Jamf Protect Integration with Jamf Pro

Jamf Protect is an enterprise endpoint security solution for the Mac. With Jamf Protect, you can create custom detections that protect computers with real-time monitoring for suspicious and unwanted activities, while measuring computers against the Center for Internet Security (CIS) benchmarks with security insights. Jamf Protect runs without using kernel extensions to support continuous macOS updates and preserve the Apple user experience.

Integrating Jamf Protect allows you to do the following from Jamf Pro:

  • Enable automatic package deployment.

  • Download the Jamf Protect package.

  • Sync Jamf Protect plan configuration profiles.

To integrate Jamf Pro with your Jamf Protect tenant, you must do the following:

  1. Create an API Client in Jamf Protect to generate the configuration and endpoint information required by Jamf Pro.

  2. Register your Jamf Protect tenant to establish a secure connection between Jamf Pro and Jamf Protect.

Registering Your Jamf Protect Tenant in Jamf Pro

Registering your Jamf Protect tenant establishes a secure connection between Jamf Pro and Jamf Protect.

Requirements
  • Cloud Connection Services enabled

    For instructions, see Cloud Services Connection in the Jamf Pro Documentation.

  • An API Client created from Jamf Protect.

    To create an API Client, go to Administrative > API Clients in your Jamf Protect tenant.

  • The following Jamf Pro user account privileges:

    CategoryPrivilege

    Jamf Pro Server Settings

    Jamf Protect. (Read and Update)

    Cloud Services Connection (Read)

    Jamf Pro Server Actions

    Read and Download Jamf Application Assets

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Jamf Applications section, click Jamf Protect .
  3. Click Begin Registration.
  4. Enter your Jamf Protect API endpoint in the Jamf Protect API URL field.
  5. Enter your API Client configuration information in the Client ID and Password fields.
  6. Click Register.

Your Jamf Protect tenant is integrated with your Jamf Pro instance and a package download and list of plans should display.

Jamf Protect Plans in Jamf Pro

If you have a Jamf Pro subscription and registered your Jamf Protect tenant with Jamf Pro, plans from your Jamf Protect tenant are available as computer configuration profiles in Jamf Pro. You can configure the scope of plan configuration profiles to deploy them to target computers.

Keep the following in mind when configuring scope for plan configuration profiles:

  • If you delete plan configuration profiles from Jamf Protect, the plans will re-appear without a scope the next time Jamf Pro syncs with Jamf Protect (every six hours).

  • You cannot edit the settings in a Jamf Protect plan from Jamf Pro . To edit a plan, navigate to the plan in your Jamf Protect tenant. Changes to a plan on computers are applied the next time the computer checks in with Jamf Protect.

  • If the Jamf Protect PKG is deployed without a plan configuration profile, computers will not check in with the Jamf Protect Cloud and the agent will not successfully monitor for threats. Configuring scope for your plans before deploying the Jamf Protect PKG is recommended.

  • To help you find plan configuration profiles synced from Jamf Protect on the computer configuration profiles pane, "(Jamf Protect)" is appended to each profile name that is synced.

Configuring Scope for Jamf Protect Plans

You can configure the scope of available plan configuration profiles to deploy them to target computers.

Requirements
  • A Jamf Protect subscription 

  • One or more plans in Jamf Protect

    For instructions, see the Creating a Plan section in the Jamf Protect Documentation

  • Registration of your Jamf Protect tenant in Jamf Pro

    For more information, see the Jamf Protect Integration with Jamf Pro.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Jamf Applications section, click Jamf Protect .
  3. In the Jamf Protect Plans table, click the plan configuration profile you want to configure in the Profile column.
    Note:

    You can click Sync to manually check Jamf Protect for plan updates. Jamf Pro automatically syncs with Jamf Protect every six hours.

  4. Click Edit .
  5. Click the Scope tab.
  6. Configure the scope of your plan configuration profile.
  7. Click Save .

The plan configuration profile is distributed to target computers the next time they check in with Jamf Pro, and the scope also displays in the Scope column on the Jamf Protect page in Jamf Pro.

If you selected the Automatically deploy the Jamf Protect PKG with plans checkbox in the Jamf Protect Deployment section, the Jamf Protect PKG is automatically deployed to computers in the scope that have not yet installed the Jamf Protect PKG.

Viewing and Retrying Jamf Protect Deployments

You can view the status of Jamf Protect deployments to see if the Jamf Protect package was successfully installed. If you need to retry a deployment, you can resend the install commands for one or more computers.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Jamf Applications section, click Jamf Protect .
  3. Next to the Jamf Protect plan for which you want to view or retry deployment, click View.

    Computers in the scope of the plan are displayed, along with their deployed version and deployment command statuses.

  4. (Optional) To retry deployment for a computer, click Retry next to the deployment command status for that computer. To retry deployment for multiple computers, select the computers you want and then click Retry Selected in the top-right corner of the pane.