Plans are comprehensive security configurations that are deployed to computers as configuration profiles.

You can do the following using a plan:

  • Pair a plan with an an action configuration.

  • Enable automatic Jamf Protect agent updates.

  • Configure communications protocol.

  • Configure Threat Prevention options.

  • Configure log level.

  • Add Exception Sets.

  • Add a Removable Storage Control Set.

  • Configure inventory collection.

  • Enable and configure Insights collection.

  • Add analytics.

You can deploy multiple plans and configure a unique scope for each configuration profile.


In an organization with software engineering and finance departments, you could create the following plans to target specific groups.

  • Engineering Plan

    Disables analytics that track and report certain commands (sudo, curl, etc.) that are commonly executed by software engineers.

  • Finance Plan

    Enables analytics that track and report certain commands (sudo, curl, etc.) by finance and accounting employees.

Plan Configuration Profiles

Plan configuration profiles can be downloaded from your Jamf Protect tenant in .mobileconfig format and deployed to computers via an MDM solution.

A plan configuration profile includes the following payloads:

  • Applications & Custom Settings

    Includes plan settings, analytics, action configuration

  • Privacy Preferences Policy Control (PPPC)

    Grants Jamf Protect full disk access.

  • System Extension

    Safelists the Jamf Protect system extension on computers macOS 10.15 or later.

  • Certificates

    Deploys Root CA Certificate, Certificate Request Identity, WebSocket Authorizer Key

    • Downloaded configuration profiles are signed.

    • Plan configuration profiles must be deployed via a user-approved MDM solution.

    • The Root CA will appear as untrusted on computers when installed via a plan configuration profile.

Jamf Protect Plans in Jamf Pro

If you have a Jamf Pro subscription and registered your Jamf Protect tenant with Jamf Pro, plans from your Jamf Protect tenant are available as computer configuration profiles in Jamf Pro. You can configure the scope of plan configuration profiles to deploy them to target computers.

Keep the following in mind when configuring scope for plan configuration profiles:

  • If you delete plan configuration profiles from Jamf Protect, the plans will re-appear without a scope the next time Jamf Pro syncs with Jamf Protect (every six hours).

  • You cannot edit the settings in a Jamf Protect plan from Jamf Pro . To edit a plan, navigate to the plan in your Jamf Protect tenant. Changes to a plan on computers are applied the next time the computer checks in with Jamf Protect.

  • If the Jamf Protect PKG is deployed without a plan configuration profile, computers will not check in with the Jamf Protect Cloud and the agent will not successfully monitor for threats. Configuring scope for your plans before deploying the Jamf Protect PKG is recommended.

  • To help you find plan configuration profiles synced from Jamf Protect on the computer configuration profiles pane, "(Jamf Protect)" is appended to each profile name that is synced.