The other main products in Jamf’s portfolio are Jamf Protect, Jamf Account, Jamf Now, and Jamf Connect. The Jamf extension does not currently support these products.
Jamf Pro Attack Paths
Jamf Pro is a highly valuable target in the modern enterprise. The privileged MDM actions required to administer Apple devices with Jamf Pro can provide elevated access to local devices and complicate the job of defensive teams trying to separate benign administrative behavior from attacker activity. Compromising a Jamf Pro tenant can give attackers broad access to move laterally to Apple devices, exfiltrate information, lock or DoS devices, and more.
Available Collectors
The Jamf extension supports two collector paths:
- OpenHound Jamf collector: The SpecterOps-supported Jamf collector. This is the primary documented path for collecting Jamf data for BloodHound.
- JamfHound collector: An alternative Jamf collector that also targets the Jamf extension schema.
Jamf Pro Trial
Jamf Pro provides a free trial for organizations interested in testing their MDM capability.
References
We recommend reading the following posts and pages to learn more about potential Jamf Pro attack vectors:
- Lance Cain and Daniel Mayer (SpecterOps): Leveraging Jamf For Red Teaming in Enterprise Environments
- Video: Leveraging Jamf For Red Teaming in Enterprise Environments
- Calum Hall and Luke Roberts (GitHub): Come to the Dark Side, We Have Apples | Turning macOS Management Evil
- (1nf1n1ty): macOS Red Teaming | Abusing MDMs
Research Tools
Here are some interesting GitHub repositories related to Jamf Pro security research:
Community
Please join us in the #jamf channel of the BloodHound Community Slack workspace if you want to chat about attack paths in Jamf. You are also welcome to open an issue or pull request on GitHub.