Security Frequently Asked Questions (FAQ)
Is our data encrypted?
Data in transit is encrypted using TLS with Perfect Forward Secrecy (PFS), and data at rest uses industry-standard AES-256 to encrypt fields in the database that contain sensitive information, such as passwords and FileVault individual recovery keys.
Is TLS always used?
Yes. Jamf Cloud and the latest versions of Jamf Pro installers no longer include support for SSL v3.0. For existing on-premise installations, instructions are available on Jamf Nation for removing support for SSL v3.0 and configuring supported cipher suites for Tomcat HTTPS connections.
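A check an on-premise administrator could run against the Tomcat HTTPS connector after applying that guidance, given here as an added example (not Jamf's code or configuration): it reads the connector's `sslEnabledProtocols` and `ciphers` attributes and reports SSL-era protocols and cipher suites whose names show no ephemeral key exchange. The connector snippet is constructed, and the attribute names assume the classic Tomcat `<Connector>` form.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample connector for illustration; not a Jamf-supplied configuration.
SAMPLE_CONNECTOR = """<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
    sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv3"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
             TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
             TLS_RSA_WITH_AES_256_CBC_SHA,
             SSL_RSA_WITH_3DES_EDE_CBC_SHA" />"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3"}
# JSSE-style names: forward secrecy needs an ephemeral (EC)DHE key exchange.
EPHEMERAL_KX = re.compile(r"^(TLS|SSL)_(ECDHE|DHE)_")
# TLS 1.3 suite names omit the key exchange; TLS 1.3 always uses (EC)DHE.
TLS13_SUITE = re.compile(r"^TLS_(AES|CHACHA20)_")


def split_list(value):
    """Split a comma-separated attribute, tolerating line breaks and spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def has_forward_secrecy(suite):
    """Name-based check: True only for ECDHE/DHE suites and TLS 1.3 suites."""
    return bool(EPHEMERAL_KX.match(suite) or TLS13_SUITE.match(suite))


def audit_connector(xml_text):
    """Return findings for one <Connector> element given as an XML string."""
    conn = ET.fromstring(xml_text)
    # A missing attribute means the runtime's defaults apply, so report it
    # rather than treating an empty list as a clean result.
    unset = [a for a in ("sslEnabledProtocols", "ciphers") if conn.get(a) is None]
    protocols = split_list(conn.get("sslEnabledProtocols", ""))
    ciphers = split_list(conn.get("ciphers", ""))
    return {
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
        "no_pfs": [c for c in ciphers if not has_forward_secrecy(c)],
        "unset": unset,
    }


if __name__ == "__main__":
    for finding, values in audit_connector(SAMPLE_CONNECTOR).items():
        print(f"{finding}: {values}")
```
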
How are our passwords stored?
Passwords for local Jamf Pro user accounts are hashed using SHA-512 with a unique, random salt for each user, and all other passwords are encrypted using industry-standard AES-256 with a unique, random key for each database.
Where are Jamf Cloud data centers located?
Jamf Cloud relies on Amazon Web Services (AWS) to provide infrastructure as a service (IaaS) within different geographic regions, including the United States and Germany. Data at rest remains in the region in which the Jamf Cloud instance was created.
Does Jamf use a secure Software Development Lifecycle (SDLC)?
Yes. We use an Agile methodology that incorporates cross-functional teams with members from Product Management, Engineering, Quality, and Technical Communications. Overarching Release and Quality processes ensure necessary oversight and consistency throughout the organization.
Does the Jamf Cloud hosting service have a SOC 2 Type 2 report?
We are currently preparing for a SOC 2 Type 2 report that is expected in 2017.
Does Jamf audit its security?
Jamf Pro is tested for common vulnerabilities prior to each public release, and independent third-party security assessments are periodically performed on key system components, including the Jamf Pro server and client binary. For Jamf Cloud, Jamf relies on the Amazon Web Services (AWS) Shared Responsibility Model to ensure the security of the underlying infrastructure that is provided by AWS.
Can we undertake our own security testing?
Security testing on your own systems and networks is permitted within the terms of the End User License and Service Agreement (EULSA).
Have questions that we didn't cover? Please don't hesitate to reach out to us and talk security.
July 26, 2017