Jamf v1.0.0 Plugin for Risk Exchange
This document explains how to configure the Jamf v1.0.0 plugin with the Risk Exchange module of the Netskope Cloud Exchange platform. This plugin is used to fetch devices from the Jamf Security Cloud platform > Devices > Manage page. It also supports performing the Override Risk Level and Revert Risk Level actions on devices.
Netskope normalization score calculation: Risk Level Secure = 875, Risk Level Low = 875, Risk Level Medium = 625, Risk Level High = 375.
Note that scores are based on the median of Netskope’s risk score ranges; for example, Low (751-1000) has a median of 875.
Prerequisites
To complete this integration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances).
- A Netskope Cloud Exchange tenant with the Tenant plugin and Risk Exchange module already configured.
- Jamf instance credentials (Application ID, Application Secret).
- Connectivity to the following host: https://radar.wandera.com.
CE Version Compatibility
Netskope CE v5.1.0
Jamf Plugin Support
This plugin fetches devices and their respective details from the Jamf Security Cloud platform. It also supports performing Override Risk Level, Revert Risk Level, and No actions on the pulled Devices.
Type of data pulled | Devices |
Actions Supported | Override Risk Level, Revert Risk Level, No Action |
Mappings
Mapping will be used to view the pulled Devices and their respective details. Mapped fields during plugin configuration will be visible on the Records page once the data is pulled. Below is the suggested mapping that should be used while configuring the plugin.
Pull Mapping for Devices
Plugin Field Label | Expected Data Type | Suggested Field Label | Aggregate Strategy |
---|---|---|---|
Device ID | String | Device ID | Unique |
User Name | String | User Name | Overwrite |
User Email | String | User Email | Overwrite |
Device Name | String | Device Name | Overwrite |
Device System Version | String | Device System Version | Overwrite |
OS Type | String | OS Type | Overwrite |
Device Platform | String | Device Platform | Overwrite |
Device Risk Category | String | Device Risk Category | Overwrite |
App Name | String | Application Name | Overwrite |
App Version | String | Application Version | Overwrite |
Netskope Normalized Score | Number | Netskope Normalized Score | Overwrite |
Permissions
The following permissions are required to configure the Jamf plugin and perform actions on the pulled Devices.
The user for whom the Application ID and Application Secret are generated should be a Global admin.
- Devices
- Settings
API Details
List of APIs Used
API Endpoint | Method | Use Case |
---|---|---|
/v1/login | POST | To get authentication token |
/risk/v2/devices | GET | To Fetch devices from Jamf platform |
/risk/v1/override | PUT | To override the risk level of the fetched devices |
Get an Auth Token
API Endpoint: <Base URL>/v1/login
Method: POST
Headers
Key | Value |
---|---|
User-Agent | netskope-ce-5.1.0-cre-jamf-v1.0.0 |
Authorization
Basic auth
Username | <Application_ID> |
Password | <Application_secret> |
Sample API Response
```json
{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJjdXN0b21lcl9pZCI6ImMwZmUzNmU2LWNhNDUtNGFkNS05OWM3LTBjM2NjODliZDU2NiIsImlhdCI6MTcyNTg2MDg1NSwiZXhwIjoxNzI1ODYxNzU1LCJhdWQiOiJSSVNLX0FQSSIsImNsaWVudF9pZCI6IjRhMTk3MzExLTI0ZGUtNDQxZi1iYTRkLTNjOTc4YzY4MjQ0NyIsImFub255bWl6ZWQiOmZhbHNlfQ._FRbcbpo02VFZOUc1j0kj8-geXIKI2U9un9f6i_Qrss"
}
```
Fetch Devices
API Endpoint: <Base URL>/risk/v2/devices
Method: GET
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-jamf-v1.0.0 |
Parameters
Key | Value |
---|---|
page | 0 |
pageSize | 99 |
Sample API Response
```json
{
  "customerId": "c0fe36e6-ca45-4ad5-99c7-0c3cc89bd566",
  "userDeviceList": [
    {
      "guid": "7d827d40-81a4-4016-8b40-d7048c1e2660",
      "externalId": null,
      "phoneNumber": null,
      "user": { "email": "sam@gmail.com", "name": "Gary Jenkins" },
      "joinDate": 1724285780379,
      "status": "ACTIVE",
      "traffic": { "lastTrafficRun": 0 },
      "info": {
        "location": { "isoCountry": "us" },
        "lastStatusUpdateTime": 1724415515771,
        "device": {
          "deviceName": "24566f91-3313-4357-8820-c70f00faa828",
          "deviceSystemVersion": "14",
          "osType": "ANDROID",
          "platform": null
        },
        "app": { "name": null, "version": "11.55.0.0" }
      },
      "hardwareSpec": { "platform": "Other Android", "version": null, "osType": "ANDROID" },
      "statusUpdate": {
        "connector": null,
        "device": { "payload": {}, "lastStatusUpdateUtcMs": 1724415515771 }
      },
      "connectorState": "UNMANAGED",
      "riskCategory": "SECURE",
      "group": "",
      "deploymentState": "NONE",
      "lastPrivateAccessDnsTraffic": 0,
      "lastDnsTraffic": 1724421490768
    },
    {
      "guid": "d0f8d97e-11b1-4a0b-8fa6-2d03cee50c21",
      "externalId": null,
      "phoneNumber": null,
      "user": { "email": "sam@gmail.com", "name": "Gary Jenkins" },
      "joinDate": 1723247393856,
      "status": "ACTIVE",
      "traffic": { "lastTrafficRun": 0 },
      "info": {
        "location": { "isoCountry": "US" },
        "lastStatusUpdateTime": 1725834090308,
        "device": {
          "deviceName": "f2d374f2-18f6-46d3-b650-1fd1f0bc59e4",
          "deviceSystemVersion": "16.6.1",
          "osType": "IOS",
          "platform": null
        },
        "app": { "name": null, "version": "11.37.0" }
      },
      "hardwareSpec": { "platform": "Apple iPad", "version": null, "osType": "IOS" },
      "statusUpdate": {
        "connector": null,
        "device": { "payload": {}, "lastStatusUpdateUtcMs": 1725834090308 }
      },
      "connectorState": "UNMANAGED",
      "riskCategory": "MEDIUM",
      "group": "",
      "deploymentState": "NONE",
      "lastPrivateAccessDnsTraffic": 0,
      "lastDnsTraffic": 1725859823210
    }
  ],
  "linkTemplates": {}
}
```
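The following added example (not the plugin's source code) flattens a Fetch Devices response into the suggested Pull Mapping fields and attaches the normalized score stated at the top of this page. Which response key backs each mapped field is an assumption (for instance `guid` for Device ID and `hardwareSpec.platform` for Device Platform), and the sample input is constructed.

```python
from typing import Any, Optional

# Scores stated on this page; SECURE and LOW both normalize to 875.
RISK_SCORES = {"SECURE": 875, "LOW": 875, "MEDIUM": 625, "HIGH": 375}

def _get(obj: Any, *path: str) -> Any:
    """Walk nested dicts; return None when a level is missing or null."""
    for key in path:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def normalize_device(raw: dict) -> Optional[dict]:
    """Map one userDeviceList entry to the Pull Mapping fields."""
    guid = raw.get("guid")
    if not isinstance(guid, str) or not guid.strip():
        return None  # Device ID is the Unique key, so never guess one
    risk = raw.get("riskCategory")
    risk = risk.upper() if isinstance(risk, str) else None
    return {
        "Device ID": guid,  # assumption: guid backs Device ID
        "User Name": _get(raw, "user", "name"),
        "User Email": _get(raw, "user", "email"),
        "Device Name": _get(raw, "info", "device", "deviceName"),
        "Device System Version": _get(raw, "info", "device", "deviceSystemVersion"),
        "OS Type": _get(raw, "info", "device", "osType"),
        # assumption: hardwareSpec.platform (info.device.platform is null in the sample)
        "Device Platform": _get(raw, "hardwareSpec", "platform"),
        "Device Risk Category": risk,
        "App Name": _get(raw, "info", "app", "name"),
        "App Version": _get(raw, "info", "app", "version"),
        # An unrecognized category yields None rather than a default score.
        "Netskope Normalized Score": RISK_SCORES.get(risk),
    }

def normalize_page(body: dict) -> list:
    return [r for r in map(normalize_device, body.get("userDeviceList") or []) if r]

# Constructed sample input shaped like the response above (values are made up).
SAMPLE = {"userDeviceList": [
    {"guid": "11111111-1111-4111-8111-111111111111", "riskCategory": "MEDIUM",
     "user": {"email": "user@example.com", "name": "Example User"},
     "info": {"device": {"osType": "IOS", "platform": None}, "app": {"name": None}},
     "hardwareSpec": {"platform": "Apple iPad"}},
    {"guid": "22222222-2222-4222-8222-222222222222", "riskCategory": "CRITICAL"},
    {"guid": None, "riskCategory": "HIGH"},
]}
```

Records without a usable `guid` are dropped, and a risk category outside the four listed levels is kept but left unscored so it can be reviewed instead of being silently treated as low risk.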
Override Risk Level of Fetched Devices
API Endpoint: <Base URL>/risk/v1/override
Method: PUT
Headers:
Key | Value |
---|---|
Authorization | Bearer <Bearer Token> |
User-Agent | netskope-ce-5.1.0-cre-jamf-v1.0.0 |
Body
```json
{
  "risk": "HIGH",
  "source": "MANUAL",
  "deviceIds": []
}
```
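Because this request changes the risk posture of devices, the body is worth validating before it is sent. The added example below (not the plugin's source code) builds the body from a comma-separated Static Device ID value; it assumes Device IDs are GUIDs as in the sample response and that the accepted risk values are the four levels named on this page.

```python
import json
import uuid

# Assumption: the override accepts the risk levels named on this page.
ALLOWED_RISK = {"SECURE", "LOW", "MEDIUM", "HIGH"}


def parse_device_ids(static_value: str) -> list:
    """Split, trim, validate as GUIDs, and de-duplicate while keeping order."""
    seen, ids = set(), []
    for part in static_value.split(","):
        part = part.strip()
        if not part:
            continue  # tolerate trailing commas and blank entries
        try:
            canonical = str(uuid.UUID(part))  # lowercase, hyphenated form
        except ValueError:
            raise ValueError(f"not a device GUID: {part!r}") from None
        if canonical not in seen:
            seen.add(canonical)
            ids.append(canonical)
    return ids


def build_override_body(risk: str, static_value: str) -> str:
    """Return the JSON body for PUT /risk/v1/override, or raise ValueError."""
    level = risk.strip().upper()
    if level not in ALLOWED_RISK:
        raise ValueError(f"unsupported risk level: {risk!r}")
    ids = parse_device_ids(static_value)
    if not ids:
        # An empty deviceIds list is rejected locally, not left to the server.
        raise ValueError("refusing to send an override with no device IDs")
    return json.dumps({"risk": level, "source": "MANUAL", "deviceIds": ids})
```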
Performance Matrix
The performance matrix below was measured on a Large CE Stack with the following specifications while pulling 500K devices.
Stack Size | Large (RAM: 32 GB, Core: 16) |
Time taken to store the pulled and updated host records | ~50 mins |
User Agent
netskope-ce-5.1.0-cre-jamf-v1.0.0
Workflow
- Add Permissions to the Global Admin User.
- Get your Application ID and Application Secret.
- Configure Netskope Tenant and Plugin.
- Configure the Jamf plugin.
- Add a Business Rule.
- Add Actions.
- Validate the plugin
Add Permissions to the Global Admin User
- Log in to the Jamf platform. Click the top-right corner, and then click View all accounts.
- Click Administration.
- Click Actions > Edit for the User.
- Select Devices and Settings, and then click Save.
Get your Application ID and Application Secret
- Go to the menu Icon > Integrations > Risk API.
- Click Generate API key.
- Enter a name and click Generate API Key.
- Copy the Application ID and Application Secret to use in the plugin configuration.
Configure the Jamf Plugin
- Log in to Cloud Exchange and go to Settings > Plugins. Search for and select the Jamf v1.0.0 (CRE) plugin box.
- For Basic Information, enter a plugin configuration name, and change the sync interval if needed.
- Click Next. Enter the Base URL, Application ID, and Application Secret.
- Click Next. Select the Entity from the Entity dropdown. The Entity fields can be created from the Schema editor page, or using the + Add Field option from the field dropdown. Provide the field mapping. For the suggested mapping please refer to the Mappings section.
Note that the Device ID field will be required to pull the Devices and to perform actions on the pulled Devices.
- Click Save.
Add a Risk Exchange Business Rule for Jamf
- In Risk Exchange, go to Business Rules.
- Click Create New Rule in the top right corner.
- Enter a Rule Name, and select the Entity for which Fields have been configured for the Jamf plugin, and then configure the query based on your requirements. The below example fetches Devices containing Gary in the User Name.
- Click Save.
Add Risk Exchange Actions for Jamf
The Jamf plugin supports these action types:
- No Action: No action will be performed for this action. Users can generate UBA alerts in CTO by using this action and enabling the Generate Alerts toggle.
- Override Risk Level: Override Risk Level will assign a new Risk Level to the Device on which an action is performed.
- Revert Risk Level: Revert Risk Level will assign the risk level that was present while creating the Device.
Note that you can perform the actions on the devices pulled from Jamf on the Netskope Tenant.
Override Risk Level
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select your Business Rule and the Configuration (plugin) from their respective dropdowns.
- For Action, select Override Risk Level from the dropdown.
- Enable the Require Approval toggle if approval is needed before performing action on the Devices.
Notes
- Fields mapped with the Device ID while configuring the plugin will be required to perform action on the Devices.
- If Static is selected in the dropdown, provide comma-separated Device ID.
- Click Save.
Revert Risk Level
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select your Business Rule and the Configuration (plugin) from their respective dropdowns.
- For Action, select Revert Risk Level from the dropdown.
- Enable the Require Approval toggle if approval is needed before performing action on the Devices.
Notes
- Fields mapped with the Device ID while configuring the plugin will be required to perform action on the Devices.
- If Static is selected in the dropdown, provide comma-separated Device ID.
- Click Save.
No Action
- In Risk Exchange, go to Actions and click Add Action Configuration.
- Select your Business Rule and the Configuration (plugin) from their respective dropdowns.
- For Action, select No actions from the dropdown, and if you want, enable the Generate Alert toggle button to generate alerts in the CTO module.
- Enable the Require Approval toggle if approval is needed before performing action on the Devices.
Notes
- Fields mapped with the Device ID while configuring the plugin will be required to perform action on the Devices.
- If Static is selected in the dropdown, provide comma-separated Device ID.
- Click Save.
Validate the Jamf Plugin
Validate on Cloud Exchange
To validate the pulling on Cloud Exchange:
- In Risk Exchange, go to Records. Select the Entity that was selected while configuring the field mapping for Devices to view the pulled Devices.
- Go to Logging and search for the logs of the plugin.
- In Logging, verify the action performed for a Device.
Validate on Jamf
The Devices are pulled from the Devices > Manage page from the Jamf platform.
If you want to validate the Override Risk Level action, go to Devices > Manage to verify if risk level is updated or not. You can check the existing level of the users, and then the updated level after the action is triggered.
If you want to validate the Revert Risk Level action, go to Devices > Manage to verify if risk level is updated or not.
Troubleshoot the Jamf Plugin
Unable to configure the Jamf Plugin
If you are unable to configure the Jamf plugin, it could be due to providing an incorrect Application ID and Application Secret.
To resolve this issue, check to make sure the Application ID and Application Secret are correct.
Unable to pull Devices
If you are unable to pull Devices from the Jamf plugin, it could be due to one of these reasons:
- No Devices present on the Jamf platform.
- An error is received while pulling Devices from the platform.
- Mapping is not added while configuring the plugin in the entity source page.
To resolve these issues, follow these steps:
- Check on the Jamf platform if Devices exist or not. To verify if Device exists or not, follow the steps in Validate on Jamf.
- Receiving 500 error: The server might be down; wait for a while and check later.
- Receiving 403 error: The plugin configuration parameter does not have sufficient permissions, or the credentials no longer exist.
- Make sure that the mapping was added and the Device ID field was mapped while configuring the plugin.
Unable to perform an action on Jamf
If you are unable to perform action on the Devices, it could be due to one of these reasons:
- Receiving error while performing an action.
- Device is not present on the Jamf Platform.
- The Require Approval toggle is enabled while configuring the Action, and the request is not approved.
To resolve these issues, follow these steps:
- Verify the error present on the Logging page, and try to resolve it.
- Go to the Jamf Platform, verify if the Device for which the action needs to be performed is present or not.
- Go to Action Logs, select the logs that you want to approve the requests for, and click on the approve icon. Or disable the Require Approval toggle from the configured action, and perform the action again.
Unable to view device details on the Record
If you are unable to view Devices details on the record table, it could be due to one of these reasons:
- Mapping for all the Jamf fields was not provided while configuring the Jamf plugin.
- Pulled Devices are displayed in a row with comma-separated values.
To resolve these issues, follow these steps:
- Make sure to provide the needed mapping while configuring the plugin.
- Make sure that the fields created in an entity are according to the Mappings.