Tags: Jamf Pro, MDM, for responders

Jamf Pro as a weapon: one rogue profile reaches the whole Mac fleet

Jamf Pro is Tier-0 fleet control. Stolen admin and API credentials push a root cert and root-level script to every Mac. Cut the source, do not reimage laptops one by one.

Jamf Pro is to Macs what an MDM server is to any fleet: the central plane that pushes profiles, policies, and scripts to every managed device. That makes it Tier-0, and an attacker with admin access turns it into a deployment weapon.

How the attack works

An attacker obtains Jamf Pro administrator and API credentials, signs in off-hours from an unexpected ASN, and immediately mints an API role. The Jamf change log then records a new policy scoped to all managed computers, carrying a script payload and a configuration profile that installs a trusted root certificate. Managed Macs check in on their recurring interval, install the profile, and run the script as root via the Jamf binary; the script then beacons to an external host. In ATT&CK terms this is T1072, Software Deployment Tools, with T1078, Valid Accounts, T1648, Serverless Execution, and T1556, Modify Authentication Process.
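The sequence above is detectable from the Jamf change log alone: an anomalous login (unexpected ASN or off-hours) followed within a short window by a freshly minted API role and a fleet-wide policy or profile push. The following is an added detection example, not code from the original note or from Jamf; the record shape (dict keys `ts`, `actor`, `action`, `asn`, `details`), the action names, the known-ASN set and the business-hours window are all assumptions, and the log entries are constructed.

```python
"""Correlate constructed Jamf Pro change-log entries into a finding.

Added example (not Jamf's API or the note's own tooling). Field names,
action strings and the sample log are assumptions/constructed data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: one admin logs in at 02:14 UTC from an unknown ASN,
# mints an API role, then pushes a script policy and a root-cert profile
# to every managed computer. A helpdesk push the day before is benign.
SAMPLE_LOG = [
    {"ts": "2024-05-03T02:14:00Z", "actor": "jamfadmin", "action": "login",
     "asn": 64501, "details": {}},
    {"ts": "2024-05-03T02:15:30Z", "actor": "jamfadmin", "action": "api_role.create",
     "asn": 64501, "details": {"privileges": ["Create Policies", "Create Computer Profiles"]}},
    {"ts": "2024-05-03T02:20:00Z", "actor": "jamfadmin", "action": "policy.create",
     "asn": 64501, "details": {"scope": "all_computers", "script": "payload.sh"}},
    {"ts": "2024-05-03T02:21:00Z", "actor": "jamfadmin", "action": "profile.create",
     "asn": 64501, "details": {"scope": "all_computers", "payload": "root-certificate"}},
    {"ts": "2024-05-02T10:00:00Z", "actor": "helpdesk", "action": "login",
     "asn": 64500, "details": {}},
    {"ts": "2024-05-02T10:05:00Z", "actor": "helpdesk", "action": "policy.create",
     "asn": 64500, "details": {"scope": "smart_group:Marketing", "script": "printer.sh"}},
]

KNOWN_ASNS = {64500}            # assumption: the org's expected egress ASNs
BUSINESS_HOURS = range(8, 18)   # assumption: UTC hours treated as in-hours
WINDOW = timedelta(minutes=30)  # assumption: correlation window after login


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_fleet_wide(entry):
    return entry["details"].get("scope") == "all_computers"


def installs_root_cert(entry):
    # Constructed convention: profile payload names a root certificate.
    return "root" in entry["details"].get("payload", "")


def detect(log):
    """Return one finding per anomalous login that is followed, within WINDOW,
    by a new API role and at least one fleet-wide policy/profile push."""
    findings = []
    by_actor = {}
    for e in sorted(log, key=lambda e: e["ts"]):
        by_actor.setdefault(e["actor"], []).append(e)
    for actor, entries in by_actor.items():
        for login in (e for e in entries if e["action"] == "login"):
            t0 = parse_ts(login["ts"])
            anomalous = login["asn"] not in KNOWN_ASNS or t0.hour not in BUSINESS_HOURS
            window = [e for e in entries if t0 <= parse_ts(e["ts"]) <= t0 + WINDOW]
            minted_role = any(e["action"] == "api_role.create" for e in window)
            pushes = [e for e in window
                      if e["action"] in ("policy.create", "profile.create") and is_fleet_wide(e)]
            if anomalous and minted_role and pushes:
                root_cert = any(installs_root_cert(e) for e in pushes)
                findings.append({
                    "actor": actor,
                    "login_ts": login["ts"],
                    "fleet_pushes": len(pushes),
                    "root_cert": root_cert,
                    # Fleet-wide push plus a root cert is the worst case in the note.
                    "severity": "critical" if root_cert else "high",
                })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

The rule keys on the combination (anomalous login, new role, fleet-wide scope) rather than any single event, because each of those on its own is routine admin activity; the root-certificate profile only raises severity.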

Why it works

A single set of over-privileged, single-factor admin and API credentials was enough to push to the entire fleet unchecked. Devices pull and run policies on every check-in, so the rogue policy keeps executing until the source is cut.

How to fix it

Reimaging laptops while the source keeps pushing means every cleaned device is re-served the policy on its next check-in. Cut the source: revoke the compromised admin session and API role, then disable and unscope the rogue policy and profile so no device runs it on its next check-in. Going forward, rotate Jamf credentials, scope API roles to least privilege with change approval for fleet-wide pushes, enforce MFA and SSO, and remove the pushed certificate and script from affected devices. Scope actual impact from per-device policy run and check-in logs: the policy's scope lists intended targets, not the devices that actually executed it. Because the payload installed a rogue root certificate, treat every endpoint that ran it, and that endpoint's traffic, as compromised.
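Two points from the paragraphs above are worth seeing on data: a device re-runs the policy on its next check-in until the source is cut, and scope membership is not the same as execution. The following is an added example, not the note's own tooling or Jamf's API; the policy id, the scoped computer set and the per-device policy log tuples `(computer_id, policy_id, status, ts)` are constructed, and the status strings are assumptions.

```python
"""Separate devices that actually ran a rogue policy from devices that were
merely scoped to it. Added example; all data below is constructed."""
from collections import defaultdict

ROGUE_POLICY_ID = 117  # constructed id of the attacker's policy

# Constructed: "all managed computers" as the policy's scope.
SCOPED_COMPUTERS = {1001, 1002, 1003, 1004, 1005}

# Constructed per-device policy log: (computer_id, policy_id, status, ts).
# 1001 ran the policy on two consecutive check-ins because the source was
# still live; 1003 failed; 1004 and 1005 had not checked in yet.
POLICY_LOG = [
    (1001, 117, "Completed", "2024-05-03T02:45:10Z"),
    (1002, 117, "Completed", "2024-05-03T02:47:02Z"),
    (1003, 117, "Failed",    "2024-05-03T03:01:55Z"),
    (1001, 117, "Completed", "2024-05-03T03:45:10Z"),
    (1002, 42,  "Completed", "2024-05-03T02:50:00Z"),  # unrelated policy
]


def scope_impact(policy_id, scoped, log):
    """Return executed / failed-only / not-yet-run sets and per-device run counts.

    'executed' is the set to treat as compromised (root cert installed, script
    ran as root); 'not_yet_run' is why cutting the source comes first."""
    executed, failed = set(), set()
    runs = defaultdict(int)
    for computer, pid, status, _ts in log:
        if pid != policy_id:
            continue
        if status == "Completed":
            executed.add(computer)
            runs[computer] += 1
        elif status == "Failed":
            failed.add(computer)
    failed -= executed            # any successful run counts as executed
    not_yet_run = scoped - executed - failed
    return {
        "executed": executed,
        "failed_only": failed,
        "not_yet_run": not_yet_run,
        "runs": dict(runs),
    }


def repeat_runners(impact):
    """Devices that ran the policy more than once: evidence the source was
    still pushing between check-ins."""
    return {c for c, n in impact["runs"].items() if n > 1}


if __name__ == "__main__":
    impact = scope_impact(ROGUE_POLICY_ID, SCOPED_COMPUTERS, POLICY_LOG)
    print("treat as compromised:", sorted(impact["executed"]))
    print("failed only:", sorted(impact["failed_only"]))
    print("scoped but not yet run:", sorted(impact["not_yet_run"]))
    print("re-ran on a later check-in:", sorted(repeat_runners(impact)))
```

The `not_yet_run` set is the population that is still protected only by the policy being unscoped before their next check-in; `executed` is the list handed to the endpoint and network teams.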

Practice it

We built this as a GraphLattice Range scenario so responders can rehearse the fleet-wide push, the cut-the-source containment, and the least-privilege MDM access fix.