Jamf Protect Deployment

You can deploy Jamf Protect to computers in your organization using one of the following methods:

  • (Jamf Pro) Directly from Jamf Pro

    If you use Jamf Pro, you can deploy the latest Jamf Protect PKG and scope plans directly from Jamf Pro. Jamf recommends this method for Jamf Pro users.

    For more information about this integration, see the Deploying Jamf Platform Products Using Jamf Pro to Connect, Manage, and Protect Mac Computers technical paper.

  • (Other MDM solutions) Manually download and upload

    If you use another MDM solution, you can download the latest Jamf Protect PKG and plans from your Jamf Protect tenant and upload them to your MDM solution for deployment. The PKG can be obtained from the Jamf Protect console or by a unique URL.

The following diagram shows how Jamf Protect is deployed:


If your Jamf Protect tenant is registered with Jamf Pro, your plans and the Jamf Protect PKG are automatically available. To access your Jamf Protect assets in Jamf Pro, navigate to Settings > Jamf Applications > Jamf Protect.

Keep the following in mind when deploying Jamf Protect:

  • If Enable AutoUpdate is enabled in a plan on computers, Jamf Protect agent updates will automatically be installed. If this setting is disabled, you must download the latest package and upload it to your MDM solution to deploy updates.

  • The plan configuration profile and Jamf Protect agent should be deployed simultaneously with your MDM solution. If the Jamf Protect agent is deployed without a plan configuration profile, computers will not check in with the Jamf Protect Cloud and the agent will not successfully monitor for threats.

Downloading the Jamf Protect Package and Plans for Deployment

Complete the following steps to manually download plan configuration profiles and the latest Jamf Protect PKG for deployment via an MDM solution.


You must have one or more plans in Jamf Protect.

  1. In Jamf Protect, click Plans.
  2. On the Plans page, click the download icon next to your plan to download its configuration profile in .mobileconfig format. Repeat this step for each plan you want to upload to your MDM solution.
  3. Click Administrative > Downloads and download the latest Jamf Protect PKG.

    If you want to automate obtaining the current installer or uninstaller PKG, the Generate Download URL feature provides a URL to the current Jamf Protect PKG without requiring authentication into the Jamf Protect Console or API.

    The URL contains a unique security identifier specific to your Jamf Protect tenant, which can be rotated if necessary.

  4. Upload your plan configuration profile to your MDM solution and configure the scope.
  5. Upload the Jamf Protect PKG to your MDM solution.
  6. Create a policy that deploys the Jamf Protect PKG to target computers.

The Jamf Protect PKG and plan configuration profiles are deployed to computers the next time they check in with your MDM solution.


The Root CA may appear as untrusted on computers when installed via a plan configuration profile.

Confirming Installation

  1. Open Activity Monitor on a test computer and search for JamfProtectAgent to confirm the agent is on the computer.

    If no activities appear, make sure View > All Processes is enabled from the menu bar.

  2. If sending computer inventory to the Jamf Protect Cloud (configured with an Action configuration), monitor computer inventory collection in the Jamf Protect web app. Complete inventory collection takes two check-ins, which occur every 5 minutes by default.
  3. Review the initial data collection in Jamf Protect Cloud or your SIEM.