
Jamf


Set up Jamf Pro for automated tests with TrustCloud

Purpose

Once you set up your compliance program, TrustCloud TrustOps works to ensure that your systems remain compliant with your adopted controls. To do so, TrustCloud runs automated tests against systems in your product and business stack, and verifies that they are properly configured.

This document outlines the steps you can take to grant TrustCloud auditor access to only read metadata about the configuration settings for your Jamf Pro account and Jamf users and workstations, so that TrustOps can validate and generate evidence for your compliance program.

⚠️ Please note that due to limitations imposed by Jamf, only Jamf Pro accounts can be integrated with TrustCloud. Additionally, Jamf does not yet support OAuth access to its APIs — as such, we will guide you through creating a new user account for TrustCloud, limiting its access to Jamf data, and providing us with this account’s credentials.

Instructions to grant TrustCloud limited access to Jamf Pro metadata

Follow the steps below to create a new service account in your Jamf Pro admin console. This service account will use the built-in Jamf Auditor role, which allows read-only access to metadata about your Jamf Pro settings, users, workstations, and policies.

  1. Log in to your Jamf Pro admin console using your company-specific URL.
  2. Click on the Settings gear icon in the upper-right corner.
  3. Select Jamf Pro User Account & Groups.
  4. Click the + New button at the upper-right corner of the table.
  5. Select Create Standard Account and click Next.
  6. Fill in a username, such as TrustCloud.
  7. For Access Level, select Full Access. This does not give TrustCloud full permissions — we will restrict privileges as part of the next step — but rather gives TrustCloud access to test all users and workstations within your Jamf organization, as opposed to a specific site or group within your organization.
  8. For Privilege Set, select Auditor, which is a Jamf built-in role that provides read-only access to metadata and other information about the configuration and policies applied to individual users and workstations.
  9. Fill out the name and email fields (for email, you can use support@trustcloud.ai).
  10. Fill out a password.
    1. ⚠️ Since this is a service account, we recommend that you make this password as long and complex as possible, ideally using a password generator. However you choose to create it, make sure that it is a strong, unique password (minimum 12 characters, mixture of character types).
  11. Keep track of this password, since you will need to enter it into TrustOps.
  12. Click Save.
  13. Enter the username and password you generated into TrustOps. Only the auditor read privileges will be granted to the service account. These credentials will be stored in an encrypted keystore, and accessed only by the TrustCloud service, and only as needed to run tests against your Jamf account.
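
To confirm the account was saved with the settings from steps 7 and 8, the following added example (not TrustCloud's or Jamf's code) checks an exported account record for the Full Access level, the Auditor privilege set, and the absence of any non-read privilege. The record layout is assumed to follow the account JSON of the Jamf Pro Classic API, and both sample records and the function name are constructed for illustration.

```python
import json

# Constructed records, assumed to follow the account JSON layout of the
# Jamf Pro Classic API (access_level, privilege_set, privileges by group).
AS_DOCUMENTED = json.loads("""
{"account": {"name": "TrustCloud", "access_level": "Full Access",
  "privilege_set": "Auditor",
  "privileges": {"jss_objects": ["Read Computers", "Read Policies"],
                 "jss_settings": ["Read Sites"], "jss_actions": []}}}
""")
DRIFTED = json.loads("""
{"account": {"name": "TrustCloud", "access_level": "Full Access",
  "privilege_set": "Custom",
  "privileges": {"jss_objects": ["Read Computers", "Update Computers"],
                 "jss_settings": ["Read Sites"], "jss_actions": []}}}
""")


def audit_service_account(record):
    """Return findings; an empty list means the record matches steps 7 and 8."""
    acct = record.get("account", {})
    findings = []
    # Step 7: organization-wide scope rather than a single site or group.
    if acct.get("access_level") != "Full Access":
        findings.append(f"access_level is {acct.get('access_level')!r}, "
                        "expected 'Full Access'")
    # Step 8: the built-in read-only role.
    if acct.get("privilege_set") != "Auditor":
        findings.append(f"privilege_set is {acct.get('privilege_set')!r}, "
                        "expected 'Auditor'")
    # Anything that is not a "Read ..." privilege deserves a manual review.
    for group, names in sorted(acct.get("privileges", {}).items()):
        for name in names or []:
            if not name.startswith("Read "):
                findings.append(f"non-read privilege in {group}: {name}")
    return findings


if __name__ == "__main__":
    for label, rec in (("as documented", AS_DOCUMENTED), ("drifted", DRIFTED)):
        print(label, "->", audit_service_account(rec) or "OK")
```

Running the same check periodically catches a later change of the privilege set to Custom or Administrator after the credentials have already been shared.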
