Custom Prevent Lists

Custom prevent lists allow you to block processes on computers by defining hash or signing information associated with the process. Unlike built-in Threat Prevention, items will not be quarantined when blocked. With custom prevent lists, you can block processes using the following identifiers:

  • File hashes in the following format:

    • SHA1

    • SHA256

  • Apple-specific signing information in the following formats:

    • Team IDs

      A developer signing certificate issued by Apple. Team IDs are formatted alphanumerically, such as "526FTYP998". Blocking a team ID allows you to block all applications from a specific, possibly untrusted, vendor.

    • Code directory hash (CDHash)

      The executing binary's code section. CDHashes identify the code section of a signed binary, represented as a SHA1 hash. To obtain the CDHash for an executing binary, execute the following command:

      codesign -dvvv /path/to/binary

      Find the SHA1 hash value, and then copy and paste it into a prevent list.

    • Signing ID

      An application's identifier, such as Adding a signing ID to a prevent list allows you to block all versions of a specific application, including copies of the application that evade process name and path restrictions. To obtain the signing ID of any signed binary, execute the following command:

      codesign -dv /path/to/binary

      The Identifier value will be the signing ID, which you can copy and paste into a prevent list.
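
The following shell functions are an added example, not part of the Jamf Protect documentation. They pull the signing ID, team ID, and SHA1 CDHash out of a codesign -dvvv report and check each value's shape before it is pasted into a prevent list. The sample report is constructed; reading the SHA1 value from the "CandidateCDHash sha1=" line and treating team IDs as 10 uppercase alphanumeric characters are assumptions.

```shell
#!/bin/sh
# Added example. codesign prints its report on stderr, so on a Mac run:
#   codesign -dvvv /path/to/binary 2>&1 | signing_info

# Reduce a codesign report (stdin) to the three identifiers a prevent list accepts.
signing_info() {
  awk '
    function val(s) { sub(/^[^=]*=/, "", s); return s }
    /^Identifier=/           { id = val($0) }
    /^TeamIdentifier=/       { team = val($0) }
    /^CandidateCDHash sha1=/ { cd = val($0) }   # assumed source of the SHA1 CDHash
    END {
      if (team == "not set") team = ""          # ad hoc signatures carry no team ID
      printf "signing_id=%s\nteam_id=%s\ncdhash_sha1=%s\n", id, team, cd
    }'
}

# Print one identifier (signing_id | team_id | cdhash_sha1) from a report on
# stdin; return non-zero when it is absent or malformed.
prevent_value() (
  v=$(signing_info | sed -n "s/^$1=//p")
  case "$1" in
    team_id)     pat='^[A-Z0-9]{10}$' ;;        # assumed team ID format
    cdhash_sha1) pat='^[0-9a-f]{40}$' ;;
    signing_id)  pat='^[^[:space:]]+$' ;;
    *)           exit 2 ;;
  esac
  printf '%s\n' "$v" | grep -E "$pat"
)

# Constructed sample report; the hashes and the identifier are placeholders.
sample_report() {
  cat <<'EOF'
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
CandidateCDHash sha1=0123456789abcdef0123456789abcdef01234567
CandidateCDHash sha256=89abcdef0123456789abcdef0123456789abcdef
Hash choices=sha1,sha256
CDHash=89abcdef0123456789abcdef0123456789abcdef
Authority=Developer ID Application: Example Corp (526FTYP998)
TeamIdentifier=526FTYP998
EOF
}

sample_report | signing_info
```

A binary signed without a SHA1 code directory, or with an ad hoc signature, yields no value for that identifier, and prevent_value returns non-zero instead of printing an empty line.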

Creating a Custom Prevent List

  1. In Jamf Protect, click Threat Prevention in the sidebar.
  2. Click the Custom Prevent Lists tab.
  3. Click Add New List.
  4. Give your new custom prevent list a name.
  5. Choose one of the following prevent types:
    • File Hash

      The hash of an executing binary file, which can be a SHA1 or SHA256 hash.

    • Signing Information

      The signature information of an executing binary. You can specify a team ID, code directory hash, or signing ID.

  6. Add list data by doing one of the following:
    • Text Input

      Use the text field to add values to block.

    • File Upload

      Upload a newline-delimited list of values to block.

  7. Click Save.

The custom prevent list will automatically deploy to computers during their next check-in with Jamf Protect.