Core Components

Jamf Protect is an enterprise endpoint security solution for the Mac. With Jamf Protect, you can create custom detections that protect computers with real-time monitoring for suspicious and unwanted activities, while measuring computers against the Center for Internet Security (CIS) benchmarks with security insights. Jamf Protect runs without using kernel extensions to support continuous macOS updates and preserve the Apple user experience.

Jamf Protect Web App

The web app is used to administer computers with the agent installed, you can do the following with the web app:

  • Configure and view reports and data per computer against an industry standard benchmark (CIS).

  • Create custom agent configurations and modify a computer's plan settings.

  • Configure custom endpoints, such as an SIEM endpoint, to receive alert data directly.

  • View alert data collected on all computers, if enabled.

Jamf Protect Agent

The agent runs on your macOS computers and performs the following tasks:

  • Audits your security settings against an industry standard benchmark (CIS).

  • Monitors real-time event-driven activity generated on macOS.

  • Syncs with a plan configuration created in the web application to analyze and respond to events for a specific computer.

  • Performs an analysis for events using the highly optimized built-in game engine on the Mac.

Agent updates are regularly available from Jamf and can be installed on computers automatically or manually.

For more information, see Jamf Protect Updates.

protectctl Command-Line Tool

The Jamf Protect agent includes the protectctl tool, which allows you to execute some Terminal commands on computers. The following commands are available:

Command

Description

repair

Finds and repairs issues that may occur during installation of the Jamf Protect agent

version

Prints the Jamf Protect agent version installed on computers

info

Prints the following information about computers, including the following:

  • Agent uptime and version

  • Install Type (system extension or launch daemon)

  • Agent status (e.g., Protected, Enrolling, Missing Plan)
  • Plan ID
  • Plan hash
  • The date and time of the last agent check-in
  • The date and time of the last insights check-in

You can also use the following flags:

  • The -v flag prints verbose information about the agent, such as agent connection information (state, protocol, and identifier) and Threat Prevention information (current version and event and match count per sensor).
  • The --json flag prints the information in JSON format.
  • The --plist flag prints the information in PLIST format.
  • The --plain flag prints the information in plain text without tables.

checkin

Forces a Jamf Protect agent check-in on computers. You can also use the --insights flag to force an insights check-in.

help

Prints help information about protectctl commands

Information returned from protectctl commands can also be shared with Jamf Pro via extension attributes for additional management action. For extenstion attribute examples, see the Jamf Protect extension attribute templates available in Jamf Pro or the Jamf Protect open source GitHub repository from Jamf: https://github.com/jamf/jamfprotect.

Jamf Protect System Extension

On computers with macOS 10.15 or later, Jamf Protect installs and runs as a macOS system extension rather than a launch daemon. This improves the performance, stability, and security of Jamf Protect on computers while continuing to run in the user space.

The Jamf Protect system extension is protected by Apple's native System Integrity Protection (SIP). This reduces Jamf Protect's exposure to tampering on computers.

Jamf Protect Launch Daemon

On computers with macOS 10.14 or earlier, Jamf Protect runs as a launch daemon. The launch daemon has the identifier of com.jamf.protect.daemon and launches a root daemon process named JamfProtect. You can execute any of the following commands to manage the launch daemon:

sudo launchctl list com.jamf.protect.daemon
Validates if the launch daemon is running correctly
sudo launchctl stop com.jamf.protect.daemon

Stops the Jamf Protect launch daemon (and process)

Note:

The Jamf Protect launch daemon will automatically restart after stopping.

sudo launchctl start com.jamf.protect.daemon

Starts the Jamf Protect launch daemon (and process)

sudo launchctl unload /Library/LaunchDaemons/com.jamf.protect.daemon.plist
Completely stops the Jamf Protect launch daemon
sudo launchctl load /Library/LaunchDaemons/com.jamf.protect.daemon.plist

Restarts the Jamf Protect launch daemon after a complete stop

Installation Files

The Jamf Protect agent installs the following files on computers:
Jamf Protect application

/Applications/JamfProtect.app

Launch Daemon

/Library/LaunchDaemons/com.jamf.protect.daemon.plist

The launch daemon is only installed on computers with macOS 14.0 or earlier and computers that have not safelisted and enabled the system extension.

System Extension

Contents/Library/SystemExtensions/com.jamf.protect.security-extension.systemextension in the JamfProtect.app folder.

The Jamf Protect system extension is installed by on computers with macOS 10.15 or later and must be safelisted via a configuration profile.