Integrating Jamf with Endpoint Protection Mobile

This guide describes the steps required to integrate Jamf with Symantec Endpoint Protection Mobile. Integrating Endpoint Protection Mobile with your organization's MDM/EMM/UEM is highly recommended because it provides:
  • Seamless deployment of Endpoint Protection Mobile across devices and groups.
  • Advanced security features and security enforcement.
Prerequisites
Before you start, make sure that your network configuration allows the required incoming and outgoing communication between your systems and Endpoint Protection Mobile.
Step 1: Selecting your MDM/EMM/UEM and downloading the relevant integration files
  1. In the Endpoint Protection Mobile management console, go to the Settings > Integrations > EMM Integration Selection tab.
    After you select an EMM, the EMM Integration Selection tab name is replaced with your EMM name.
  2. Select Jamf and click Apply Changes.
  3. Under Resources, download the following Integration setup files and the Symantec certificate:
    • mdm_configuration.zip
      The zip file contains the sep_mobile_configuration.plist property list file that you will refer to in Step 4.10.
    • client.sepmobile.securitycloud.symantec.com.x509.cer
Step 2: Setting up the Jamf API user account for the SEP Mobile integration
  1. In your Jamf portal, go to All Settings (gear icon) > System Settings > Jamf Pro User Accounts & Groups, and click + New.
  2. Click Create Standard Account and then click Next.
  3. In the Accounts tab, enter the required details for the new API user:
    • User ID: jamfapi
    • Privilege Set: Custom
    • Access Status: Enabled
    • Full Name: JAMF API USER
  4. In the Privileges tab, grant the following permissions, which are required for the integration with Symantec Endpoint Protection Mobile (C = Create, R = Read, U = Update, D = Delete).
    Under Jamf Pro Server Objects:

    | API Permission | Notes | C | R | U | D |
    |---|---|---|---|---|---|
    | Advanced Mobile Device Searches | For searching devices in Jamf Pro. | x | x | x | x |
    | Mobile Device Apps Object | App inventory from devices is used by SEP Mobile for App Security Assessments. |   | x |   |   |
    | Mobile Device Extension Attributes Object | Device extension attributes are used for tagging devices in Jamf with non-compliant incidents identified by SEP Mobile. These are created and managed by SEP Mobile. | x | x | x | x |
    | Mobile Devices Object | For getting device inventory and updating device extension attributes. (1) | x | x | x |   |
    | Smart Mobile Device Groups Object | SEP Mobile supports Smart Device Groups for scoping which devices are included in device inventory syncs. |   | x |   |   |
    | Static Mobile Device Groups Object | SEP Mobile supports Static Device Groups for scoping which devices are included in device inventory syncs. |   | x |   |   |
    | Users Object | Additional requirement for the Update Device API. See the Jamf documentation. (2) |   |   | x |   |

    Under Jamf Pro Server Actions:

    | API Permission | Notes | Setting |
    |---|---|---|
    | Send Inventory Requests to Mobile Devices Action | SEP Mobile uses this action to request that devices sync their app inventory with the Jamf server. | Allow |

    (1) The Create Mobile Device permission is an additional requirement for the /mobiledevicecommands API, which creates the MDM commands that request mobile devices to update their inventory.
    (2) The Update Users permission is an additional requirement for the "PUT /mobiledevices-{id}" API, which updates device extension attributes.
    For more information about the required privileges, refer to the Jamf documentation.
  5. Click Save.
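The permission table above is the least-privilege contract for the jamfapi account: anything missing breaks a sync, anything extra widens what a leaked API password could do. The following script is an added example, not code from the Symantec guide or from Jamf. It transcribes the table into a required set and audits a constructed account record shaped like a Jamf Classic API account response; the privilege strings are assumed to follow the "<Action> <Object>" wording, and the object names are taken from the table rather than from Jamf's own privilege list.

```python
"""Least-privilege audit of the Jamf API account used by SEP Mobile.

Added example; it is not code from the Symantec guide or from Jamf. The
REQUIRED_* maps transcribe the permission table above. SAMPLE_ACCOUNT is a
constructed record in the shape of a Classic API /JSSResource/accounts
response, and the privilege strings are assumed to read "<Action> <Object>".
"""

ACTIONS = ("Create", "Read", "Update", "Delete")

# Object privileges the integration needs (from the table above).
REQUIRED_OBJECTS = {
    "Advanced Mobile Device Searches": {"Create", "Read", "Update", "Delete"},
    "Mobile Device Apps": {"Read"},
    "Mobile Device Extension Attributes": {"Create", "Read", "Update", "Delete"},
    "Mobile Devices": {"Create", "Read", "Update"},
    "Smart Mobile Device Groups": {"Read"},
    "Static Mobile Device Groups": {"Read"},
    "Users": {"Update"},
}
# Server action the integration needs (from the table above).
REQUIRED_ACTIONS = {"Send Inventory Requests to Mobile Devices"}

# Constructed sample of what the API might return for the jamfapi user.
SAMPLE_ACCOUNT = {
    "account": {
        "name": "jamfapi",
        "privilege_set": "Custom",
        "privileges": {
            "jss_objects": [
                "Create Advanced Mobile Device Searches",
                "Read Advanced Mobile Device Searches",
                "Update Advanced Mobile Device Searches",
                "Delete Advanced Mobile Device Searches",
                "Read Mobile Device Apps",
                "Create Mobile Device Extension Attributes",
                "Read Mobile Device Extension Attributes",
                "Update Mobile Device Extension Attributes",
                "Delete Mobile Device Extension Attributes",
                "Read Mobile Devices",
                "Update Mobile Devices",
                "Delete Mobile Devices",   # over-provisioned: not in the table
                "Read Smart Mobile Device Groups",
                "Read Static Mobile Device Groups",
                "Update Users",
                "Read Computers",          # over-provisioned: unrelated object
            ],
            "jss_actions": [],             # the inventory-request action is missing
        },
    }
}


def parse_privileges(names):
    """Turn 'Read Mobile Devices'-style strings into {object: {actions}}."""
    granted = {}
    for name in names:
        action, _, obj = name.partition(" ")
        if action not in ACTIONS or not obj:
            raise ValueError(f"unexpected privilege string: {name!r}")
        granted.setdefault(obj, set()).add(action)
    return granted


def audit_account(record):
    """Report privileges the integration lacks (syncs will fail) and privileges
    beyond the documented set (unnecessary blast radius for this credential)."""
    privs = record["account"]["privileges"]
    granted = parse_privileges(privs["jss_objects"])
    missing = {}
    excess = {}
    for obj, need in REQUIRED_OBJECTS.items():
        lacking = need - granted.get(obj, set())
        if lacking:
            missing[obj] = lacking
    for obj, have in granted.items():
        extra = have - REQUIRED_OBJECTS.get(obj, set())
        if extra:
            excess[obj] = extra
    missing_actions = REQUIRED_ACTIONS - set(privs["jss_actions"])
    return {"missing": missing, "excess": excess, "missing_actions": missing_actions}


if __name__ == "__main__":
    for section, items in audit_account(SAMPLE_ACCOUNT).items():
        print(f"{section}: {items or 'none'}")
```

Run it against a record pulled from your own Jamf Pro instance (after adjusting the object names to the exact privilege wording your Jamf version returns) to confirm the account carries the documented set and nothing more; the "excess" section is the one worth reviewing periodically, since a Custom privilege set does not shrink on its own when the integration's needs change.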
Step 3 (optional): Creating the SEP Mobile deployment scope
  1. In your Jamf portal, go to Devices > Smart Device Groups.
  2. Click + New.
  3. Click the display name.
  4. Go to Criteria and click + Add.
  5. Select the relevant criteria.
  6. Click Save and then Done.
Step 4: Adding the SEP Mobile app for iOS
  1. In your Jamf portal, go to Devices > Mobile Device Apps.
  2. Click + New.
  3. For Choose an App Type, select App Store app or VPP store app.
  4. Click Next.
  5. In the search field, enter "SEP Mobile".
  6. Click Next.
  7. Add the SEP Mobile app.
  8. Select and check the following:
    • Distribution method: Install Automatically / Prompt Users to Install
    • (Optional) Automatically Force App Updates
    • Make app managed when possible:
      • Make app managed if currently installed as unmanaged
      • Remove app when MDM profile is removed
      • Prevent backup of app data
  9. Go to Scope and select the target mobile devices and users that the SEP Mobile app will be deployed to.
  10. Go to App Configuration and enter the details from the sep_mobile_configuration.plist property list file that you downloaded in Step 1.3.
    The details should be in this format:
      <dict>
        <key>OrgToken</key>
        <string>ORG_TOKEN_PLACEHOLDER</string>
        <key>Udid</key>
        <string>$UDID</string>
        <key>UserEmail</key>
        <string>$EMAIL</string>
      </dict>
  11. Click Save and then click Done.
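A mistyped App Configuration dictionary fails quietly: the app installs, but devices never enroll against your organization, and the $UDID / $EMAIL variables must survive verbatim for Jamf to expand them per device. The following script is an added example, not code from the Symantec guide or from Jamf. It wraps the <dict> from Step 4.10 in a complete property list so Python's plistlib can parse it, checks the three keys, and flags an OrgToken left at the ORG_TOKEN_PLACEHOLDER value; render_for_device() only simulates Jamf's variable substitution, which in reality happens on the Jamf server when the configuration is pushed.

```python
"""Validate the SEP Mobile App Configuration dictionary before saving it in Jamf.

Added example; not code from the Symantec guide or from Jamf. The dictionary
layout (OrgToken, Udid = $UDID, UserEmail = $EMAIL) comes from Step 4.10; the
org token values and device identifiers used below are constructed.
"""
import plistlib

PLACEHOLDER = "ORG_TOKEN_PLACEHOLDER"

# Keys the guide expects and, where fixed, the exact value each must hold.
EXPECTED = {"OrgToken": None, "Udid": "$UDID", "UserEmail": "$EMAIL"}


def build_app_config(org_token, udid="$UDID", user_email="$EMAIL"):
    """Produce the XML property list bytes for the App Configuration field."""
    return plistlib.dumps(
        {"OrgToken": org_token, "Udid": udid, "UserEmail": user_email},
        fmt=plistlib.FMT_XML,
    )


def check_app_config(data):
    """Return a list of problems; an empty list means the dictionary is usable."""
    cfg = plistlib.loads(data)
    if not isinstance(cfg, dict):
        return ["top-level element must be a <dict>"]
    problems = []
    for key, want in EXPECTED.items():
        if key not in cfg:
            problems.append(f"missing key {key}")
        elif want is not None and cfg[key] != want:
            # The Jamf payload variable must be kept literally so the server can expand it.
            problems.append(f"{key} should be the Jamf variable {want}, got {cfg[key]!r}")
    token = cfg.get("OrgToken")
    if token is not None and (not token or token == PLACEHOLDER):
        problems.append(
            "OrgToken still holds the placeholder; paste the value from sep_mobile_configuration.plist"
        )
    for key in sorted(set(cfg) - set(EXPECTED)):
        problems.append(f"unexpected key {key}")
    return problems


def render_for_device(data, udid, email):
    """Simulate Jamf expanding $UDID and $EMAIL for one enrolled device."""
    cfg = plistlib.loads(data)
    return {k: v.replace("$UDID", udid).replace("$EMAIL", email) for k, v in cfg.items()}


if __name__ == "__main__":
    draft = build_app_config(PLACEHOLDER)
    print(check_app_config(draft))
    final = build_app_config("constructed-org-token")
    print(check_app_config(final))
    print(render_for_device(final, "00008030-001A2B3C4D5E6F7A", "user@example.com"))
```

The check treats the org token as a secret-like value: it refuses the placeholder but does not print or validate the real token beyond non-emptiness, so the script can run in a pipeline without copying the token into logs.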
Step 5: Setting up the integration configuration in the Endpoint Protection Mobile management console
  1. In the Endpoint Protection Mobile management console, go to Settings > Integrations > Jamf > Basic Setup.
  2. Enter the required information under Basic Integration Setup.
    The username and password requested are those of the API user you created in Step 2.3.
  3. Click Apply Changes for the configuration to take effect.
  4. Click Check Now under Integration Status on the right to check whether the integration settings are properly configured.
  5. Scroll down to Sync Groups and select the Smart Device Groups of the deployment scope that you created in Step 3. Symantec Endpoint Protection Mobile syncs only with the devices in the selected groups.
  6. Validate the Integration Status as in Step 5.3. After the validation completes without errors, the Integration Status box turns green. Endpoint Protection Mobile then syncs the devices in the selected groups and starts reporting information to Jamf.
    If there are integration errors, the Integration Status box turns red. To see the configuration errors, click the box.
The basic integration setup ends here. To fully use the Endpoint Protection Mobile solution, proceed to Step 6: Full Integration setup.
Step 6: Enabling a full bi-directional integration
Perform the full integration setup only after successfully completing the basic integration setup.
  1. In the Endpoint Protection Mobile management console, go to Settings > Integrations > Jamf > Full Integration.
  2. Tag the devices in Jamf according to their status in Endpoint Protection Mobile. Hover over a status and click + or - to add or remove statuses.
  3. Optional: Select an Allowed Device Group.
  4. Click Apply Changes for the configuration to take effect.
Available device statuses, risk scores, and tags in a bi-directional integration with Jamf

| Device status ("When...") | Risk score/condition options | Tag options ("tag as...") | Counter tag option ("else tag as...") |
|---|---|---|---|
| Device is compromised. | - | Symantec Compromised = yes | Symantec Compromised = no |
| Device has an indication of compromise. | High | Symantec IOC High = yes | Symantec IOC High = no |
| | Medium or higher | Symantec IOC Med-High = yes | Symantec IOC Med-High = no |
| Device has a configuration vulnerability. | High | Symantec Config Vul High = yes | Symantec Config Vul High = no |
| | Medium or higher | Symantec Config Vul Med-High = yes | Symantec Config Vul Med-High = no |
| Device has an unwanted app installed. | High | Symantec Unwanted App High = yes | Symantec Unwanted App High = no |
| | Medium or higher | Symantec Unwanted App Med-High = yes | Symantec Unwanted App Med-High = no |
| Device has malware installed. | High | Symantec Malware High = yes | Symantec Malware High = no |
| | Medium or higher | Symantec Malware Med-High = yes | Symantec Malware Med-High = no |
| Device is noncompliant. | - | Symantec Compliant = no | Symantec Compliant = yes |
| Installation health | Not running Mobile Threat Defense solution properly | Symantec Unhealthy = no | Symantec Healthy = yes |