Creating a Plan

You can create one or more plans for deployment to computers in your organization.

  1. In Jamf Protect, click Plans.
  2. Click Create Plan at the top of the page.
  3. Give your plan a name and description.
  4. Select an action configuration from the Action Configuration pop-up menu.

    If you have not created an action configuration, only the "DefaultAction" will be available. To create your own action configuration, see Creating an Action Configuration.

  5. Configure the following in the Advanced Agent Configurations section:
    1. Select the Enable AutoUpdate checkbox to automatically send Jamf Protect agent updates to computers. This ensures computers are always using the most current agent and are compatible with the latest Jamf Protect features.
    2. Choose a TCP port from the Communications Protocol pop-up menu to configure communication between the agent and Jamf Protect Cloud. By default, MQTT:443 is used on macOS 10.13.5 or later, and MQTT:8883 is used on macOS 10.13.4 or earlier. If you your environment uses transparent or explicit TCP proxies, you can use Websocket/MQTT:443 to secure communication via WebSocket communication protocol.
    3. Choose one of the following Built-in Threat Prevention Options to determine how Jamf Protect will respond to threat database matches:
      • Block & Report

        Block and quarantine any process that matches the threat database. This setting is enabled by default for new plans.

      • Report Only

        Disable process blocking and file quarantine but report database matches as an alert in the Jamf Protect web app. This setting is enabled by default for any plans that were created before general availability of of the Jamf Protect agent.

      • Disable

        Disable all process blocking, file quarantines, and reporting in response to a threat database match

    4. Choose a level from the Log Level pop-up menu to configure the log level of Jamf Protect on computers.
  6. (Optional) Configure Endpoint Information Collection settings.

    By default, all Computer Check-in Information options are selected, and the default Sync Interval is every five minutes.


    Deselected inventory information in a plan will not be visible in Jamf Protect or a configured data collection endpoint for computers assigned to the plan.

  7. (Optional) Configure insights settings.

    By default, the Enable Insights Collection setting is enabled, and the default Insights Collection Interval is 1440 minutes (one day). The collection interval must be between 5 and 1440 minutes.


    Enabling insights in a plan only collects data for insights you have enabled on the Insights page. For more information about individual insights, click Insights in the Jamf Protect sidebar.

  8. Click Save

You can now add analytics to the plan.

Adding Analytics to a Plan

You can add and edit which analytics are included in a plan. Analytics are not automatically added to plans, and you must manually add them when the following occurs:

  • You create a new plan

  • You create a new analytic that you want to include in a plan

  • Jamf adds a new built-in analytic that you want to include in a plan

  1. In Jamf Protect, click Plans.
  2. Select the plan you want to add analytics to.
  3. Click the Analytics tab.
  4. Choose which analytics you want to add to your plan. To select all currently available analytics, select the checkbox at the top left on the page.

    When Jamf releases new built-in analytics or you create new analytics, you must manually update each existing plan to include the new analytics.

  5. Click Save Plan Analytics.

The plan now includes the added analytics. Changes to a plan are automatically sent to computers with the plan installed.

You can now download the plan in .mobileconfig format by clicking the download icon  next to the plan.

If your Jamf Protect tenant is registered with Jamf Pro, navigate to Settings > Jamf Applications > Jamf Protect and click Sync to populate your plan in Jamf Pro.

Downloading a Custom Plan to Install on Unmanaged Computers

You can customize which configuration profile payload settings and certificates are included with a plan when you download it from the Jamf Protect web app. This allows you to deploy Jamf Protect in more complex environments or install Jamf Protect without an MDM solution.


One or more plans created in Jamf Protect

  1. In Jamf Protect, click Plans.
  2. Select an existing plan.
  3. Click the Custom Profile tab.
  4. Deselect the the following from the Profile Options list:
    • Include System Extension

    • Include PPPC

    These options must be deselected to install the plan on computers that are not enrolled in an MDM solution.

  5. (Optional) Deselect any of the following additional checkboxes from the Profile Options list:
    • Sign the Profile

    • Include Websocket Certificate

    • Include Certificate Authority

    • Include Certificate Signing Request CertificateInclude Bootstrap Token

  6. Click Download.

The plan downloads to your computer and can be installed with the Jamf Protect PKG.

If you are installing the plan to computers that are not enrolled in MDM, make sure to open System Preferences and navigate to Security & Privacy > Privacy > Full Disk Access and grant Jamf Protect full disk access.