Cyber Essentials for Jamf Pro: Mac configuration guide
Configure Jamf Pro to satisfy Cyber Essentials v3.3 on macOS - FileVault, Gatekeeper, firewall, auto-updates, and the specific Jamf policies / configuration profiles assessors expect.
Cyber Essentials v3.3 has specific, testable requirements for macOS - FileVault on, Gatekeeper enabled, Application Firewall on, auto-updates on, supported OS version, minimum 12-character password. Jamf Pro can enforce each one through Configuration Profiles and Smart Group-driven policies. The common Jamf failure is Smart Groups that look right but silently exclude devices that haven't checked in recently, so coverage gaps go undetected.
1. Enrolment and scope
Every Mac that touches organisational data must be enrolled and reporting in Jamf:
- Automated Device Enrolment (ADE) via Apple Business Manager for new devices - removes the user's ability to skip enrolment
- User-Initiated Enrolment for existing devices, with a time-bounded migration plan
Reconcile Jamf's All Computers inventory against Entra ID / Google Workspace active user accounts monthly. A Smart Group showing "Last Check-in within 7 days" is the cleanest coverage metric.
2. Configuration profiles - the mandatory set
Create a single umbrella Configuration Profile scoped to all managed Macs:
Security & Privacy payload
- Require passcode, minimum length 12, complex characters, max age 365 days
- Auto-lock: 10 minutes
- Disable automatic login
FileVault payload
- Enable FileVault 2 at next login
- Escrow recovery key to Jamf
- Prevent users from disabling FileVault
Firewall payload
- Turn Application Firewall on
- Enable stealth mode
- Block all incoming connections (or allow only signed built-in services)
Software Update payload (macOS 14+)
- Automatic checking on
- Automatic download on
- Automatic installation of macOS updates on
- Automatic installation of app updates on
- Defer major upgrades at most 30 days (Cyber Essentials v3.3 treats high/critical patches as 14-day SLA - major OS upgrades have different treatment)
Restrictions payload
- Require Gatekeeper: Mac App Store and identified developers
- Disable AirDrop if not business-needed
- Require signed system volume (SSV) - automatic on Apple Silicon
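The settings above are easy to check by hand once, and easy to let drift afterwards. The following script, added here as an example and not code from Fig Group or Jamf, reads an exported .mobileconfig (an XML plist) and reports every section 2 setting that is absent or weaker than the value the guide calls for. The PayloadType names and keys are Apple's documented profile keys as I know them, so confirm them against your own exported profile; the single umbrella-profile layout and the sample profile with its two deliberate gaps are constructed assumptions.

```python
"""Check a macOS Configuration Profile against the section 2 Cyber Essentials settings.

Added example, not Fig Group's or Jamf's code. PayloadType names and keys are
Apple's documented profile keys (verify against your exported profile); the
sample profile below is constructed and is not a real export.
"""
import plistlib
import sys

# Required settings: PayloadType -> {key: (predicate, requirement as worded in the guide)}.
REQUIRED = {
    "com.apple.mobiledevice.passwordpolicy": {
        "minLength": (lambda v: isinstance(v, int) and v >= 12, "minimum length 12"),
        "requireAlphanumeric": (lambda v: v is True, "complex characters"),
        "maxPINAgeInDays": (lambda v: isinstance(v, int) and 0 < v <= 365, "max age 365 days"),
        "maxInactivity": (lambda v: isinstance(v, int) and 0 < v <= 10, "auto-lock 10 minutes"),
    },
    "com.apple.MCX.FileVault2": {
        "Enable": (lambda v: v == "On", "FileVault on"),
        "Defer": (lambda v: v is True, "enable at next login"),
    },
    "com.apple.security.FDERecoveryKeyEscrow": {
        "Location": (lambda v: bool(v), "recovery key escrowed"),
    },
    "com.apple.security.firewall": {
        "EnableFirewall": (lambda v: v is True, "Application Firewall on"),
        "EnableStealthMode": (lambda v: v is True, "stealth mode"),
        "BlockAllIncoming": (lambda v: v is True, "block all incoming connections"),
    },
    "com.apple.SoftwareUpdate": {
        "AutomaticCheckEnabled": (lambda v: v is True, "automatic checking"),
        "AutomaticDownload": (lambda v: v is True, "automatic download"),
        "AutomaticallyInstallMacOSUpdates": (lambda v: v is True, "install macOS updates"),
        "AutomaticallyInstallAppUpdates": (lambda v: v is True, "install app updates"),
        "CriticalUpdateInstall": (lambda v: v is True, "install security responses"),
    },
    "com.apple.systempolicy.control": {
        "EnableAssessment": (lambda v: v is True, "Gatekeeper on"),
        "AllowIdentifiedDevelopers": (lambda v: v is True, "App Store and identified developers"),
    },
    "com.apple.applicationaccess": {
        "enforcedSoftwareUpdateMajorOSDeferredInstallDelay":
            (lambda v: isinstance(v, int) and 1 <= v <= 30, "major upgrade deferral at most 30 days"),
    },
}


def check_profile(mobileconfig_bytes):
    """Return a list of (payload_type, key, reason) findings; an empty list means compliant."""
    profile = plistlib.loads(mobileconfig_bytes)
    # Index every payload by PayloadType; a type present twice is merged, later one winning.
    payloads = {}
    for p in profile.get("PayloadContent", []):
        payloads.setdefault(p.get("PayloadType"), {}).update(p)
    findings = []
    for ptype, keys in REQUIRED.items():
        payload = payloads.get(ptype)
        if payload is None:
            findings.append((ptype, None, "payload missing"))
            continue
        for key, (ok, requirement) in keys.items():
            if key not in payload:
                findings.append((ptype, key, f"missing ({requirement})"))
            elif not ok(payload[key]):
                findings.append((ptype, key, f"value {payload[key]!r} fails: {requirement}"))
    return findings


def sample_profile():
    """Constructed profile with two deliberate gaps: an 8-character minimum and no stealth-mode key."""
    def payload(ptype, **keys):
        return {"PayloadType": ptype, "PayloadIdentifier": f"example.{ptype}",
                "PayloadUUID": f"UUID-{ptype}", "PayloadVersion": 1, **keys}
    profile = {
        "PayloadType": "Configuration", "PayloadIdentifier": "example.ce-baseline",
        "PayloadUUID": "UUID-ce-baseline", "PayloadVersion": 1, "PayloadScope": "System",
        "PayloadContent": [
            payload("com.apple.mobiledevice.passwordpolicy", minLength=8, requireAlphanumeric=True,
                    maxPINAgeInDays=365, maxInactivity=10),
            payload("com.apple.MCX.FileVault2", Enable="On", Defer=True),
            payload("com.apple.security.FDERecoveryKeyEscrow", Location="Jamf Pro"),
            payload("com.apple.security.firewall", EnableFirewall=True, BlockAllIncoming=True),
            payload("com.apple.SoftwareUpdate", AutomaticCheckEnabled=True, AutomaticDownload=True,
                    AutomaticallyInstallMacOSUpdates=True, AutomaticallyInstallAppUpdates=True,
                    CriticalUpdateInstall=True),
            payload("com.apple.systempolicy.control", EnableAssessment=True, AllowIdentifiedDevelopers=True),
            payload("com.apple.applicationaccess", enforcedSoftwareUpdateMajorOSDeferredInstallDelay=30),
        ],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # Usage: python check_profile.py exported.mobileconfig  (no argument runs the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_profile()
    for ptype, key, reason in check_profile(data) or [(None, None, "all section 2 settings present")]:
        print(ptype, key, reason)
```

Run it against a profile downloaded from Jamf Pro rather than a screenshot: the plist is what the Mac actually receives, and a finding line per missing or weakened key is the record you want alongside the screenshot evidence in section 6.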
3. Patching - Jamf's weak point without care
Cyber Essentials v3.3 requires high/critical vulnerability patches within 14 days. On macOS this means:
- Rapid Security Responses (RSRs) enabled via the Software Update profile
- Nudge or Jamf's built-in macOS managed software updates (DDM-based on macOS 14+) to force install within a tight window
- Supported-OS enforcement: a Smart Group of devices on macOS < 14 flagged for remediation. Apple only patches N-1 major versions, so macOS 13 is on its way out of the supported window as of 2026.
4. Antivirus / EDR
macOS includes XProtect (Apple's built-in malware protection), which is acceptable for the Cyber Essentials malware-protection control. If you layer a third-party EDR (CrowdStrike, SentinelOne, Jamf Protect):
- Deploy via Jamf policy with Smart Group scope
- Full Disk Access and System Extensions pre-approved via Configuration Profile
- A dashboard showing agent health across all enrolled devices is valuable evidence
5. User access control
- No admin rights for standard users. Every enrolled Mac gets a managed local admin (rotated password via LAPS-equivalent) plus a standard user account for the human.
- Jamf Connect or Platform SSO for federated identity with MFA
- Sudo with bioauth (Touch ID) is fine - assessors care about an MFA factor on privileged operations, not specifically a phone-based one
6. Evidence assessors expect
- Smart Group reports showing FileVault encryption across all devices
- Configuration Profile payload screenshot confirming firewall, Gatekeeper, password, auto-update clauses
- macOS version distribution (Smart Group by OS version)
- Evidence that macOS 13 and older are either upgraded or out of scope
- Inventory count matched against IdP user count
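The reconciliation in section 1 and the evidence list above come from the same inventory export, and the check-in trap in the introduction is easiest to see when both coverage figures are printed side by side. The script below is an added example, not Fig's readiness scan or Jamf's code: it reads an advanced-search CSV export, scores FileVault and supported-OS coverage over every enrolled Mac and over the "checked in within 7 days" subset, and reconciles assigned users against an IdP active-user list. The column headers, status values, report date and every device and user are constructed; map the headers to your own export before use.

```python
"""Coverage audit over a Jamf Pro computer inventory export.

Added example, not Fig Group's scan or Jamf's code. Column headers, values,
the report date and all devices/users below are constructed; map them to the
headers of your own advanced-search export.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed export: six devices, none real. MAC-0003 is the one a
# "Last Check-in within 7 days" Smart Group silently drops.
JAMF_EXPORT = """\
Computer Name,Serial Number,Last Check-in,FileVault 2 Status,Operating System Version,Email Address
MAC-0001,SERIAL0001,2026-03-10 09:12:00,All Partitions Encrypted,14.7.4,alice@example.org
MAC-0002,SERIAL0002,2026-03-09 17:40:00,All Partitions Encrypted,14.7.4,bob@example.org
MAC-0003,SERIAL0003,2026-01-20 08:05:00,No Partitions Encrypted,14.7.2,carol@example.org
MAC-0004,SERIAL0004,2026-03-11 10:30:00,All Partitions Encrypted,13.7.4,dave@example.org
MAC-0005,SERIAL0005,2026-03-11 11:00:00,All Partitions Encrypted,15.3.1,erin@example.org
MAC-0006,SERIAL0006,2026-03-08 08:00:00,All Partitions Encrypted,14.7.4,grace@example.org
"""

# Constructed IdP active-user export: frank has no Mac, grace has left but still holds one.
IDP_ACTIVE_USERS = ["alice@example.org", "bob@example.org", "carol@example.org",
                    "dave@example.org", "erin@example.org", "frank@example.org"]

AS_OF = datetime(2026, 3, 12, 12, 0, 0)  # constructed report date
CHECKIN_WINDOW = timedelta(days=7)       # the Smart Group window from section 1
MIN_MAJOR = 14                           # supported-OS floor from section 3
ENCRYPTED = "All Partitions Encrypted"   # assumed export value for "FileVault on"


def parse_export(text):
    """Parse the CSV export into one dict per computer."""
    return list(csv.DictReader(io.StringIO(text)))


def is_stale(row, as_of, window=CHECKIN_WINDOW):
    seen = datetime.strptime(row["Last Check-in"], "%Y-%m-%d %H:%M:%S")
    return as_of - seen > window


def audit(rows, idp_users, as_of, min_major=MIN_MAJOR):
    """Return coverage ratios over all devices and over recent check-ins,
    plus the serial numbers and users that need remediation."""
    stale = [r for r in rows if is_stale(r, as_of)]
    recent = [r for r in rows if not is_stale(r, as_of)]

    def fv_ratio(group):
        return sum(r["FileVault 2 Status"] == ENCRYPTED for r in group) / len(group) if group else 0.0

    def serials(group):
        return sorted(r["Serial Number"] for r in group)

    assigned = {r["Email Address"] for r in rows}
    return {
        "filevault_coverage_all": fv_ratio(rows),
        "filevault_coverage_recent": fv_ratio(recent),
        "stale_checkin": serials(stale),
        "filevault_off": serials(r for r in rows if r["FileVault 2 Status"] != ENCRYPTED),
        "unsupported_os": serials(r for r in rows
                                  if int(r["Operating System Version"].split(".")[0]) < min_major),
        "users_without_device": sorted(set(idp_users) - assigned),
        "devices_without_active_user": serials(r for r in rows if r["Email Address"] not in idp_users),
    }


def run_sample():
    """Audit the constructed export as of the constructed report date."""
    return audit(parse_export(JAMF_EXPORT), IDP_ACTIVE_USERS, AS_OF)


if __name__ == "__main__":
    report = run_sample()
    print(f"FileVault coverage, all enrolled: {report['filevault_coverage_all']:.1%}")
    print(f"FileVault coverage, checked in within 7 days: {report['filevault_coverage_recent']:.1%}")
    for key in ("stale_checkin", "filevault_off", "unsupported_os",
                "users_without_device", "devices_without_active_user"):
        print(f"{key}: {', '.join(report[key]) or 'none'}")
```

On the constructed data the 7-day group reports 100% FileVault coverage while the full inventory reports 83%, because the one unencrypted Mac is also the one that stopped checking in; report the all-devices figure and treat every stale serial as a remediation item, not as out of scope.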
7. Common failure points
1. FileVault reported "not enabled" on a handful of devices - usually devices that enrolled before the profile was scoped. Smart Group those and remediate.
2. macOS 12 (Monterey) still on one or two older Intel MacBooks - outside the supported-OS window. Upgrade, replace, or remove from scope.
3. Self-service Rapid Security Responses ignored for weeks. Switch from self-service to managed software updates with a 7-day enforcement window.
4. An exception group that turns off Gatekeeper for developers. Narrow the scope sharply - developer exceptions are fine if documented, but blanket exceptions fail.
What Fig checks
Our CE readiness scan reviews Jamf inventory exports and Smart Group coverage against the specific v3.3 clauses above. Jamf-managed Mac estates pass first-time at >96% when FileVault coverage is ≥99% and all devices are on macOS 14+.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.