Preventions

Prevent lists allow processes executed with a pre-defined hash or signing information to be blocked on computers. With prevent lists, you can block processes with the following identifiers:

  • File hashes in the following format:

    • SHA1

    • SHA256

  • Apple-specific signing information in the following formats:

    • Team IDs—A developer signing certificate issued by Apple. Team IDs are formatted alphanumerically, such as "526FTYP998". Blocking a team ID allows you to block all applications from a specific, possibly untrusted, vendor.

    • Code directory hash (CDHash)—The executing binary's code section. CDHashes identify the code section of a signed binary, represented as a SHA1 hash. To obtain the CDHash for an executing binary, execute the following command:

      codesign -dvvv /path/to/binary

      Find the SHA1 hash value, and then copy and paste it into a prevent list.

    • Signing ID—An application's identifier, such as "com.apple.calculator". Adding a signing ID to a prevent list allows you to block all versions of a specific application, including copies of the application that evade process name and path restrictions. To obtain the signing ID of any signed binary, execute the following command:

      codesign -dv /path/to/binary

      The “Identifier” value will be the signing ID, which you can copy and paste into a prevent list.

Creating a Prevent List

  1. In Jamf Protect, click Prevent.

  2. Click Add New List.

  3. Enter a list name in the List Name field.

  4. Choose one of the following prevent types:

    • File Hash—An executing binary file that can be a SHA1or SHA256 hash.

    • Signing Information—The signature information of an executing binary. You can specify a team ID, CDHash, or signing ID.

  5. Add list data by doing one of the following:

    • Text Input—Use the text field to add values to block.

    • File Upload—Upload a newline delimited list of values to block.

  6. Click Save.

The prevent list automatically deploys to computers with the Jamf Protect agent during the next check-in.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.