We came across a default setting in JAMF Software Server (JSS), which we believe can put companies leveraging the solution at risk. Organizations should make sure they have enabled a very simple configuration setting, e.g.

We alerted JAMF Software and it has been responsive with its next steps to address the issue.

JAMF Software encompasses a number of solutions for fleet management of Apple products, including their own Apple MDM. Specifically for this post, we'll be focusing on JAMF's Casper Suite and deploying a JSS. This suite of tools includes software that helps track inventory, manage devices, enforce security policies, and deploy software and scripts to endpoint Apple clients.

When choosing a deployment model for Casper Suite there are two basic solutions: self-hosted, or a solution hosted in the JAMF Cloud where an organization would configure its own instance of the JSS. In particular, it is important to note that with the self-hosted solution, organizations are responsible for SSL certificate generation for use with the JSS.

JAMF has outlined the steps to secure a JSS deployment here:

The "JSS Settings" section of that document outlines additional settings, and we'll look at one: "Enable SSL certificate verification." Note that this setting is not on by default. The reason is that, during configuration of the self-hosted JSS deployment option, an organization is responsible for ensuring that SSL/TLS certificates are properly deployed before enabling this setting. This is important, as an organization could lock out its entire fleet if it enables this setting and certificate authentication fails.

For JAMF Cloud users, certificates are taken care of by JAMF; however, this feature should still be tested on a small subset of users before enabling it more widely, as the organization may be using deep packet inspection (DPI) on its web proxy, and this could cause issues such as clients no longer being managed.

Being pentesters/hackers, we tend to take advantage of implementation misconfigurations, whether in deployed software or systems. So we wanted to know what exactly happens if SSL certificate verification is off, or fails, for server-to-client communications. As one would expect, MITM is trivial, depending on attacker capabilities and relative location on the network.

A simple example, after gaining local network access, would be to use Bettercap to launch an ARP spoofing attack to route traffic through the attacker machine. After conducting a successful MITM attack with the "Enable SSL certificate verification" box not checked, we noticed that JSS client-server communications are cleartext XML that is normally only protected by the SSL/TLS session around it.

Contained in the XML data blobs from the server are policy enforcement actions, packages and scripts to deploy, and a randomly generated management password for the JAMF admin account on the client. If the MITM attack is successful, an attacker could deploy scripts and packages to the clients and steal the management password for that particular endpoint client.

ASIDE: With Casper Suite, you can write a policy to randomize the management account password on each client, and you can change the password as often as your organization allows.

We wrote a Bettercap module to demonstrate the impact of this misconfiguration; get it here:

Also, we recorded a video of the POC demo here:

Attacker on the left, victim computer on the right (OS X with the jamf client).
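The two client postures discussed in this post (certificate verification unchecked versus enforced) and the pre-enablement test recommended above, as an added example that is not code from the original post or from JAMF. Python's ssl module stands in for the jamf client's own TLS handling, and the JSS hostname, port and CA bundle path are assumptions supplied by the caller.

```python
import socket
import ssl
from typing import Optional


def build_client_context(verify_certs: bool, cafile: Optional[str] = None) -> ssl.SSLContext:
    """verify_certs=False models the unchecked default: any certificate, including one
    presented by a MITM on the local segment, is accepted. verify_certs=True is the
    hardened posture: chain and hostname are checked against the trust store/cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify_certs:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_posture(ctx: ssl.SSLContext) -> str:
    """Summarise whether a context would reject a MITM-presented certificate."""
    if ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname:
        return "verification on"
    return "verification off"


def classify_failure(exc: BaseException) -> str:
    """Map a failed verified handshake to what an admin must fix before enabling."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted chain (self-signed JSS cert, missing CA, or DPI proxy re-signing)"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake error"
    if isinstance(exc, OSError):  # covers socket.timeout and refused connections
        return "connection failed"
    return "unknown"


def check_jss_tls(host: str, port: int = 8443, cafile: Optional[str] = None,
                  timeout: float = 5.0) -> dict:
    """Pre-flight check: a *verified* handshake to the JSS (host/port assumed). ok=True
    only when chain and hostname validate, i.e. enabling the setting will not cut
    this client off from management; otherwise reason says what to fix first."""
    ctx = build_client_context(verify_certs=True, cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(item[0] for item in tls.getpeercert()["subject"])
                return {"ok": True, "subject": subject, "reason": ""}
    except Exception as exc:
        return {"ok": False, "subject": None, "reason": classify_failure(exc)}
```

Run `check_jss_tls` from a pilot group of clients first: a result with reason "untrusted chain" on a DPI-proxied segment is exactly the case that would turn into unmanaged clients if the setting were enabled fleet-wide.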