Get started
Login
© 2024

Restrict device access with Jamf Pro

Jamf Pro device posture integration is available for the Enterprise plan.

Jamf Pro collects a series of signals from the MDM profile installed on devices and these signals can be used to determine the security posture of a device. Tailscale can fetch these signals from Jamf Pro and use them as device posture attributes in access rules, which can allow organizations to grant access to sensitive resources only to devices that have a high enough level of trust.

This can be achieved using Tailscale's device posture management features:

  • Device Identity Collection, which collects identifiers (for example, serial numbers), used to match devices in Tailscale to devices in Jamf Pro.
  • Jamf Pro posture integration, which synchronizes signals from Jamf Pro to device posture attributes in Tailscale.
  • Posture conditions in access rules, which allows configuring access restrictions based on device attributes.

This document provides instructions on how to:

  • Enable Device Identity collection for your tailnet.
  • Configure Jamf Pro posture integration.

What is Jamf Pro posture integration?

Jamf Pro posture integration lets you connect your Tailscale network to Jamf Pro. The integration runs periodically and copies signals from Jamf Pro to device posture attributes.

When configured, it will periodically:

  • Fetch a list of hosts recorded in your Jamf Pro account, and the data reported.
  • Match Jamf Pro devices with corresponding devices in your tailnet, based on the serial numbers associated with a device.
  • Write the data from each device into the following Tailscale device posture attributes:
Attribute keyDescriptionAllowed values
jamfPro:remoteManagedWhether the device is managed by Jamf Protrue, false
jamfPro:supervisedWhether the device is supervised by Jamf Protrue, false
jamfPro:firewallEnabledWhether the macOS firewall is enabledtrue, false
jamfPro:fileVaultStatusStatus of FileVault disk encryptionALL_ENCRYPTED, SOME_ENCRYPTED, BOOT_ENCRYPTED, NOT_ENCRYPTED, NOT_APPLICABLE
jamfPro:SIPEnabledWhether macOS System Integrity Protection is enabledNOT_COLLECTED, NOT_AVAILABLE, DISABLED, ENABLED

Prerequisites

Create Jamf Pro API Token

Create a Jamf Pro API Token that will be used to fetch a list of devices and their data from Jamf Pro.

  1. In Jamf Pro, in the left-hand panel, select Settings.

  2. Select API roles and clients.

  3. In the view for API Roles, select + New in the upper right corner.

  4. Add a Display Name for the API role and add "Read Computers" to Privileges and then select Save.

  5. Go back to the API roles and clients view and select API Clients and select + New in the upper right corner.

  6. Add a Display Name for the API Client and select the API Role created in the previous step, toggle Enable API client, and then select Save.

The Jamf Pro Add an API client dialog
  1. Select Generate client secret and select Create secret in the pop-up dialog. Make sure to copy the Client ID and Client Secret for use in the next section.

Configure Jamf Pro posture integration

Configure Tailscale to fetch the attributes from Jamf Pro.

  1. Open the Device management page of the Tailscale admin console.

  2. Under the Device Posture Integrations section, select Connect next to the Jamf Pro integration.

  3. Enter your Jamf API URL, the URL you use to access the Jamf Pro console.

  4. Enter your Client ID.

  5. Enter your Client Secret.

    The configuration screen for connecting to Jamf Pro from the Tailscale admin console.
  6. Select the Connect to Jamf button.

View the integration status

Check that the integration has run successfully.

In the Device Posture Integrations section of the Device management page of the Tailscale admin console, configured integrations and their status will show under Integrations. The time of the most recent sync will display on this page. If an error occurs while synchronizing, it will display on this page.

Status of the Jamf Pro integration.

Check node attributes

After you configure Jamf Pro posture integration, you can confirm that the new attributes are being written for your Tailscale nodes via the Machines page of the admin console.

  1. Open the Machines page of the Tailscale admin console.
  2. Select a machine you want to inspect.
  3. The attributes for the machine are in the Machine Details section. This should include the set of jamfPro: attributes listed previously.
View of the machine attributes in the Machines page.

You can also check node attributes via the Tailscale API.

Adjust Tailscale access rules

Once Jamf Pro posture integration is configured and your devices have device posture attributes that reflects their signals as reported by Jamf Pro, you can use that device posture attribute as part of your posture rules.

For example, to only allow access to tag:production from devices which are actively managed by and supervised by Jamf Pro, you can create a new posture and use it as part of a corresponding access rule:

"postures": {
  "posture:trusted": [
    "jamfPro:remoteManaged == true",
    "jamfPro:supervised == true",
  ],
},
"acls": [
  {
    "action":     "accept",
    "src":        ["autogroup:member"],
    "srcPosture": ["posture:trusted"],
    "dst":        ["tag:production:*"],
  },
]

Schedule

For each configured integration, Tailscale will aim to sync device posture attributes every 15 minutes, with a few exceptions:

  • Adding a new integration, or changing configuration of an existing one, will trigger an out-of-schedule sync.
  • If an integration fails due to authentication error (usually caused by invalid credentials), it will be paused for up to 24 hours.

Audit log events

The following audit log events are added for device posture.

TargetActionDescription
IntegrationCreate posture integrationA new posture integration was created
IntegrationUpdate posture integrationA posture integration was updated
IntegrationRemoved posture integrationA posture integration was removed
NodeUpdate node attributeDevice posture attributes for a node were changed

Last updated Dec 11, 2024