (Red Canary – Isolated Endpoints) that is designated for isolated endpoints.
- Click Save.
Note: This policy targets computers whose extension attribute still reports network isolation as enforced but that are no longer members of the Red Canary – Isolated Endpoints group, and removes the network isolation. Because both policies run at check-in, the isolation script must leave the endpoint able to reach Jamf Pro (and Red Canary); an endpoint that cannot check in never receives the revert policy and stays isolated until it is fixed by hand.
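The extension attribute in Step 6 is what ties the two policies together: the smart group matches on the value it returns, and the revert policy in Step 8 is scoped to that group. The script below is an added, illustrative extension attribute that is not the Jamf Protect extension attribute the article links to and not Red Canary's script. It assumes the enforce script loads its rules into a dedicated pf anchor (the anchor name com.example.network_isolation is hypothetical) and reports enforced or not enforced inside the <result> tags Jamf Pro expects. The decision logic takes the anchor list as an argument so it can be exercised on the constructed sample without root or a Mac.

```shell
#!/bin/bash
# Added example: illustrative Jamf Pro extension attribute for network isolation
# state. Not the Jamf Protect extension attribute or the Red Canary scripts the
# article refers to.
#
# Assumption (hypothetical): the isolation enforce script loads its pf rules into
# a dedicated anchor with this name. Override with ISOLATION_ANCHOR if needed.
ANCHOR_NAME="${ISOLATION_ANCHOR:-com.example.network_isolation}"

# Constructed sample of `pfctl -sA` output (one anchor per line, indented), used
# to try the logic on a machine without pf. The second sample has no isolation
# anchor loaded.
SAMPLE_ANCHORS_ISOLATED='  com.apple
  com.example.network_isolation'
SAMPLE_ANCHORS_CLEAN='  com.apple'

# isolation_state ANCHOR_LIST
#   ANCHOR_LIST is the text of `pfctl -sA`. Prints "enforced" when the
#   isolation anchor is attached, otherwise "not enforced". Leading whitespace
#   is stripped and the name is matched as a whole fixed line, so a similarly
#   named anchor cannot produce a false "enforced".
isolation_state() {
  anchors="$1"
  if printf '%s\n' "$anchors" | sed 's/^[[:space:]]*//' | grep -qxF "$ANCHOR_NAME"; then
    printf 'enforced\n'
  else
    printf 'not enforced\n'
  fi
}

# ea_result ANCHOR_LIST
#   Wraps the state in <result></result>, the contract for Jamf Pro extension
#   attribute scripts; the smart group criterion compares against this value.
ea_result() {
  printf '<result>%s</result>\n' "$(isolation_state "$1")"
}

# When Jamf runs this on a Mac, read the live anchor list. pfctl needs root and
# does not exist outside macOS/BSD, so any failure is treated as "no anchors",
# which reports "not enforced" rather than leaving the attribute blank.
main() {
  live_anchors="$(/sbin/pfctl -sA 2>/dev/null || true)"
  ea_result "$live_anchors"
}

main "$@"
```

Jamf Pro trims nothing inside the tags, so keep the value exactly as the smart group criterion expects it; if the enforce script ever changes its anchor name, the extension attribute and the smart group must change with it or the revert policy silently stops matching.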