Compliance Configuration and Extension Attribute
- Katelyn Russell
Compliance features are enabled globally for the following ISO-mandated OS hardening configurations. By default, all devices opt in to receiving the following:
- AUP Banner (Changing on Tues)
- 15-minute screen saver
- Install standard firewall
- Block UT Guest Wifi
- Default Scan schedule for Microsoft Defender
- Install Nessus Agent
- Receive OS patches when published by EPM Service
- Receive Application patches by default (method of patching varies)
- Be prompted by Nudge to install OS patches
Additional compliance applications:
- Install Microsoft Defender
The ISO and EPM encourage using MDE as the preferred antivirus for macOS. However, since the University is migrating from Amp to Defender, ITSOs are in charge of scoping Defender as it aligns with their migration schedule. In addition, Defender is configured with department codes as part of the payload so that devices can be reported on accurately. Therefore, Defender can't be scoped globally. When EPM onboards each site, we set up the Defender configurations at the site level. Units simply have to scope their devices.
Extension Attributes for Exceptions
- ISO is the office managing EPM exceptions – If you need an exception, contact ISO via the exception request process.
- An exception for opting out of all patching is needed; examples are excluding Nessus and other ISO requirements.
- Change in configuration – There are EAs for opting out and setting your configuration terms. If EPM isn't managing your patches or other compliance requirements, you assume responsibility for these items as a Site Admin.
- EAs aren't an exception process. EAs are a workflow to manage exceptions.
How to leverage an extension attribute to except a hardening checklist item:
If a machine needs to be excluded from one of the Global policies mentioned above, you can use an Extension Attribute to remove the device from scope.
The EPM team has built in scoping logic that adds a machine to a smart group, which is used for exception frameworks. To use one of these Extension Attributes, open the inventory record of the machine in question and navigate to the “extension attribute” tab in the left column. Here you will find a boolean option for each standard payload. A null value is treated the same as “No”. Once the option is toggled to “Yes”, the exception takes effect.
EPM is available to IT Support Organizations (ITSOs) with any endpoint management questions. If you have a question about a specific endpoint client, please reach out to your local endpoint client support organization.