Core Components
Jamf Protect is an enterprise endpoint security solution for the Mac. With Jamf Protect, you can create custom detections that protect computers with real-time monitoring for suspicious and unwanted activities, while measuring computers against the Center for Internet Security (CIS) benchmarks with security insights. Jamf Protect runs without using kernel extensions to support continuous macOS updates and preserve the Apple user experience.
Jamf Protect Web App
The web app is used to administer computers with the agent installed. You can do the following with the web app:
- Configure and view reports and data per computer against an industry standard benchmark (CIS).
- Create custom agent configurations and modify a computer's plan settings.
- Configure custom endpoints, such as a SIEM endpoint, to receive alert data directly.
- View alert data collected on all computers, if enabled.
Jamf Protect Agent
The agent runs on your macOS computers and performs the following tasks:
- Audits your security settings against an industry standard benchmark (CIS).
- Monitors real-time event-driven activity generated on macOS.
- Syncs with a plan configuration created in the web application to analyze and respond to events for a specific computer.
- Performs an analysis for events using the highly optimized built-in game engine on the Mac.
Agent updates are regularly available from Jamf and can be installed on computers automatically or manually.
For more information, see Jamf Protect Updates.
protectctl Command-Line Tool
The Jamf Protect agent includes the protectctl tool, which allows you to execute some simple commands on computers. The following commands are available:
| Command | Description |
|---|---|
| | Finds and repairs issues that may occur during installation of the Jamf Protect agent |
| | Prints the Jamf Protect agent version installed on computers |
| | Prints the following information about computers, including the following: You can also use the following flags: |
| | Forces a Jamf Protect agent check-in on computers. You can also use the |
| | Prints help information about |
Jamf Protect System Extension
On computers with macOS 10.15 or later, Jamf Protect installs and runs as a macOS system extension rather than a launch daemon. This improves the performance, stability, and security of Jamf Protect on computers while continuing to run in the user space.
The Jamf Protect system extension is protected by Apple's native System Integrity Protection (SIP). This reduces Jamf Protect's exposure to tampering on computers.
Jamf Protect Launch Daemon
On computers with macOS 10.14 or earlier, Jamf Protect runs as a launch daemon. The launch daemon has the identifier of com.jamf.protect.daemon and launches a root daemon process named JamfProtect. You can execute any of the following commands to manage the launch daemon:
- sudo launchctl list com.jamf.protect.daemon
  Determines if the launch daemon is running correctly
- sudo launchctl stop com.jamf.protect.daemon
  Stops the Jamf Protect launch daemon (and process)
  Note: The Jamf Protect launch daemon will automatically restart after stopping.
- sudo launchctl start com.jamf.protect.daemon
  Starts the Jamf Protect launch daemon (and process)
- sudo launchctl unload /Library/LaunchDaemons/com.jamf.protect.daemon.plist
  Completely stops the Jamf Protect launch daemon
- sudo launchctl load /Library/LaunchDaemons/com.jamf.protect.daemon.plist
  Restarts the Jamf Protect launch daemon after a complete stop
Installation Files
- Jamf Protect application
/Applications/JamfProtect.app
- Launch Daemon
/Library/LaunchDaemons/com.jamf.protect.daemon.plist
The launch daemon is only installed on computers with macOS 10.14 or earlier and computers that have not safelisted and enabled the system extension.
- System Extension
Contents/Library/SystemExtensions/com.jamf.protect.security-extension.systemextension in the JamfProtect.app folder.
The Jamf Protect system extension is installed on computers with macOS 10.15 or later and must be safelisted via a configuration profile.
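
The following script is an added example, not Jamf code. It uses the paths and the macOS 10.14/10.15 split described on this page to report which component a computer should have and whether its files are present. The function names and the ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Jamf code): verify the installation files this page lists.
# ROOT is a hypothetical prefix argument so a mounted or test volume can be checked.
APP="Applications/JamfProtect.app"
PLIST="Library/LaunchDaemons/com.jamf.protect.daemon.plist"
SYSEXT="$APP/Contents/Library/SystemExtensions/com.jamf.protect.security-extension.systemextension"

# expected_mode VERSION: prints "system-extension" for macOS 10.15 or later,
# "launch-daemon" for 10.14 or earlier; prints "unknown" and fails otherwise.
expected_mode() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case $n in ''|*[!0-9]*) echo unknown; return 1 ;; esac
    done
    if [ "$major" -gt 10 ] || { [ "$major" -eq 10 ] && [ "$minor" -ge 15 ]; }; then
        echo system-extension
    else
        echo launch-daemon
    fi
}

# check_install ROOT VERSION: prints one status line and returns 0 only when
# the app bundle and the component expected for VERSION are both present.
check_install() {
    root=${1%/}
    mode=$(expected_mode "$2") || { echo "unknown macOS version: $2"; return 2; }
    [ -d "$root/$APP" ] || { echo "MISSING /$APP"; return 1; }
    if [ "$mode" = system-extension ]; then
        [ -e "$root/$SYSEXT" ] || { echo "MISSING system extension in app bundle"; return 1; }
    else
        [ -f "$root/$PLIST" ] || { echo "MISSING /$PLIST"; return 1; }
    fi
    echo "OK $mode"
}

# On a Mac, check the live system (skipped where sw_vers is unavailable).
if command -v sw_vers >/dev/null 2>&1; then
    check_install / "$(sw_vers -productVersion)" || echo "agent check failed" >&2
fi
```

File presence does not show that the component is running: on macOS 10.14 or earlier, follow up with the launchctl list command above, and on 10.15 or later use systemextensionsctl list to confirm the extension is activated.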