Preventions
Prevent lists allow processes executed with a pre-defined hash or signing information to be blocked on computers. With prevent lists, you can block processes with the following identifiers:
- File hashes in the following format:
  - SHA1
  - SHA256
- Apple-specific signing information in the following formats:
  - Team IDs—A developer signing certificate issued by Apple. Team IDs are formatted alphanumerically, such as "526FTYP998". Blocking a team ID allows you to block all applications from a specific, possibly untrusted, vendor.
  - Code directory hash (CDHash)—The executing binary's code section. CDHashes identify the code section of a signed binary, represented as a SHA1 hash. To obtain the CDHash for an executing binary, execute the following command:
    codesign -dvvv /path/to/binary
    Find the SHA1 hash value, and then copy and paste it into a prevent list.
  - Signing ID—An application's identifier, such as "com.apple.calculator". Adding a signing ID to a prevent list allows you to block all versions of a specific application, including copies of the application that evade process name and path restrictions. To obtain the signing ID of any signed binary, execute the following command:
    codesign -dv /path/to/binary
    The "Identifier" value will be the signing ID, which you can copy and paste into a prevent list.
Creating a Prevent List
- In Jamf Protect, click Prevent.
- Click Add New List.
- Enter a list name in the List Name field.
- Choose one of the following prevent types:
  - File Hash—The SHA1 or SHA256 hash of an executing binary file.
  - Signing Information—The signature information of an executing binary. You can specify a team ID, CDHash, or signing ID.
- Add list data by doing one of the following:
  - Text Input—Use the text field to add values to block.
  - File Upload—Upload a newline-delimited list of values to block.
- Click Save.
The prevent list automatically deploys to computers with the Jamf Protect agent during the next check-in.
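The codesign lookups described earlier can be scripted to fill a newline-delimited file for File Upload. The following is an added example, not Jamf's code: `prevent_entry`, the sample functions and the output file name are hypothetical, and it assumes the wanted CDHash is the 40-hex-character `CDHash=` line and that team IDs are 10 uppercase alphanumerics, as in the example above.

```shell
#!/bin/sh
# Added example (not Jamf code). Reads `codesign -dvvv` output on stdin and
# prints one value suitable for a Signing Information prevent list.

# prevent_entry TYPE   where TYPE is signingid | teamid | cdhash
# Returns 1 (and prints nothing on stdout) when the field is missing or does
# not look like the identifier, e.g. "TeamIdentifier=not set".
prevent_entry() {
    case "$1" in
        signingid) key=Identifier     pattern='^[^[:space:]]+$' ;;
        teamid)    key=TeamIdentifier pattern='^[A-Z0-9]{10}$' ;;  # assumed format
        cdhash)    key=CDHash         pattern='^[0-9a-f]{40}$' ;;  # assumed: CDHash= line
        *) echo "unknown type: $1" >&2; return 2 ;;
    esac
    # Match the key exactly so "CandidateCDHash sha256=..." is not taken as CDHash.
    value=$(awk -F= -v key="$key" \
        '$1 == key { print substr($0, length(key) + 2); exit }')
    if printf '%s\n' "$value" | grep -Eq "$pattern"; then
        printf '%s\n' "$value"
    else
        echo "no usable $key value (got: '$value')" >&2
        return 1
    fi
}

# Constructed sample output; all values are made up except the team ID,
# which is the example string from the text above.
sample_signed() {
    cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.tool
CandidateCDHash sha256=0123456789abcdef0123456789abcdef01234567
CDHash=0123456789abcdef0123456789abcdef01234567
Authority=Developer ID Application: Example Corp (526FTYP998)
TeamIdentifier=526FTYP998
EOF
}

# Constructed sample of a binary that has no team ID.
sample_no_team() {
    printf 'Identifier=com.example.adhoc\nCDHash=89abcdef0123456789abcdef0123456789abcdef\nTeamIdentifier=not set\n'
}

# On a Mac (codesign writes to stderr):
#   codesign -dvvv /path/to/binary 2>&1 | prevent_entry cdhash >> cdhash-list.txt
for t in signingid teamid cdhash; do sample_signed | prevent_entry "$t"; done
```

Rejecting `TeamIdentifier=not set` keeps that placeholder string out of an uploaded team ID list.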