jamf_connect_monitor_schema.json
{
"title": "Jamf Connect Monitor Configuration",
"description": "Enterprise security monitoring settings for Jamf Connect privilege elevation detection with legitimate elevation tracking. SMTP SETUP: 1) Select provider type, 2) Leave server/port blank for auto-config, 3) Enter username/password/from-address based on provider requirements.",
"version": "2.4.0",
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"NotificationSettings": {
"title": "📢 Notification Settings",
"description": "Configure how security violations are reported",
"type": "object",
"properties": {
"WebhookType": {
"title": "Webhook Platform",
"description": "Select your webhook platform for proper message formatting",
"type": "string",
"enum": ["none", "slack", "teams"],
"enum_titles": ["None", "Slack", "Microsoft Teams"],
"default": "none",
"property_order": 10,
"options": {
"infoText": "Teams recommended (Slack webhooks are being deprecated)"
}
},
"WebhookURL": {
"title": "Webhook URL",
"description": "Complete webhook URL for real-time security alerts",
"type": "string",
"format": "uri",
"property_order": 11,
"options": {
"infoText": "Teams: https://outlook.office.com/webhook/... | Slack: https://hooks.slack.com/..."
}
},
"EmailRecipient": {
"title": "Security Team Email",
"description": "Email address for violation reports and alerts",
"type": "string",
"format": "email",
"property_order": 20,
"options": {
"infoText": "Example: security@yourcompany.com"
}
},
"SMTPProvider": {
"title": "SMTP Provider Type",
"description": "Select your SMTP provider for configuration guidance",
"type": "string",
"enum": ["gmail", "office365", "sendgrid", "aws_ses", "smtp2go", "mailgun", "custom"],
"enum_titles": [
"Gmail (requires App Password)",
"Office 365 / Exchange Online",
"SendGrid (use 'apikey' as username)",
"AWS SES",
"SMTP2GO (requires domain verification)",
"Mailgun (requires domain verification)",
"Custom / Other SMTP Server"
],
"default": "custom",
"property_order": 25,
"options": {
"infoText": "If server/port fields are left blank, these defaults apply: Gmail→smtp.gmail.com:587, Office365→smtp.office365.com:587, SendGrid→smtp.sendgrid.net:587, SMTP2GO→mail.smtp2go.com:587"
}
},
"SMTPServer": {
"title": "SMTP Server Address",
"description": "SMTP server hostname (leave blank to use provider defaults)",
"type": "string",
"property_order": 26,
"placeholder": "Leave blank for auto-config",
"options": {
"infoText": "Defaults: Gmail=smtp.gmail.com, Office365=smtp.office365.com, SendGrid=smtp.sendgrid.net, SMTP2GO=mail.smtp2go.com"
}
},
"SMTPPort": {
"title": "SMTP Port",
"description": "SMTP server port (leave blank to use the default, 587)",
"type": "integer",
"minimum": 1,
"maximum": 65535,
"property_order": 27,
"placeholder": 587,
"options": {
"infoText": "Default 587 works for Gmail, Office365, SendGrid, SMTP2GO, Mailgun. Use 465 for implicit SSL/TLS (SMTPS)."
}
},
"SMTPUsername": {
"title": "SMTP Username",
"description": "Username for SMTP authentication",
"type": "string",
"property_order": 28,
"options": {
"infoText": "Gmail: your email, SendGrid: 'apikey', SMTP2GO: your username"
}
},
"SMTPPassword": {
"title": "SMTP Password",
"description": "Password for SMTP authentication",
"type": "string",
"format": "password",
"property_order": 29,
"options": {
"infoText": "Gmail: 16-char App Password, SendGrid: API key, SMTP2GO: account password",
"inputAttributes": {
"type": "password"
}
}
},
"SMTPFromAddress": {
"title": "From Email Address (Required)",
"description": "Email address shown as sender - must be verified with your SMTP provider",
"type": "string",
"format": "email",
"property_order": 30,
"options": {
"infoText": "Must be a verified sender address for your SMTP provider (e.g., verified domain for SMTP2GO)",
"required": true
}
},
"NotificationTemplate": {
"title": "Notification Style",
"description": "Choose notification detail level",
"type": "string",
"enum": ["simple", "detailed", "security_report"],
"enum_titles": ["Simple Alert", "Detailed Report", "Full Security Report"],
"default": "detailed",
"property_order": 30,
"options": {
"infoText": "Detailed includes hostname, user, timing. Security Report includes full system context."
