11.16 compliance features

danlaw777
Contributor III

I have updated my instance to 11.16 and here are some quick hits that are bugging me.

  • There's an option of monitor, and monitor and enforce. However, there is no switch available to go from one to the other; you need to create a whole new set of rules, make your changes, then send it out. This needs to be looked at.
  • Once the monitor has been set (I didn't enforce quite yet) you get the results, how many machines pass or fail, but there is NO WAY to see what machines fail, OR WHY they failed certain standards. This too needs to be looked at.
  • Using the advanced search fails to yield any results as there is no way to point to these standards in the search function.
  • When using JCE, profiles were added in the device management tab; using Jamf's CE, I don't have a CLUE where they're stored.
  • The documentation contains NONE of the items I've listed above.

Tomas_Lukl1
New Contributor III

Hi @danlaw777. Thanks for your interest in compliance benchmarks and your feedback. Let me comment on those:

  • The ability to switch between monitor and enforce mode will come in the very near future. We are actively working on it.
  • We understand the need to easily see what machines are out of compliance. This is also under development and will come in the near future. In the meantime, there is a workaround to get this information - please see this post. Please let us know if this helped.
  • "using the advanced search fails to yield any results as there is no way to point to these standards in the search function" - could you please elaborate a bit more? Do you mean that the workaround does not produce what you need or that it does not work at all?
  • Compliance benchmarks create and manage profiles, scripts and other artefacts that are stored under the device management tab. They are organised into a category that is named after your compliance benchmark configuration name.

Hi @Tomas_Lukl1, are there plans to support the exceptions.plist so you can exempt some rules from a subset of computers in scope of the benchmark? The JCE supports this with the Compliance - Failed Results Count EA and the Compliance - Exemptions EA.

Tomas_Lukl1
New Contributor III

Hi @c_kay. Thank you for the question. Could you please describe in a bit more detail what the use case is for which the exemptions are useful to you?

I have an open feature request for this https://ideas.jamf.com/ideas/JPRO-I-1278

Here's the situation I face. My creative team needs all our CIS benchmarks except one: AirDrop. It would be very beneficial if I could go to the CIS rule, click an 'exception' button, and add a smart or static group to exclude it from that specific rule without having to create a whole new set of benchmarks for just one small group. That makes things very confusing and convoluted when trying to assess our security standards.

For us, we need a small number of Macs to have Apple Remote Desktop and SSH enabled, but we don't want to have to create a separate benchmark for them. There might be further exemptions a few users might need in the future, and again we don't want to create more benchmarks. The script that Jamf Pro Compliance creates for the Benchmark already supports the Exemption plist; it's just your Failed Result List EA for the benchmark that doesn't. It reports rules that have been exempted as failures instead of ignoring them.

Are there plans to be able to sort the rules in a benchmark numerically instead of alphabetically, so rule 1.10 comes after rule 1.2?

Actually that's been fixed so ignore.

Yes, right on Monday! But keep this feedback coming please!

@Tomas_Lukl1 is there going to be an API for Benchmarks so we can access the reporting data?

Tomas_Lukl1
New Contributor III

@c_kay yes, creating an API to get reporting data programmatically is on our roadmap. Is there anything specific you would expect this API to provide, and what would you use it for?

I'd like the API to be able to get the Rule report data. So the pass, fail, unknown numbers for each rule please.

Speaking of the Rule report, I've noticed that a rule with 0 pass, 0 fail, 0 unknown is calculated as 0% Computers passed. I think that should be 100% Computers passed; otherwise it looks like the rule failed, where really it just doesn't apply to any of the Macs in scope.

For example, rule 5.9 Ensure Extensible Firmware Interface Version is Valid
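To illustrate the two reporting points raised in this thread (an exempted rule counted as a failure, and a 0/0/0 rule shown as 0% passed), here is an added example that is not part of the original thread or of Jamf's own EA scripts. It assumes an mSCP-style audit plist (one dictionary per rule id with a boolean `finding` and optional `exempt`/`exempt_reason` keys); the sample data is constructed.

```python
import plistlib

# Constructed sample audit results, in the assumed mSCP-style layout:
# each rule id maps to a dict with "finding" (True = rule failed) and,
# when the rule is exempted, "exempt" and "exempt_reason".
AUDIT_PLIST = plistlib.dumps({
    "os_airdrop_disable": {"finding": True, "exempt": True,
                           "exempt_reason": "Creative team requires AirDrop"},
    "os_sshd_disable": {"finding": True},
    "system_settings_screensaver_ask_for_password": {"finding": False},
})


def load_audit(plist_bytes):
    """Parse audit results from plist bytes into a dict keyed by rule id."""
    return plistlib.loads(plist_bytes)


def failed_rules(audit, honor_exemptions=True):
    """Rule ids with a finding; exempted rules are skipped unless honor_exemptions is False.

    honor_exemptions=False reproduces the behaviour complained about above,
    where an exempted rule still shows up in the failed-results list.
    """
    return sorted(
        rule for rule, result in audit.items()
        if result.get("finding") and not (honor_exemptions and result.get("exempt"))
    )


def exempt_rules(audit):
    """Map each exempted rule id to its stated reason (for an Exemptions-style EA)."""
    return {rule: result.get("exempt_reason", "")
            for rule, result in audit.items() if result.get("exempt")}


def rule_pass_rate(passed, failed, unknown):
    """Percentage of applicable computers passing a rule.

    Returns None when no computer in scope is applicable, so a rule such as
    5.9 is reported as not applicable rather than as 0% passed.
    """
    applicable = passed + failed + unknown
    if applicable == 0:
        return None
    return round(100 * passed / applicable, 1)
```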

Good point, thank you for the feedback! Let me look at that and get back to you.

Hi @c_kay. Getting back to this topic - just wanted to let you know that we've removed the percentages from rules with no applicable computers in scope to prevent confusion.


danlaw777
Contributor III

Ability to switch coming - EXCELLENT

Workaround worked!

And I still don't see the profiles in device management.

@danlaw777 Do you mind sharing your compliance benchmark configuration as well as the profiles section under device management (screenshots incl. rules, if that is ok)? If you can't share it publicly for privacy reasons, please share it via DM to me or open a support ticket. Thank you.

Hi @danlaw777. I'm guessing a bit about the configuration profiles in device management. You've mentioned that you haven't 'enforced quite yet'. The profiles are only used for enforcing the rules - monitoring is done via a script (executed via a policy, resulting in a filled extension attribute).

Checking our test instance, I can see the profiles used for benchmark enforcement in the computer inventory.


Is this what you've been looking for?

danlaw777
Contributor III

If you have time, send me a calendar request and I can show you live.

Hi @danlaw777. Here is my Calendly link. Feel free to pick a time that suits you best! Thank you.

mattjerome
Contributor

I was just looking, and is there no way to edit the scope of compliance readiness after it is created? I saw I can edit which rules are enforced, but not any scoping.

Hi @mattjerome. Thank you for your feedback. We are actively working on many improvements to the compliance benchmarks capability - allowing you to change the smart group (scope) is one of the items on our near-term roadmap. Please stay tuned for updates. In the meantime, as a workaround, you could potentially use the nested smart groups feature in Jamf Pro to achieve what you need.

Could you please describe the use case for which you need to edit the scope?

Scoping feature is NEEDED!
1. Pilot this configuration

2. Post pilot, rescope to all devices

3. Pilot next macOS

These are 3, but there are more, I know.

This makes sense. Thank you for the context. The ability to edit scoping (by changing the smart group) will come very soon.

JanVozenilek85
Contributor

Hi @danlaw777 @mattjerome and others,

I wanted to share that editing of benchmark scope (smart group) and mode/type (monitor or enforcement) has been enabled just today. Go check your Jamf Pro instances and let us know if the new capability works well for you!

This is wonderful!!!