Release History

The release history contains a complete list of releases, features, and enhancements.

3.1.0.380 (2021-10-21)

Resolved Issue

Fixed two issues that could cause memory leaks and reduce computer performance.

3.0.0.366 (2021-10-11)

Introducing Alert Statuses and Severity

The redesigned Alerts page includes new and configurable fields to help you sort and filter alerts. This includes the following enhancements:

  • Alerts are now assigned severity levels (informational, low, medium, high). The following severity values are assigned by default:
    • Old logs that have been converted to alerts are now assigned an informational severity level. This is the minimum severity level and can be easily searched.

    • Alerts from built-in analytics and Threat Prevention database detections are pre-assigned severity levels from Jamf. Only analytic severity levels can be edited.

  • Alerts are now populated with Severity, Status, and Action fields.

    • Alert severity levels are Informational, Low, Medium, and High.

    • Possible actions include Prevented and SmartGroup.

    • Alert statuses are New, In Progress, Auto-Resolved, and Resolved.

  • You can bulk edit alert statuses in batches of 100 or by page limit.

  • You can filter alerts by Severity, Action, and Status. By default, Informational alerts and alerts with a status of Resolved or Auto-Resolved will be filtered from view.

For more information, see Alerts.

Deprecation of Jamf Protect Logs

The Jamf Protect log endpoint is removed, and all data is now automatically sent to the alerts endpoint. This impacts the following Jamf Protect features and workflows:

  • In the Jamf Protect web app, the Logs page has been removed. Any data sent to the Jamf Protect Cloud now displays on the Alerts page, and old log data is converted to alerts.

  • If you send data to a remote endpoint (such as a SIEM), the Log Collection Endpoint in action configurations is removed. To ensure existing remote data collection is not disrupted, the following migration steps are automatically completed:

    • Existing alert collection endpoints receive low, medium, and high severity alerts by default.

    • Existing log collection endpoints that are distinct from an existing alert collection endpoint are converted to an alert collection endpoint that only receives informational alerts (formerly logs).

    • If both alert and log remote data collection to the same endpoint exist, they are now merged into a single endpoint that sends all alerts (informational, low, medium, high) to the same configured endpoint.

      For more information, see Creating an Action Configuration.

  • The ListLogs GraphQL API query is deprecated. If you use this query in any workflows, you can continue to retrieve data in JSON format via the ListAlerts query that uses severity as a filter. For an example, see the Export Alert Data example API script.
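
The endpoint migration rules above, expressed as an added example (not Jamf code) that shows which severities each remote endpoint receives after the upgrade and flags action configurations left without an informational feed. The function names, configuration names, and URLs are hypothetical, and "same endpoint" is assumed to mean an exact URL match.

```python
from typing import Dict, List, Optional

# Severity sets taken from the migration rules in the release note.
ALERT_DEFAULT = ("low", "medium", "high")        # existing alert endpoints
LOG_CONVERTED = ("informational",)               # former log-only endpoints
MERGED = ("informational",) + ALERT_DEFAULT      # alert and log shared one URL


def migrate(alert_url: Optional[str], log_url: Optional[str]) -> Dict[str, tuple]:
    """Map each remote endpoint of one action configuration to the
    severities it receives after the automatic migration.
    Assumption: "same endpoint" means an exact URL string match."""
    if alert_url and log_url and alert_url == log_url:
        return {alert_url: MERGED}
    routed = {}
    if alert_url:
        routed[alert_url] = ALERT_DEFAULT
    if log_url:
        routed[log_url] = LOG_CONVERTED
    return routed


def informational_gaps(configs: Dict[str, dict]) -> List[str]:
    """Names of action configurations where no endpoint will receive
    informational alerts (the data formerly sent as logs)."""
    gaps = []
    for name, cfg in configs.items():
        routed = migrate(cfg.get("alert_url"), cfg.get("log_url"))
        if not any("informational" in sev for sev in routed.values()):
            gaps.append(name)
    return sorted(gaps)


# Constructed sample action configurations (hypothetical names and URLs).
SAMPLE = {
    "siem-shared": {"alert_url": "https://siem.example.com/jamf",
                    "log_url": "https://siem.example.com/jamf"},
    "siem-split": {"alert_url": "https://siem.example.com/alerts",
                   "log_url": "https://logs.example.com/ingest"},
    "alerts-only": {"alert_url": "https://siem.example.com/alerts"},
}

if __name__ == "__main__":
    for name, cfg in SAMPLE.items():
        print(name, migrate(cfg.get("alert_url"), cfg.get("log_url")))
    print("no informational feed:", informational_gaps(SAMPLE))
```

A configuration listed by informational_gaps had no log collection endpoint before the upgrade, so its SIEM pipeline never received the data that is now classed as informational alerts.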

Dashboard Redesigns

The Detections dashboard redesign displays alert data in a more visual and intuitive way. The dashboard includes new alert totals based on severity and a line graph that shows the total number of alerts over the selected time range. You can change the dashboard to only display alert totals from the last 24 hours, 7 days, or 30 days.

The Computers dashboard redesign includes new data sections that display computers with the most low, medium, and high severity alerts in the last 7 days.

Jamf Protect Upgrades

Upgrading computers to Jamf Protect 3.0.0.366 is strongly recommended. Earlier versions of the Jamf Protect agent will continue to detect threats and report data to the Jamf Protect Cloud or remote collection endpoints but will not correctly report alert severity.

For more information about upgrading Jamf Protect, see Jamf Protect Updates.

2.0.1.343 (2021-09-13)

Resolved Issues

  • Added mitigation for incorrectly defined PPPC configuration profile payloads, which could result in Jamf Protect running as a launch daemon instead of a system extension.

  • Fixed an issue that caused a memory leak in the Jamf Protect launch daemon or system extension processes.

  • Fixed an issue that caused Jamf Protect agent to report the install type as a daemon, even for system extension installations.

2.0.0.338 (2021-08-30)

Jamf Protect System Extension

Jamf Protect now installs and runs as a macOS system extension rather than a launch daemon on computers with macOS 10.15 or later. This improves the performance, stability, and security of Jamf Protect on computers while continuing to run in the user space.

When Jamf Protect 2.0.0.338 installs on computers with macOS 10.15 or later, the system extension will automatically be installed with the Jamf Protect application bundle. On computers with macOS 10.14 or earlier, Jamf Protect will continue to run as a launch daemon.

System Extension Requirements

  • Computers with macOS 10.15 or later

  • A configuration profile that includes a system extension and Privacy Preferences Policy Control (PPPC) payload that safelists Jamf Protect as a system extension installed on the computer.

    Important:

    If Jamf Protect is deployed without this payload, Jamf Protect will continue to run as a launch daemon until the system extension is safelisted.

For more information, see Migrating to the Jamf Protect System Extension.

System Integrity Protection Support

Jamf Protect is now protected by Apple's native System Integrity Protection (SIP). This reduces Jamf Protect's exposure to tampering on computers.

For more information about SIP, see the About System Integrity Protection on your Mac article from Apple's support website.

Further Considerations

  • The Jamf Protect application bundle now installs in the /Applications folder.

  • The protectctl command-line tool can be used to enable the Jamf Protect system extension by executing the sudo protectctl repair command after 2.0.0.338 and the system extension payload are installed. This command is automatically executed by the Jamf Protect agent every 15 minutes. To remove the system extension, run the Jamf Protect uninstaller PKG.

  • How Jamf Protect is installed (launch daemon or system extension) is reported in the web app on the Computer Info tab for each computer as the Install Type. You can also execute sudo protectctl info on computers to determine the install type.

Important Updates to Jamf Protect Profile Downloads (2021-08-05)

Important:

An upcoming release of the Jamf Protect agent introduces significant changes to how Jamf Protect installs and runs. On computers with macOS 10.15 or later, Jamf Protect will deploy as a macOS system extension and will require extra configuration profile payloads to safelist the system extension.

This release includes important changes to Jamf Protect plans and supporting configuration profiles to support Jamf Protect's upcoming migration to running as a macOS system extension. Migrating computers to the system extension, when available, is not required but strongly recommended. Computers that do not meet the requirements to run the system extension will continue to run as a launch daemon.

The following changes ensure the system extension, when available, is safelisted in your environment and can be enabled correctly:

  • Existing and new plan configuration profiles downloaded from Jamf Protect now include an updated Privacy Preferences Policy Control (PPPC) payload and a new system extension payload. This ensures any plans created or downloaded after August 5, 2021 include the required payloads to safelist Jamf Protect.

  • You can download a separate configuration profile for deployment that includes the system extension payload from the Jamf Protect web app by navigating to Administrative > Downloads and downloading the PPPC and System Extension Profile. This allows you to install the required payloads without re-deploying existing plans.

For more information about how to prepare for the upcoming Jamf Protect system extension, including additional safelisting options for Jamf Pro users, see Migrating to the Jamf Protect System Extension.

1.3.5.315 (2021-07-14)

Bug Fixes and Enhancements

  • You can now use isShell to filter custom analytics in Jamf Protect. This ensures analytics are easier to read when various shell processes are detected.

  • You can now use tty to filter custom analytics in Jamf Protect. This ensures analytics can retrieve the PTY or TTY values of a process when detected.

  • Fixed an issue that prevented the XProtect Version Up To Date insight from reporting correctly on computers with macOS 11.3.1.

  • Fixed an issue that prevented the protectctl command-line tool from installing correctly if the /usr/local/bin directory did not exist on computers.

Apple Beta Testing

This version of Jamf Protect has been tested on and is capable of running on computers with macOS Monterey 12, Beta 2.

1.3.4.294 (2021-05-24)

Bug Fixes

  • Fixed an issue that sometimes caused the Login Window Banner insight to incorrectly report as non-compliant when a PolicyBanner file located at /Library/Security contained non-ASCII characters, such as embedded images.

  • Fixed an issue that caused the Sudo Timeout Reduced insight to incorrectly report when a timeout value was entered with quotes (Defaults timestamp_timeout = "0") rather than without quotes (Defaults timestamp_timeout = 0).

  • Fixed an issue that prevented the agent from reporting USB events from Mac computers with Apple silicon.

User Roles and Email Notifications (2021-05-03)

Important:

Effective June 3, 2021, Passwordless authentication will no longer be an available authentication method within Jamf Protect. For continued access to Jamf Protect, begin logging in with an existing Jamf ID. Don't have a Jamf ID? Create one now.

User Roles and Groups

You can now assign Jamf Protect users specific permissions based on user roles and groups. User roles can be configured locally in the Jamf Protect web app or by mapping groups from your cloud identity provider (IdP).

Users can receive roles from one or more of the following methods:

  • User-based assignment: Roles can be directly assigned to a user by editing the user's settings.
  • Group-based assignment: Groups allow you to configure roles for a group that can include one or more users directly in Jamf Protect.
  • Identity Provider Mappings: Identity Provider Mappings allow you to use a group membership in Microsoft Azure AD to automatically assign roles to users in Jamf Protect.
    Note:

    Azure AD is currently the only supported IdP for role assignment via Identity Provider Mappings. If your organization uses a different IdP, use group and user-based assignment to manage roles.

For more information, see User Roles and Groups.

Email Notifications

You can configure Jamf Protect to send users email notifications about new alerts.

Emails from Jamf Protect are sent from the following address: no-reply@protect.jamfcloud.com

For more information, see Email Notifications.

1.3.3.280 (2021-04-12)

Jamf Protect agent 1.3.3.280 includes the following enhancements and bug fixes:

  • Computers now immediately receive plan updates when an administrator saves a change to a plan rather than waiting until the next agent check-in interval or forced check-in using the protectctl checkin command.

  • Fixed an issue that prevented the Keychain Automatically Locked For Inactivity and Keychain Automatically Locked When Computer Sleeps insights from reporting correctly.

  • Fixed an issue that prevented some analytics that use the GPProcessEvent sensor from detecting matching analytic events correctly on computers with macOS 10.15 or later.

New Built-in Analytics (2020-04-09)

The following analytics that monitor for suspicious behaviors in application bundles are now available:

  • NestedAppSignatureMismatch

  • ScriptDisguisedAsApplication

For additional details about these analytics, go to the Analytics page in Jamf Protect.

To begin using these analytics in your environment, add them to your Jamf Protect plans. For more information about adding analytics to a plan, see Jamf Protect Updates.

1.3.2.268 (2021-03-05)

Jamf Protect agent 1.3.2.268 includes the following enhancements and bug fixes:

  • Improved the protectctl command-line tool to include more verbose status information (e.g., Protected, Enrolling, Missing Plan) with the info command. For more information about the protectctl tool, see Core Components.

  • Added a Jamf Protect Uninstaller PKG that users can download and run on computers to remove the Jamf Protect agent. To access this download, navigate to Administrative > Downloads.

  • Fixed an issue that caused the agent to exclude some file events from Jamf Protect alerts and logs.

  • Fixed an issue that caused the Date & Time Set Automatically insight to incorrectly report on computers with macOS 11.

  • Fixed an issue that caused the EFI Version Is Valid And Regularly Checked insight to incorrectly report on Mac computers with Apple silicon.

For more information about upgrading computers to 1.3.2.268, see Jamf Protect Updates.

1.3.1.252 (2021-02-22)

This release includes UI updates for file downloads and a bug fix that addresses a Jamf Protect agent performance issue.

UI Enhancements for Jamf Protect Downloads

Download links for the latest Jamf Protect agent and other advanced download files have moved from the Account page to a new Downloads page in the Jamf Protect web app.

To access these downloads in Jamf Protect, navigate to Administrative > Downloads.

Custom Plan Configuration Profile Download Options

You can now customize which configuration profile payload settings and certificates are included with a plan when you download it from the Jamf Protect web app. This gives administrators more control over how Jamf Protect is deployed.

You can use the custom profile options to do the following:

  • Sign the configuration profile

  • Include the Privacy Preference Policy Control (PPPC) payload settings required by Jamf Protect

  • Include a WebSocket Certificate from Jamf Protect

  • Include a Certificate Authority (CA) from Jamf Protect

  • Include a Certificate Signing Request (CSR) identity from Jamf Protect

  • Include a Bootstrap Token

Note:

All custom profile download options are enabled by default. Plans downloaded using the Download button on the Plans page or synced with Jamf Pro will continue to include all additional payload settings.

To access this feature, click Plans from the Jamf Protect sidebar, select a plan, and then click the Custom Profile tab.

New Built-in Analytics

The following built-in analytics have been added to Jamf Protect:

  • The "HiddenScriptRunFromVolumes" analytic monitors for hidden shell scripts that are executed from a mounted drive.

  • The "SuspiciousFileDownload" analytic monitors for downloaded files with a known malware file name.

For more information about these new analytics, click Analytics in the Jamf Protect sidebar.

To begin using these analytics in your environment, add them to your Jamf Protect plans. For more information about adding analytics to a plan, see Jamf Protect Updates.

Note:

Version 5051 of Jamf Protect's built-in Threat Prevention feature prevents the new known malware Silver Sparrow. For more information about the Silver Sparrow macOS malware, see the Silver Sparrow Mac-specific malware blog from Jamf.

Removal of Legacy Deployments

The Deployments page has been removed from the Jamf Protect web app, and you can no longer create legacy deployments that combine the Jamf Protect agent and plans into a single package installer.

Legacy deployment packages previously created in the Jamf Protect web app are stored in the Archived Deployments tab on the Downloads page.

To continue deploying Jamf Protect to new computers, you must deploy the Jamf Protect agent and a plan configuration profile separately via an MDM solution. For more information, see Jamf Protect Deployment.

Bug Fix

Jamf Protect agent 1.3.1.252 fixes an issue that caused an unexpected increase in CPU usage on computers when users were compiling code in Java.

1.3.0.249 (2021-02-08)

This release includes a new version of the Jamf Protect agent (1.3.0.249) with the following improvements and features:

Performance Enhancements with Apple's Endpoint Security Framework

On computers with macOS 10.15 or later, Jamf Protect now uses Apple's native Endpoint Security framework to monitor for suspicious file and process events. Utilizing the Endpoint Security framework allows the Jamf Protect agent to use fewer system resources while monitoring for threats, which allows the agent to run more efficiently on computers.

For more information about upgrading computers to 1.3.0.249, see Jamf Protect Updates.

Deployment Integration with Jamf Pro 10.27.0

If you have a Jamf Pro subscription, you can now deploy Jamf Protect directly from Jamf Pro. When you register your Jamf Protect tenant with Jamf Pro, you can do the following:

  • Download the latest Jamf Protect package.

  • Sync Jamf Protect plans and deploy them as computer configuration profiles by configuring scope.

  • Receive notifications in Jamf Pro when a new Jamf Protect version is available.

For more information about this integration, see the Deploying Jamf Platform Products Using Jamf Pro to Connect, Manage, and Protect Mac Computers technical paper.