When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.

An XCCDF Rule

Description

<VulnDiscussion>When a Jamf Pro EMM server accepts an unverified certificate, it may be trusting a malicious actor. For example, messages signed with an invalid certificate may contain links to malware, which could lead to the installation or distribution of that malware on DoD information systems, leading to compromise of DoD sensitive information and other attacks. SFR ID: FIA_X509_EXT.2.2</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-241790r879612_rule
Severity: Medium
References: CCI-000185 CCI-000366 CCI-001310 CCI-002450
Updated: about 1 year ago

Configure the Jamf Pro EMM server to not accept a certificate if the certificate cannot be validated.

1. Open the Jamf Pro EMM console.
2. Open "Settings".
3. Select "User-Initiated Enrollment".
4. Under the General tab, select "Use a third-party signing certificate".5. Drag and drop the DoD p12 certificate.
6. Click "Save".

When the Jamf Pro EMM server cannot establish a connection to determine the validity of a certificate, the server must not have the option to accept the certificate.

Description

Remediation - Manual Procedure