Understanding MDM/Endpoint Security

Mobile Device Management is any software that allows IT to automate, control, and secure administrative policies on laptops, smartphones, tablets, or any other device connected to an organization’s network.

MDM Compliance Requirements

A Mobile Device Manager (MDM) is not a hard requirement for any framework however, it simplifies the requirements for device management within the company. We recommend getting an MDM solution because it simplifies enforcing requirements (i.e. OS patching, anti-malware management, configuration management, etc.) for each employee's device.

Secureframe MDM Integrations

Secureframe has integrations with many different MDM providers. Below you will see the MDM's we currently support. (Note: see our full list of Integrations here.)

To find out more about some popular MDM tools Secureframe integrates with, please follow the article links below:

(Note: Some articles may require signing in. Please sign in using your Secureframe credentials or social sign-in to access additional content) 

Supported MDM & Control Table

Secureframe supports a wide range of MDM (Mobile Device Management) and EDR (Endpoint Detection and Response) tools to help you pull user and device information into your platform. These integrations allow Secureframe to automatically test critical endpoint security controls, such as encryption, antivirus, firewall, and session management.

The table below outlines which controls are supported by each integration and the operating systems each tool can monitor:

Popular MDMs

• DattoRMM
• Microsoft Intune
• JumpCloud
• Kolide
• Mosyle

Try our FREE Secureframe Agent

Secureframe offers the Secureframe Agent, free for our customers to use. The Secureframe Agent is a read-only agent designed to help your organization be secure by reporting on key device settings. To read more on the Secureframe Agent, please follow the link below:

How does the Secureframe Agent work? 

Mac Users with no MDM

If you are using Xprotect as the baseline endpoint security software for Mac computers, use the below guidance to help collect the required evidence once the auditor has selected their sample from the population.

Antivirus Check

For the test "Anti-malware enforcement for user endpoints"

1. Go to "System Settings"

2. Go to "General" and then "About"

3. Click "System Report" at the bottom 

4. Scroll down to Software and click "Installations"

5. Within software name scroll down to the latest version of XProtect and take a screenshot of the visual below be sure to include the date is showing.

Password Check

For the test "Password policy on user endpoints"

1. Go to "System Preferences" →

2. Go to "Users & Groups"  and click on the “i” for the user

3. Change password to show password is required prior to accessing the operating system within the laptop/computer.

4. Take a screenshot and make sure to have the date showing as well.

HD Encryption

For the test "Hard drive encryption for user endpoints"

1. Go to "System Settings"

2. Go to "Privacy & Security"

3. Scroll down to "Firevault" and take a screenshot and upload to the relevant test be sure include the date in the screenshot.

Frequently Asked Questions (FAQ)

Who should install the MDM?

If utilizing an MDM, it should be installed on all company-issued devices (mobile and tablets can be left out of scope). 

• All employees will need to have an MDM in place.
• Contractors that do not have access to the production environment or sensitive customer information (information beyond customer name or basic information) are out of scope for the MDM solution.

What are the recommended MDM settings?

• Enable remote lock (default for most MDM software)
• Enable hard disk encryption (i.e. FileVault)
• Require OS updates to be installed
• Require automatic software updates
• Require anti-virus / anti-malware
  • Windows Defender
  • MacOS XProtect (on by default)
• Start screensaver on after: 15 minutes
• Require password
  • Require alphanumeric / complex password
  • Minimum password length: 8 characters
  • Maximum grace period: immediately
  • Maximum password age: 6 months
  • Install 1Password as a custom application if available

I noticed that some of your MDM/Endpoint integrations (SimpleMDM) do not pull in Screenlock or Policy checks. Why is that?

• That is correct and due to the fact that some of our Integrations have an API limitation and provide less data than others. 
• If an integration has an API limitation, and we are unable to pull that info from the integration, we will adjust the associated test from an Integration tests to an Upload test, to ensure the customer understands manual evidence will be required.

What type of Jamf Pro account should I use to integrate with Secureframe?

• You can use either a standard user or an API integration account, as long as it has the required read permissions.

What permissions are required for the Jamf Pro account used in the Secureframe integration?

The account must have the following read permissions:

• Read Computers

• Read Mobile Devices

• Read – macOS Configuration Profiles

I'm using Jamf Pro 11.5.0 or later. What authentication method should I choose?

• For Jamf Pro version 11.5.0 or higher, we recommend selecting Bearer token authentication when setting up the integration.

I’m still having issues syncing Jamf Pro with Secureframe. What should I check?

• First, verify your Jamf Pro version and whether you're using a custom role. If so, ensure it includes the correct read permissions. If problems persist, let us know these details and we’ll help troubleshoot further.