Introduction
Jamf Auto Update is a cloud-based service that integrates seamlessly with Jamf Pro to provide fully automated application packaging, deployment, installation, upgrading and uninstallation of over 800 titles to managed Mac computers, all without the need for manual packaging and uploading, or the overhead of continuous Jamf Pro administration.
Once configured, Jamf Auto Update will equip Jamf Pro administrators with an extensive catalogue of more than 800 applications that can be delivered and kept fully updated without the need for manual packaging and uploading, or the overhead of continuous policy and profile administration.
Jamf Auto Update is designed to bring an App Store-like update experience to all third-party applications outside of the Mac App Store. In addition to keeping hundreds of applications updated, this framework can be leveraged to provide in-place macOS upgrades for managed Intel-based Mac computers, with minimal configuration required by Jamf Pro administrators.
The purpose of this document is to provide an overview of the security measures employed within Jamf Auto Update. This document outlines dataflows and protocols used in the delivery of this service and is aimed at information security personnel.
Infrastructure overview and compliance
Jamf Auto Update utilises a cloud-based infrastructure with global CDN capabilities hosted within Amazon.
All external communication to the service is limited to the URLs listed below:
- auto-update-cdn.datajar.mobi
- envquery.datajar.mobi
Any stored passwords are encrypted at rest with AES-256 (Advanced Encryption Standard). The encryption keys are rotated whenever these passwords are accessed, and a password used for REST API operations is validated against its hash.
Secure communications
All communication between the Jamf Auto Update service and managed Mac computers is performed over HTTPS/TLS 1.2.
For additional validation, communication between managed Mac computers and the Jamf Auto Update service uses signed JSON Web Tokens (JWTs). Each JWT is signed with a Hash-based Message Authentication Code (HMAC) using a shared secret that is unique to each Jamf Auto Update subscription.
JWTs are an open, industry standard (RFC 7519) method for verifying the integrity of claims between two parties. Within the service, these tokens are used to transfer repository credentials between the envquery.datajar.mobi service and managed macOS clients. If the client cannot verify the HMAC signature of a JWT, the token is disregarded and the pending Jamf Auto Update run on that managed Mac computer is aborted.
Data collection
The Jamf Auto Update service has been designed with consideration towards both security and compliance. The service collects minimal data that could be classified as Personally Identifiable Information (PII). PII data, classified as General Data Protection Regulation (GDPR)-relevant data, collected in conjunction with the service, is limited to the local IP address and public IP address of a managed Mac computer. If you would like further information on how we utilise customer data, please review our Privacy Policy (see https://datajar.co.uk/privacy-policy/).
As such, the collected data consists of:
- the UUID of the managed macOS client
- the local IP address of the managed macOS client
- the public IP address of the managed macOS client
Automated software packaging and distribution
Jamf Auto Update leverages an industry-leading, open source application called AutoPkg.
AutoPkg is used to acquire readily available software directly from the vendor, and populate the Jamf Auto Update repository.
Each software title has a Recipe Override that links to the files containing the download, packaging, verification and versioning details, and is stamped with ‘trust-info’. The trust-info key comprises the parent recipes’ git commit hashes, the SHA-256 of the Recipe Override and any additional items. These values are stored, then checked and processed each time the Recipe Override is run.
When a software title’s Recipe Override run completes successfully, the downloaded media is uploaded to VirusTotal for analysis before being pushed to the repository for distribution.
If any step within the Recipe Override fails for any reason, such as the SHA-256 check, code signature verification or VirusTotal analysis, the process is halted and a service desk incident is raised for remediation according to the Service Level Agreement (SLA).
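As an added illustration (not dataJAR's code, and not AutoPkg itself, whose `autopkg verify-trust-info` command performs the real check) of how a trust-info mismatch halts a run: the script below stamps an override with the SHA-256 of a constructed parent recipe, verifies it, alters the parent recipe and verifies again. The key layout (`ParentRecipeTrustInfo`, `parent_recipes`, `path`, `sha256_hash`, `git_hash`) follows AutoPkg's override format as I understand it and should be treated as an assumption; the git commit hash comparison is left as a placeholder.

```python
import hashlib
import os
import tempfile

PARENT_ID = "com.example.download.Example"                  # constructed identifier
PARENT_REL = "RecipeRepos/example/Example.download.recipe"  # constructed relative path

def sha256_of_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def verify_trust_info(override, base_dir):
    """Return a list of problems; an empty list means every parent recipe still matches
    the SHA-256 stamped in the override. Any problem means the recipe must not run."""
    trust = override.get("ParentRecipeTrustInfo")
    if not trust:
        return ["override has no ParentRecipeTrustInfo"]
    problems = []
    for ident, info in trust.get("parent_recipes", {}).items():
        path = os.path.join(base_dir, info["path"])
        if not os.path.exists(path):
            problems.append(f"{ident}: parent recipe missing")
        elif sha256_of_file(path) != info["sha256_hash"]:
            problems.append(f"{ident}: SHA-256 mismatch, parent recipe changed since trust was stamped")
    return problems

def build_fixture(tmpdir):
    """Constructed fixture: write one parent recipe and return an override stamped with its hash."""
    parent = os.path.join(tmpdir, PARENT_REL)
    os.makedirs(os.path.dirname(parent))
    with open(parent, "wb") as fh:
        fh.write(b"<plist><dict><key>Identifier</key><string>" + PARENT_ID.encode() + b"</string></dict></plist>\n")
    return {"ParentRecipe": PARENT_ID, "ParentRecipeTrustInfo": {
        "parent_recipes": {PARENT_ID: {
            "path": PARENT_REL,
            "sha256_hash": sha256_of_file(parent),
            "git_hash": "<placeholder: git history is not compared in this example>",
        }},
    }}

def demo():
    """Verify a freshly stamped override, then alter the parent recipe and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        override = build_fixture(tmp)
        before = verify_trust_info(override, tmp)
        with open(os.path.join(tmp, PARENT_REL), "ab") as fh:
            fh.write(b"<!-- upstream change -->\n")  # simulate the parent recipe changing
        after = verify_trust_info(override, tmp)
    return before, after
```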
Client components
In order for managed macOS clients to communicate with and access the Jamf Auto Update service, several components are installed; these can be found within the latest JamfAutoUpdate.zip.
The JamfAutoUpdate-x.pkg, and the included Jamf Auto Update.app, Notifier.app, autoupdate and managedsoftwareupdate binaries, are all code-signed as Jamf and notarized by Apple.
In addition to the JamfAutoUpdate.zip, customers are supplied with a configuration profile containing details unique to their organisation; this profile must be deployed for Jamf Auto Update to function.
Each of the supplied profiles needs to be distributed to managed Mac computers for Jamf Auto Update to run as required. For the full installation guide, refer to the separate installation documentation.
Integration with Jamf
The Jamf Auto Update service is designed to work seamlessly with an existing and supported Jamf environment.
The Jamf Auto Update process is triggered by a Policy within Jamf Pro which is defined and controlled by the Jamf Pro administrator.
The policy logs will contain details of the actions undertaken. In addition, a Jamf Pro Extension Attribute is supplied which reads the last line of the client log; this is submitted whenever a managed Mac computer submits an inventory update, such as when Jamf Auto Update installs or uninstalls a software title.
Further information on this log's content is provided in the separate log documentation.
Need further support?
Automate. Simplify. Succeed. If you still require assistance or have any further questions, please raise a ticket with our support team.
Alternatively, please see our frequently updated knowledge base articles for reference.