}
},
"NotificationCooldownMinutes": {
"title": "Notification Cooldown (Minutes)",
"description": "Prevent spam by limiting notification frequency per device",
"type": "integer",
"minimum": 1,
"maximum": 60,
"default": 15,
"property_order": 40,
"options": {
"infoText": "Prevents notification spam during repeated violations"
}
}
},
"property_order": 10
},
"MonitoringBehavior": {
"title": "🔍 Monitoring Behavior",
"description": "Configure how monitoring operates",
"type": "object",
"properties": {
"MonitoringMode": {
"title": "Monitoring Mode",
"description": "Choose between periodic checks or real-time monitoring",
"type": "string",
"enum": ["periodic", "realtime", "hybrid"],
"enum_titles": ["Periodic (5 min)", "Real-time", "Hybrid (Both)"],
"default": "realtime",
"property_order": 10,
"options": {
"infoText": "Real-time provides immediate detection but uses more resources"
}
},
"AutoRemediation": {
"title": "Automatic Admin Removal",
"description": "Automatically remove unauthorized admin privileges",
"type": "boolean",
"default": true,
"property_order": 20,
"options": {
"infoText": "When enabled, unauthorized admin accounts are immediately demoted"
}
},
"GracePeriodMinutes": {
"title": "Grace Period (Minutes)",
"description": "Wait time before removing admin privileges",
"type": "integer",
"minimum": 0,
"maximum": 30,
"default": 5,
"property_order": 30,
"options": {
"infoText": "Allows brief admin access for legitimate elevation before removal"
}
},
"MonitorJamfConnectOnly": {
"title": "Require Jamf Connect Event for Monitoring",
"description": "Only check for violations when Jamf Connect elevation is detected",
"type": "boolean",
"default": true,
"property_order": 40,
"options": {
"infoText": "When TRUE: Only checks admins after Jamf Connect elevation. When FALSE: Always checks for unauthorized admins regardless of Jamf Connect activity."
}
}
},
"property_order": 20
},
"SecuritySettings": {
"title": "🔐 Security Settings",
"description": "Advanced security and compliance options",
"type": "object",
"properties": {
"RequireConfirmation": {
"title": "Require Confirmation Before Removal",
"description": "Prompt before removing admin privileges (disables auto-remediation)",
"type": "boolean",
"default": false,
"property_order": 10,
"options": {
"infoText": "Only enable for testing; this disables the automatic security response"
}
},
"ViolationReporting": {
"title": "Enable Violation Reporting",
"description": "Create detailed logs and reports for security violations",
"type": "boolean",
"default": true,
"property_order": 20
},
"LogRetentionDays": {
"title": "Log Retention (Days)",
"description": "How long to keep monitoring and violation logs",
"type": "integer",
"minimum": 7,
"maximum": 365,
"default": 30,
"property_order": 30,
"options": {
"infoText": "Longer retention is helpful for security audits and compliance"
}
},
"ExcludeSystemAccounts": {
"title": "Excluded System Accounts",
"description": "System accounts to ignore during monitoring",
"type": "array",
"items": {
"type": "string"
},
"default": ["_mbsetupuser", "root", "daemon"],
"property_order": 40,
"options": {
"infoText": "Default exclusions prevent false alerts for system accounts"
}
}
},
"property_order": 30
},
"JamfProIntegration": {
"title": "☁️ Jamf Pro Integration",
"description": "Configure integration with Jamf Pro services",
"type": "object",
"properties": {
"UpdateInventoryOnViolation": {
"title": "Update Inventory on Violations",
"description": "Automatically update Jamf Pro inventory when violations occur",
"type": "boolean",
"default": true,
"property_order": 10,
"options": {
"infoText": "Ensures Extension Attributes reflect current violation status"
}
},
"TriggerPolicyOnViolation": {
"title": "Policy Trigger for Violations",
"description": "Custom trigger to execute additional policies during violations",
"type": "string",
"property_order": 20,
"options": {
"infoText": "Example: security_incident_response"
}
},
"CompanyName": {
"title": "Company Name",
"description": "Organization name for branding in reports and notifications",
"type": "string",
"default": "Your Company",
"property_order": 30,
"options": {
"infoText": "Appears in security reports and notification messages"
}
},
"ITContactEmail": {
"title": "IT Support Email",
"description": "IT contact information for user notifications",
"type": "string",
"format": "email",
"property_order": 40,
"options": {
"infoText": "Included in user-facing security messages"
}
}
},
"property_order": 40
},
"AdvancedSettings": {
"title": "⚙️ Advanced Settings",
"description": "Expert configuration options",
"type": "object",
"properties": {
"DebugLogging": {
"title": "Enable Debug Logging",
"description": "Verbose logging for troubleshooting (increases log size)",
"type": "boolean",
"default": false,
"property_order": 10,
"options": {
"infoText": "Only enable during troubleshooting - significantly increases log volume"
}
},
"MonitoringInterval": {
"title": "Periodic Check Interval (Seconds)",
"description": "How often to check for violations in periodic mode",
"type": "integer",
"minimum": 60,
"maximum": 3600,
"default": 300,
"property_order": 20,
"options": {
"infoText": "Only applies when Monitoring Mode is Periodic or Hybrid"
}
},
"MaxNotificationsPerHour": {
"title": "Max Notifications Per Hour",
"description": "Rate limit to prevent notification flooding",
"type": "integer",
"minimum": 1,
"maximum": 60,
"default": 10,
"property_order": 30,
"options": {
"infoText": "Prevents overwhelming security team during major incidents"
}
},
"AutoPopulateApprovedAdmins": {
"title": "Auto-populate Approved Admin List",
"description": "Automatically create approved admin list from current administrators during installation",
"type": "boolean",
"default": true,
"property_order": 40,
"options": {
"infoText": "Recommended: creates a baseline from the current admin accounts"
}
}
},
"property_order": 50
}
}
}