2020 Release History

New Built-in Analytics for SSH Login Activities (2020-12-09)

The following built-in analytics that monitor SSH login activities are now available in Jamf Protect:

  • SSHLogin

  • SSHLoginAsRoot

  • SSHServiceEnabledViaCmd

To learn more about these analytics, go to the Analytics page in Jamf Protect and search for each analytic.


For instructions on adding analytics to a plan, see Jamf Protect Updates.

1.2.2.222 (2020-11-24)

Version 1.2.2.222 fixes an issue that prevented the agent from successfully monitoring for some macOS GateKeeper events and reporting them in the web app.

For more information about upgrading computers to 1.2.2.222, see Jamf Protect Updates.

Note:

To deploy Jamf Protect to new computers with macOS Big Sur 11, see Jamf Protect Deployment.

Jamf Protect API and 1.2.1.221 (2020-11-18)

This release includes the availability of the Jamf Protect API and a new version of the Jamf Protect agent (1.2.1.221).

Introducing the Jamf Protect API

The Jamf Protect GraphQL API is the primary resource for programmatically interacting with Jamf Protect.

The Jamf Protect API is built using GraphQL, an advanced query service and language that allows you to granularly search and access your data from a single endpoint.

Bug Fix

Fixed an issue that caused computers to continue using the MQTT communications protocol after the computer’s plan was changed to use WebSocket/MQTT, which prevented computers from checking in to Jamf Protect on restricted networks.

For more information about upgrading computers to 1.2.0.217, see Jamf Protect Updates.

Note:

To deploy Jamf Protect to new computers with macOS Big Sur 11, see Jamf Protect Deployment.

1.2.0.217 (2020-11-16)

This release includes a new version of the Jamf Protect agent (1.2.0.217) and includes the following improvements and features:

Compatibility with macOS 11 and Apple Silicon

Jamf Protect agent 1.1.6.188 or later provides compatibility with macOS Big Sur 11.

Jamf Protect agent 1.2.0.217 is now a universal binary that runs natively on Macs with Apple silicon*.

*Hardware support is based on testing with the Mac Developer Transition Kit.

Bug Fixes

  • Fixed an issue that caused the "PlistDisguisedAsApple" analytic to incorrectly report valid Apple PLISTs as threats.

  • Fixed an issue that prevented users from reliably disabling and enabling insights, which sometimes caused Jamf Protect to inaccurately display which insights were enabled or disabled in a tenant.

  • Fixed an issue that caused the protectctl repair command to return logs at the "Warn" log level instead of the "Info" log level.

For more information about upgrading computers to 1.2.0.217, see Jamf Protect Updates.

Note:

To deploy Jamf Protect to new computers with macOS Big Sur 11, see Jamf Protect Deployment.

Data Forwarding to an Amazon S3 Bucket (2020-10-23)

You can now forward data collected by the Jamf Protect Cloud to an Amazon S3 bucket in your organization.

Keep the following in mind when enabling data forwarding to Amazon S3:

  • If you do not have an Amazon S3 bucket or you want to create a dedicated S3 bucket for Jamf Protect, you can use the Jamf-provided AWS CloudFormation template to create a new S3 bucket and the IAM role for Jamf Protect. To download the template file, navigate to Administrative > Data in the Jamf Protect sidebar.

  • Only data that is sent to the Jamf Protect Cloud via an action configuration (alerts, logs, and unified logs) can be forwarded to Amazon S3.

  • In the Cloud Collection Options for action configurations, the Forward Unified Log Data to a Third Party Storage Solution checkbox is now available. This setting will send all unified log data collected by Jamf Protect to an already configured Amazon S3 bucket.

Note:

Unified log data is not displayed in the Jamf Protect web app.

To enable data forwarding, navigate to Administrative > Data in the Jamf Protect sidebar.

For more information, including instructions, see Data Forwarding to a Third Party Storage Solution.

Unified Log Remote Collection Endpoint

In action configuration settings, unified log data can now be configured with its own remote collection endpoint under Unified Log Collection Endpoints.

Note:

If you previously used the Log Collection Endpoints to send unified log data, your configured endpoint values for this setting have been automatically copied and populated into the new Unified Logs Collection Endpoint Settings.

1.1.6.193 (2020-10-16)

Version 1.1.6.193 fixes the following issues:

  • Fixed an issue that caused Jamf Protect data sent to remote collection endpoints, such as a security information and event management (SIEM) solution, to appear in an unexpected format.

Note:

Data searches that query data sent to a remote collection endpoint between 2020-10-12 9:25 PM GMT and 2020-10-16 8:45 PM GMT must include an additional "report" key in the search criteria in the following format: {"input":{"report":{"match":{"facts":...}},"retry":"endpoints"},…}

Any data sent to a remote collection endpoint outside of the above time range will be searchable with the previously used search format: {"input":{"match":{"facts":[...}]}},…}

  • Fixed an issue that caused the Jamf Protect agent to check-in at an increased frequency when insights were disabled on computers or the agent could not contact the Jamf Protect Cloud.

1.1.6.188 (2020-10-12)

This release includes a new version of the Jamf Protect agent (1.1.6.188) and includes a new deployment method, audit logs for the Jamf Protect web app, and UI enhancements for administrative settings.

Plan and Agent Deployment Updates

The Jamf Protect agent and plans can now be downloaded separately from your Jamf Protect tenant and deployed via an MDM solution. This allows users more flexibility during deployment and the ability to use an MDM solution, such as Jamf Pro, to perform mass actions and granular changes with plans.

Keep the following in mind about this new deployment method:

  • This deployment method is recommended for all target computers and required for target computers with macOS Big Sur 11* or later.

Note:

A future release of Jamf Protect will discontinue the legacy deployment method that uses a single package to install the agent and plans.

  • If Enable AutoUpdate is selected in a plan, computers with that plan will continue to automatically install the latest Jamf Protect agent version when available.

  • The plan configuration profile should be deployed first or at the same time as the Jamf Protect agent. If the Jamf Protect agent is deployed without a plan configuration profile, computers will not check in with the Jamf Protect Cloud and the agent will not successfully monitor for threats.

*Feature support is based on testing with the latest Apple beta releases.

Plan Configuration Profiles

Plan configuration profiles can be downloaded from your Jamf Protect tenant in .mobileconfig format and deployed to computers via an MDM solution.

A plan configuration profile includes the following payloads, as displayed when uploaded to Jamf Pro:

  • Applications & Custom Settings

    Includes plan settings, analytics, and action configuration

  • Privacy Preference Policy Control

    Grants Jamf Protect full disk access.

  • Certificates

    Deploys Root CA Certificate, Certificate Request Identity, WebSocket Authorizer Key

    Note:

  • Downloaded configuration profiles are signed and cannot be edited after you upload them to Jamf Pro.

  • Plan configuration profiles must be deployed via a user-approved MDM solution.

  • The Root CA will appear as untrusted on computers when installed via a plan configuration profile.

To download a plan, go to the Plans page and click the download icon next to a plan.

Jamf Protect PKG

The Jamf Protect PKG installs the latest Jamf Protect agent on computers without an associated plan or additional configuration.

To access the Jamf Protect PKG download, navigate to Administrative > Account in your Jamf Protect tenant and click the Jamf Protect PKG download link.

For more information about this deployment method, including instructions, see Jamf Protect Deployment.

Note:

If you run the Jamf Protect uninstaller provided by Jamf Support, all Jamf Protect files will be removed, except for the plan. If used, you must manually remove the plan from your MDM solution and re-install a new plan on computers in addition to the new Jamf Protect agent.

Audit Logs

Audit logs track and display all activity by users in the Jamf Protect web app. To view audit logs for your Jamf Protect tenant, navigate to Administrative > Audit Logs.

For more information, see Audit Logs.

Administrative Settings UI Enhancements

The “Information” heading in the Jamf Protect sidebar has been removed and replaced with the Administrative settings grouping. This grouping contains the following nodes:

  • Account

    Organization information, Jamf Protect PKG and advanced downloads, user information, and data retention settings

  • Documentation

    Reference tables for creating analytics and predicate-based detections

  • Audit Logs

    Activity by users in the Jamf Protect web app.

Log Level Configuration Update

The Log Level setting, which determines the severity level of Jamf Protect agent logs on computers, is now configured in a plan rather than a deployment package.

For computers that have already received a deployment package and plan via the legacy deployment method, keep the following in mind when you change the log level in a plan:

  • Computers that received log level settings from a legacy deployment package will continue to log at the previously set level, but their plan will display the log level as Not Set.

  • If you change the log level in a previously created plan from Not Set to a specific log level, the new setting will be applied to all computers assigned that plan and override the previously used log level that was configured in a legacy deployment package.

For newly created plans and deployments, keep the following in mind:

  • If you continue to use the legacy deployment method, you must set the log level in a plan.

  • By default, the log level will display as Not Set in a plan but Error will be used if a specific log level is not selected.

1.1.5.184 (2020-10-01)

Version 1.1.5.184 fixes an issue that caused Jamf Protect to use an unexpected amount of memory on some computers.

1.1.5.177 (2020-09-21)

This release includes a new version of the Jamf Protect agent (1.1.5.177) and the following improvements.

Insights Enhancements and Redesign

The following improvements have been made to Jamf Protect insights.

Insights Collection Enhancements

Computers with 1.1.5.177 or later of the Jamf Protect agent now support the following insight collection improvements:

  • Insights now align with the latest Center for Internet Security (CIS) benchmark recommendations for macOS 10.15.

  • Each enabled insight will now report accurate compliance statuses for settings regardless of whether the setting is configured locally or managed via MDM.

For more information about CIS benchmarks, see the following resource from CIS: https://www.cisecurity.org/benchmark/apple_os/

Insights Page Redesign

The Insights page has been redesigned to make it easier to view and monitor insight compliance by category, status (enabled or disabled), and CIS level.

The redesign also includes the following enhancements and changes:

  • The insight numbers that correlated to the CIS benchmarks have been removed. All insights that match a CIS benchmark recommendation now have a CIS Level tag.

  • The status bar on each insight has been redesigned to make it easier to assess overall insight compliance across all computers.

  • The Insights dashboard in the Overview section of the Jamf Protect web app has been removed.

  • The Insights status and tab in Computer Info pages have been updated to match the Insights page redesign.

To view the new Insights page, click Insights in the Jamf Protect sidebar.

For more information about managing insights for your organization, see Insight Management.

Bug Fixes and Enhancements

Values for the following information returned from the protectctl info command have been updated to correspond with the web app UI:

  • "Config ID" was renamed to "Plan ID".

  • "Config Hash" was renamed to "Plan Hash".

  • "Signature Feed" was renamed to "Threat Prevention Version".

  • "Last Info Sync" was renamed to "Last Check-in".

For information about upgrading computers to 1.1.5.177, see Jamf Protect Updates.

New Built-in Analytic (2020-09-03)

The “SuspiciousOfficeActivity” Analytic monitors for suspicious activity from weaponized macros in productivity software.

For instructions on adding this Analytic to a plan, see Jamf Protect Updates.

Deployment Bug Fix (2020-08-25)

Fixed an issue that prevented the Jamf Protect agent from being deployed with Jamf Now and other MDMs that use the InstallApplication or InstallEnterpriseApplication MDM commands.

1.1.4.169 (2020-08-20)

This release includes a new version of the Jamf Protect agent (1.1.4.169) and the following improvements.

Command-line Interface Options

You can now use the protectctl command-line tool to execute simple tasks with Jamf Protect. The following commands are available:

  • repair

    Finds and repairs issues that may occur during installation of the Jamf Protect agent

  • version

    Prints the Jamf Protect agent version installed on computers

  • info

    Prints the following information about computers:

      • Plan ID
      • Plan hash
      • Threat database version
      • The date and time of the last agent check-in
      • The date and time of the last insights check-in

  • checkin

    Forces a Jamf Protect agent check-in on computers. You can also use the --insights flag to force an insights check-in.

  • help

    Prints help information about protectctl commands

Bulk Changes for Plans

You can now change the plan on multiple computers by creating and deploying a new deployment package that contains a different plan.

For instructions, see "Manually Deploying Agent Updates" in the Jamf Protect Updates section of this guide.

Bug Fixes and Improvements

Reduced the CPU and memory usage of the Jamf Protect agent on computers.

New Built-in Analytics (2020-08-18)

The following built-in Analytics that monitor for suspicious activities that attempt to access Safari cookies and bypass authentication prompts have been released:

  • "SafariCookieAccessedWithSCP"

  • "SafariSessionAddedToKeychain"

To learn more about these Analytics, go to the Analytics page in Jamf Protect and search for each Analytic.

For instructions on adding these Analytics to a plan, see Jamf Protect Updates.

1.1.3.163 and Data Retention Settings (2020-07-31)

This release includes a new version of the Jamf Protect agent (1.1.3.163) and the following improvements.

Agent Performance Enhancements

  • Improved the usage of Apple's Endpoint Security Framework's caching capabilities during process authorization

  • Changed the log level of Unified Log Filters from info to default

  • Simplified the amount of file activity monitored by built-in Analytics

Data Retention Settings

If you send data to the Jamf Protect Cloud, you can now configure data retention settings for your organization. Data retention settings allow you to configure the following:

  • The number of days that alerts and logs are viewable in the Jamf Protect web app

  • The number of days that alerts and logs are securely archived

By default, alerts and logs are viewable and securely archived for 365 days unless the alert or log databases exceed 2 million entries.

To configure data retention settings in Jamf Protect, navigate to Accounts > Retention.

Note:

Data retention settings can only be changed once every 24 hours.

New Built-in Analytic and Other Changes (2020-07-10)

  • The “SetuidBitOnShell” Analytic monitors for shells that are executed as basic users but are running with root privileges.

  • Jamf Protect has made some changes to how we retain your alert and log data in the Jamf Protect Cloud.

  • The Threat Database Options setting in a plan is now named Built-in Threat Prevention Options.
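
The condition that the “SetuidBitOnShell” Analytic above describes, a shell started by a standard user but running with root privileges, can be checked both on disk and in process events. The following is an added example, not Jamf Protect's own analytic logic; the event field names, the shell-name list, and the sample events are assumptions constructed for illustration.

```python
import os
import stat

# Names treated as shells here (assumption; matching by name is a simplification).
SHELL_NAMES = {"sh", "bash", "zsh", "ksh", "csh", "tcsh", "dash"}

# Constructed exec events; the field names are hypothetical, not a Jamf Protect schema.
SAMPLE_EVENTS = [
    {"pid": 401, "path": "/bin/zsh", "ruid": 501, "euid": 501},       # normal user shell
    {"pid": 412, "path": "/Users/Shared/sh", "ruid": 501, "euid": 0}, # setuid-root shell
    {"pid": 420, "path": "/usr/bin/sudo", "ruid": 501, "euid": 0},    # setuid, but not a shell
    {"pid": 433, "path": "/bin/bash", "ruid": 0, "euid": 0},          # root's own shell
]


def mode_is_setuid_root(mode, owner_uid):
    """True for a regular file that is owned by root and has the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and owner_uid == 0


def read_shells(shells_file="/etc/shells"):
    """Return the shell paths listed in an /etc/shells style file."""
    paths = []
    with open(shells_file, encoding="utf-8") as handle:
        for line in handle:
            line = line.split("#", 1)[0].strip()  # drop comments and blank lines
            if line:
                paths.append(line)
    return paths


def audit_shell_files(paths):
    """Return the listed shells whose on-disk binary is setuid root."""
    findings = []
    for path in paths:
        try:
            info = os.stat(path)  # follows symlinks to the real binary
        except OSError:
            continue  # listed but not installed
        if mode_is_setuid_root(info.st_mode, info.st_uid):
            findings.append(path)
    return findings


def flag_events(events):
    """Return exec events where a shell runs with root privileges for a non-root user."""
    return [
        event for event in events
        if os.path.basename(event["path"]) in SHELL_NAMES
        and event["euid"] == 0 and event["ruid"] != 0
    ]


if __name__ == "__main__":
    for event in flag_events(SAMPLE_EVENTS):
        print("ALERT setuid shell execution:", event)
    if os.path.exists("/etc/shells"):
        for path in audit_shell_files(read_shells()):
            print("FINDING setuid-root shell on disk:", path)
```

Only the event with a real UID of 501 and an effective UID of 0 on a shell binary is flagged; sudo is setuid root by design and is not a shell, so it is ignored.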

1.1.2.149 (2020-06-22)

This release includes a new version of the Jamf Protect agent (1.1.2.149) and the following improvements:

New Built-in Analytic

The “FlashDownloadNotSignedByAdobe” Analytic monitors for threats from attackers that disguise malware and adware as an Adobe Flash Player DMG.

Bug Fixes and Enhancements

  • Fixed an issue that caused unexpected errors when Unified Log Filters were configured with an invalid predicate.

  • Improved the stability of Jamf Protect agent upgrades.

To upgrade computers to 1.1.2.149 and update plans, see Jamf Protect Updates.

Note:

If the Enable AutoUpdate setting is enabled in a plan, computers with that plan will automatically receive the agent update the next time they check in with Jamf Protect.

New Built-in Analytic (2020-06-04)

"ProcessDisguisedAsApple" creates an alert when defense evasion tactics that blend in with Apple processes on the operating system occur. To begin using this Analytic, add it to your plans.

For more information about adding an Analytic to a plan, see Jamf Protect Updates.

1.1.0.124 (2020-05-19)

This release includes a new version of the Jamf Protect agent (1.1.0.124), which supports the following new feature.

Introducing Threat Prevention

Threat Prevention is Jamf Protect's built-in feature that can detect, block, and quarantine malicious processes on the Mac. Threat Prevention uses the Jamf Protect threat database, an extensive repository of signatures and certificate information associated with known macOS malware, to monitor computers for processes that match the database. When matches occur, Jamf Protect can automatically block the matching process and quarantine the associated file.

To use Threat Prevention, you need the following:

  • Computers with macOS 10.15.0 or later

  • Computers with version 1.1.0.124 or later of the Jamf Protect agent

For agent update instructions, see the Jamf Protect Updates section of this guide.

How Jamf Protect responds to database matches can be configured with the Threat Database Options setting in a plan.

Note:

By default, existing plans will be configured to Report Only, which only creates an alert for database matches in the Jamf Protect web app. Any new plans will be configured to Block & Report threats by default.

For more information about Threat Prevention, see the Threat Prevention section of this guide.

UI Enhancements

  • Insights and computer check-in interval settings in a plan are now configured in minutes rather than seconds.

  • The Prevent tab has been renamed Threat Prevention and contains an overview of both the threat database and custom prevent lists.

1.0.5.93 (2020-04-20)

This release includes a new version of the Jamf Protect agent (1.0.5.93), which supports the following improvements.

Unified Logging

You can now filter and collect real-time macOS Unified Log messages from computers across your organization with the same predicate-based filter criteria that are often used with the log command. The Jamf Protect agent can collect log entries from configured filters, and then send them to a security information and event management (SIEM) solution. To configure this feature, click Unified Logging in the Jamf Protect sidebar.

Note:

Integration with a SIEM solution is required to use this feature.

In-App Announcements

The Jamf Protect web app now displays helpful tool tips and highlights new features. Look for the announcement icon in the Jamf Protect web app to see the latest in-app announcements and resources.

New Built-in Analytic

The "InsecureElevatedExecution" Analytic, which monitors usage of Apple's deprecated AuthorizationExecuteWithPrivileges API to escalate a user-owned executable to root, has been added to Jamf Protect. For more information, click Analytics in the Jamf Protect sidebar and enter "InsecureElevatedExecution" in the search field.

Default Deployment, Bug Fixes, and Other Enhancements (2020-04-07)

The following improvements have been made to the Jamf Protect web app:

Default Deployment Package

Jamf Protect now includes a default Deployment, Plan, and Action Configuration. The default Deployment includes the default Plan and Action Configuration and can be immediately downloaded on the "Deployments" page. The default Plan and Action Configuration can be included in additional deployments that you may create for your organization.

Bug Fixes and Other Enhancements

  • If you edit a Plan in Jamf Protect, an alert icon and dialog will display on the Computers page when a computer has not checked in and received the updated Plan. You can also select an individual computer, click the Computer Info tab, and then view the alert dialog next to the Plan Hash attribute to see the expected hash of the new Plan version.

  • Fixed an issue that sometimes prevented the "Alerts" and "Logs" pages from loading correctly when clicked.

1.0.4.91 (2020-03-18)

This release includes a new version of the Jamf Protect agent (1.0.4.91), which includes the following changes:

International Support

Jamf Protect has received agent and infrastructure updates to support non-United States and Canada users in the EMEIA region. If you are an international customer, you must deploy 1.0.4.91 or later of the Jamf Protect agent to computers.

New Built-In Analytic

The "TmpFileWithBase64Argument" Analytic, which monitors for files in a user's /tmp directory that use a large base64 string as their last argument, has been added.

Bug Fixes and Other Enhancements

  • Fixed an issue that caused the Computers page to take 10 or more seconds to load.

  • Insights are now enabled by default when creating a new Plan.

New Built-In Analytic and Bug Fix (2020-03-02)

  • Added the "EarthwormMalware" Analytic, which monitors for known arguments from the Earthworm hacking tool that can be used to move laterally across a network.
 For more information, click Analytics in the Jamf Protect sidebar and enter “EarthwormMalware” in the search field.

  • Fixed an issue that prevented some users from downloading deployment packages with Safari.

Persistent User Settings and Bug Fixes (2020-02-27)

Persistent User Settings

The Jamf Protect web app now remembers a user's selected preference of the following settings during successive logins:

  • Whether GMT Timestamp is enabled or disabled

  • Whether "Dark" or "Light" mode is selected for View Mode

  • Whether the Card or List view is selected in each section of the web app.

Bug Fixes and Other Enhancements

  • Fixed an issue that prevented Jamf Protect from redirecting to the login page when a user session was invalid or expired.

  • Fixed an issue that allowed Action configurations to be created without a name, which prevented users from selecting the Action configuration in the list view.

  • The "GateKeeperBlockedUnsignedOrUnknown" Analytic now reports as an alert rather than a log by default.

1.0.3.85 (2020-01-29)

This release includes a new version of the Jamf Protect agent (1.0.3.85) and the following enhancements and bug fixes:

Enhancements

  • Improved Jamf Protect agent communications for environments with corporate proxies using MQTT over WebSockets.

  • Added the ability to detect and use local proxy settings on macOS 10.15 or later.

Bug Fixes

  • Fixed an issue that caused all logs collected by the Jamf Protect agent on computers to report at the debug log level.

  • Fixed an issue that caused a deadlock when HTTP events performed by the agent would fail.

  • Fixed an issue that caused some Insights to report an incorrect status.

  • Fixed an issue that caused an error when sorting computers by their Plan.

  • Improved the display of filenames uploaded to create Prevention lists.