JAMF Software Security

At JAMF Software, we practice what we preach. We understand that company and employee data protection is the top priority for not only our organization, but for all organizations. That's why we ensure our devices are secure with the Casper Suite, because we can't secure yours if we don't secure ours.

Like most organizations, our employees want to know how we're securing their devices, what we can and cannot access, and that their private information remains just that, private.

Take a deeper dive into our security overview and then check out the frequently asked questions that our IT staff receives from our employees. We have a feeling that yours might be similar. 

JAMF Software security overview

Securing Apple since 2002. 

Download our security overview to learn more about the Casper Suite's device management capabilities and framework. 


Server architecture

Choose how you host your server.

At the heart of the Casper Suite is the JAMF Software Server (JSS). The JSS is the management server that acts like a web server running on Tomcat and MySQL, and communicates with your devices over HTTPS. 

The JSS can run on an OS X, Windows, or Linux server for on-premise deployments. We also offer a service where we host the JSS for you in the cloud.

Visit our System Requirements for details and learn how to best secure your JSS.

JAMF Cloud

Secure server and services hosting.

If your organization is growing like ours, a secure option for all of your devices is to host your JAMF Software Server (JSS) and Casper Suite services in the Cloud. 

By allowing us to worry about the infrastructure, you'll enjoy:

  • A hosted environment profiling a JAMF Software Server (Tomcat and MySQL) in a data center in North America
  • 99.9% uptime and 24/7 availability
  • Security — industry-standard encryption and auditing
  • Simplicity — environment is patched and always kept up-to-date

For additional resources, check out the JAMF Cloud Privacy Policy and Terms of Service.

Security Frequently Asked Questions (FAQ)

We get asked a lot of questions, so we've gathered them together to make it easier for you. This section is regularly updated, so be sure to check back.

Is our data encrypted?
Data in transit is encrypted using TLS with Perfect Forward Secrecy (PFS), and data at rest uses industry-standard AES-256 to encrypt fields in the database that contain sensitive information, such as passwords and FileVault 2 individual recovery keys.

Is TLS always used?
Yes, JAMF Cloud and the latest versions of the JAMF Software Server (JSS) installers no longer include support for SSL v3.0. For existing and upgraded on-premise installations, instructions are available on JAMF Nation for removing support for SSL v3.0 and configuring supported cipher suites for Tomcat HTTPS connections:

Mitigating the SSL v3.0 POODLE Vulnerability

Configuring Supported Ciphers for Tomcat HTTPS Connections

How are our passwords stored?
Passwords for local JSS user accounts are hashed using SHA-512 with a unique, random salt for each user, and all other passwords are encrypted using industry-standard AES-256 with a unique, random key for each database.

Who has access to our data?
For JAMF Cloud, employee access to customer data is described in the Casper Suite Security Overview document and our Privacy Policy.

Where are JAMF Cloud data centers located?
JAMF Cloud relies on Amazon Web Services (AWS) to provide infrastructure as a service (IaaS) within different geographic regions, including the United States, Germany, and Australia. Data at rest remains in the region in which the JAMF Cloud instance was created.

Does JAMF Software use a secure Software Development Lifecycle (SDLC)?
Yes. We use an Agile methodology that incorporates cross-functional teams with members from Product Management, Engineering, Quality, and Technical Communications. Overarching Release and Quality processes ensure necessary oversight and consistency throughout the organization.

Does the JAMF Cloud JSS Hosting service have a SOC 2 Type 2 report?
We are currently preparing for a SOC 2 Type 2 report that is expected in 2016.

Does JAMF Software audit its security?
The Casper Suite is tested for common vulnerabilities prior to each public release, and independent third-party security assessments are periodically performed on key system components, including the JAMF Software Server (JSS) and client binary. For JAMF Cloud, JAMF Software relies on the Amazon Web Services (AWS) Shared Responsibility Model to ensure the security of the underlying infrastructure that is provided by AWS:

AWS Shared Responsibility Model

Can we undertake our own security testing?
Security testing on your own systems and networks is permitted within the terms of the End User License and Service Agreement (EULSA). For JAMF Cloud, our service provider requires prior written authorization before you conduct any penetration testing or vulnerability assessments:

Vulnerability and Penetration Testing

Have questions that we didn't cover? Please don't hesitate to reach out to us and talk security.