
Restrict device access with Jamf Pro

Jamf Pro device posture integration is available for the Enterprise plan.

Jamf Pro collects signals from the MDM profile installed on each device, and these signals can be used to determine the device's security posture. Tailscale can fetch these signals from Jamf Pro and use them as device posture attributes in access rules, so organizations can grant access to sensitive resources only to devices that have a high enough level of trust.

This can be achieved using Tailscale's device posture management features:

  • Device Identity Collection, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in Jamf Pro.
  • Jamf Pro posture integration, which synchronizes signals from Jamf Pro to device posture attributes in Tailscale.
  • Posture conditions in access rules, which lets you configure access restrictions based on device attributes.

This guide explains how to enable Device Identity collection for your Tailscale network (tailnet) and configure Jamf Pro posture integration.

What is Jamf Pro posture integration?

The Jamf Pro integration syncs data between Jamf Pro and Tailscale on a recurring schedule. During each sync, Tailscale performs the following actions:

  1. Fetches a list of hosts and their reported data from your Jamf Pro account.
  2. Matches Jamf Pro devices to devices in your tailnet based on serial numbers.
  3. Writes the Jamf Pro data to device posture attributes on each matched device.

The integration writes the following device posture attributes to matched devices:

| Attribute key | Description | Allowed values |
|---|---|---|
| jamfPro:remoteManaged | Whether the device is managed by Jamf Pro | true, false |
| jamfPro:supervised | Whether the device is supervised by Jamf Pro | true, false |
| jamfPro:firewallEnabled | Whether the macOS firewall is enabled | true, false |
| jamfPro:fileVaultStatus | Status of FileVault disk encryption | ALL_ENCRYPTED, SOME_ENCRYPTED, BOOT_ENCRYPTED, NOT_ENCRYPTED, NOT_APPLICABLE |
| jamfPro:SIPEnabled | Whether macOS System Integrity Protection is enabled | NOT_COLLECTED, NOT_AVAILABLE, DISABLED, ENABLED |

Prerequisites

Create Jamf Pro API Token

To authenticate your Jamf Pro account with Tailscale, you'll need to create a Jamf Pro API Token. The Jamf Pro integration uses this token to fetch a list of devices and their data from Jamf Pro.

To create a Jamf Pro API Token:

  1. In Jamf Pro, in the left-hand panel, select Settings.

  2. Select API roles and clients.

  3. Select + New in the upper right corner.

  4. Add a Display Name for the API role, add "Read Computers" to Privileges, and then select Save.

  5. Go back to the API roles and clients screen, select API Clients, and then select + New in the upper right corner.

  6. Add a Display Name for the API Client and select the API Role created in the previous step, toggle Enable API client, and then select Save.

  7. Select Generate client secret and select Create secret in the pop-up dialog. Make sure to copy the Client ID and Client Secret for use in the next section.

Configure Jamf Pro posture integration

To configure Tailscale to fetch data about devices from Jamf Pro:

  1. Open the Device management page of the Tailscale admin console.

  2. Under the Device Posture Integrations section, locate the Jamf Pro integration, then select Connect.

  3. Enter your Jamf API URL, the URL you use to access the Jamf Pro console.

  4. Enter your Client ID.

  5. Enter your Client Secret.

  6. Select Connect to Jamf.

Review the integration status

After you set up the Jamf Pro integration, check to ensure the integration has run successfully. You can do so by visiting the Device Posture Integrations section of the Device management page. This page shows the configured integrations and their statuses under the Integrations section. For the Jamf Pro integration, it should have the time of the most recent sync, the number of synced devices, and any errors that occurred while synchronizing.

Integrations: Jamf Pro: Last sync 4 minutes ago, 1 match between 2 Tailscale devices with identifiers and 3 Jamf devices

Check node attributes

After you configure Jamf Pro posture integration, you can confirm that Tailscale is writing the new attributes for your Jamf Pro devices on the Machines page of the admin console.

  1. Open the Machines page of the Tailscale admin console.
  2. Select a device to inspect.
  3. The attributes for the device are in the Machine Details section. This should include the set of jamfPro: attributes listed previously.

You can also check device attributes using the Tailscale API.

Adjust Tailscale access rules

After you configure Jamf Pro posture integration, and your devices have device posture attributes that reflect their signals as reported by Jamf Pro, you can use those device posture attributes as part of your posture rules.

For example, to only permit access to tag:production from devices that are actively managed and supervised by Jamf Pro, you can create a new posture and use it as part of a corresponding access rule:

"postures": {
  "posture:trusted": [
    "jamfPro:remoteManaged == true",
    "jamfPro:supervised == true",
  ],
},
"grants": [
  {
    "src": ["autogroup:member"],
    "dst": ["tag:production"],
    "ip": ["*"],
    "srcPosture": ["posture:trusted"]
  }
]
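
Before attaching a posture to a grant, it helps to see which devices it would deny and why. The following is an added example, not part of the Tailscale documentation: it evaluates the posture:trusted conditions above, plus a hypothetical stricter posture built from the other jamfPro: attributes, against constructed per-device attribute maps. Counting a missing attribute as a failure is an assumption of this example.

```python
# Added example: dry-run a posture over per-device attribute maps.
# Attribute keys and allowed values are from the table on this page;
# device names and attribute values below are constructed sample data.

POSTURE_TRUSTED = {  # mirrors posture:trusted from the policy snippet
    "jamfPro:remoteManaged": {True},
    "jamfPro:supervised": {True},
}
POSTURE_HARDENED = {  # hypothetical stricter posture, not from the page
    **POSTURE_TRUSTED,
    "jamfPro:firewallEnabled": {True},
    "jamfPro:fileVaultStatus": {"ALL_ENCRYPTED", "BOOT_ENCRYPTED"},
    "jamfPro:SIPEnabled": {"ENABLED"},
}

SAMPLE_DEVICES = {  # constructed
    "mac-eng-01": {
        "jamfPro:remoteManaged": True, "jamfPro:supervised": True,
        "jamfPro:firewallEnabled": True,
        "jamfPro:fileVaultStatus": "ALL_ENCRYPTED",
        "jamfPro:SIPEnabled": "ENABLED",
    },
    "mac-eng-02": {
        "jamfPro:remoteManaged": True, "jamfPro:supervised": True,
        "jamfPro:firewallEnabled": True,
        "jamfPro:fileVaultStatus": "SOME_ENCRYPTED",
        "jamfPro:SIPEnabled": "DISABLED",
    },
    "linux-build-01": {},  # no serial-number match in Jamf Pro, so no jamfPro: keys
}

def failures(attrs, posture):
    """Return the reasons a device fails the posture; empty list means pass."""
    reasons = []
    for key, allowed in posture.items():
        if key not in attrs:
            reasons.append(f"{key} not set")  # assumption: missing counts as fail
        elif attrs[key] not in allowed:
            reasons.append(f"{key} is {attrs[key]!r}")
    return reasons

def dry_run(devices, posture):
    """Map each device that would be denied to its failure reasons."""
    return {n: r for n, a in devices.items() if (r := failures(a, posture))}

if __name__ == "__main__":
    for label, posture in (("trusted", POSTURE_TRUSTED), ("hardened", POSTURE_HARDENED)):
        for name, reasons in dry_run(SAMPLE_DEVICES, posture).items():
            print(f"posture:{label} would deny {name}: {'; '.join(reasons)}")
```

Devices with no jamfPro: attributes at all are the ones the integration could not match by serial number, so they show up in the deny list for every posture that references those keys.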

You can use the visual policy editor to manage your tailnet policy file. Refer to the visual editor reference for guidance on using the visual editor.

Schedule

For each configured integration, Tailscale will aim to sync device posture attributes every 15 minutes, with a few exceptions:

  • Adding a new integration, or changing configuration of an existing one, will trigger an out-of-schedule sync.
  • If an integration fails due to an authentication error (usually caused by invalid credentials), it will be paused for up to 24 hours.

Audit log events

The following audit log events are added for device posture.

| Target | Action | Description |
|---|---|---|
| Integration | Create posture integration | A new posture integration was created |
| Integration | Update posture integration | A posture integration was updated |
| Integration | Removed posture integration | A posture integration was removed |
| Node | Update node attribute | Device posture attributes for a node were changed |

Last updated Jan 16, 2026