Plans

Plans are comprehensive security configurations that are deployed to computers as configuration profiles. They include a selection of analytics that are paired with an action configuration and allow you to configure check-in intervals for data collection.

You can do the following using a plan:

  • Pair a plan with an an action configuration.

  • Enable automatic Jamf Protect agent updates.

  • Enable and configure inventory collection.

  • Configure Threat Prevention options.

  • Enable insights collection.

  • Add analytics.

You can deploy multiple plans and configure a unique scope for each configuration profile.

Example:

In an organization with software engineering and finance departments, you could create the following plans to target specific groups.

  • Engineering Plan

    Disables analytics that track and report certain commands (sudo, curl, etc.) that are commonly executed by software engineers.

  • Finance Plan

    Enables analytics that track and report certain commands (sudo, curl, etc.) by finance and accounting employees.

Plan Configuration Profiles

Plan configuration profiles can be downloaded from your Jamf Protect tenant in .mobileconfig format and deployed to computers via an MDM solution.

A plan configuration profile includes the following payloads:

  • Applications & Custom Settings

    Includes plan settings, analytics, action configuration

  • Privacy Preferences Policy Control

    Grants Jamf Protect full disk access.

  • Certificates

    Deploys Root CA Certificate, Certificate Request Identity, WebSocket Authorizer Key

    Note:
    • Downloaded configuration profiles are signed.

    • Plan configuration profiles must be deployed via a user-approved MDM solution.

    • The Root CA will appear as untrusted on computers when installed via a plan configuration profile.

Jamf Protect Plans in Jamf Pro

If you have a Jamf Pro subscription and registered your Jamf Protect tenant with Jamf Pro, plans from your Jamf Protect tenant are available as computer configuration profiles in Jamf Pro. You can configure the scope of plan configuration profiles to deploy them to target computers.

Keep the following in mind when configuring scope for plan configuration profiles:

  • If you delete plan configuration profiles from Jamf Protect, the plans will re-appear without a scope the next time Jamf Pro syncs with Jamf Protect (every six hours).

  • You cannot edit the settings in a Jamf Protect plan from Jamf Pro . To edit a plan, navigate to the plan in your Jamf Protect tenant. Changes to a plan on computers are applied the next time the computer checks in with Jamf Protect.

  • If the Jamf Protect PKG is deployed without a plan configuration profile, computers will not check in with the Jamf Protect Cloud and the agent will not successfully monitor for threats. Configuring scope for your plans before deploying the Jamf Protect PKG is recommended.

  • To help you find plan configuration profiles synced from Jamf Protect on the computer configuration profiles pane, "(Jamf Protect)" is appended to each profile name that is synced.