Jamf Protect uses the following security practices and interacts with the following computer system files.

Data Collection

Jamf Protect uses the Apple logic engine to monitor events, collect data, and perform actions in real-time. On computers with macOS 10.15 or later, Jamf Protect uses Apple's Endpoint Security framework to monitor file and process events. The following system events types are monitored by the Jamf Protect sensor:

  • Files

    Written, terminated, and deleted files on computers and mounted volumes

  • Processes

    Launched or exited processes on computers

  • USBs

    USB devices that are removed or ejected from computers

  • Downloads

    Files that are downloaded from the internet

  • Screenshots

    Screenshots taken by end users on computers

  • Synthetic clicks

    Programmatic mouse clicks used to dismiss notifications, approve actions, and interact with user prompts

  • Malware Removal Tool (MRT) Events

    Actions and logs from by MRT, Jamf Protect's built-in application responsible for removing targeted files from macOS

  • Gatekeeper Events

    Actions and logs from Gatekeeper, built-in feature for enforcing code signing and verifying downloaded apps before running them

  • Keylog Register Events

    New "event tap" registrations via the Core Graphics framework on macOS

Center for Internet Security (CIS) Benchmarks

Jamf Protect follows the CIS benchmarks for Apple operating systems to create Insights and Analytics.

For more information, see the Apple OS Benchmark webpage from CIS.

Insights aligns with the latest CIS benchmark recommendations for macOS 11.


Access to the Jamf Protect web app can be managed by your organization's identity provider (IdP) and leverages the OpenID Connect protocol.

For more information, see Identity Provider Integrations.


The Jamf Protect agent communicates with the following endpoints, if enabled:

  • The Jamf Protect Cloud

  • A security information and events (SIEM) management system

  • An MDM solution

The Jamf Protect agent uses the following network communication protocols:

  • All network communication is transmitted over TCP port 443 on computers. On computers with macOS 10.13.4 or earlier, port 8883 is used.

  • If your environment uses transparent or explicit TCP proxies, you can enable WebSockets to secure communication via WebSocket communication protocol.

  • Depending on the region your Jamf Protect tenant is located in, the Jamf Protect agent communicates with different AWS domains.

Jamf Protect uses Amazon's Simple Email Service (SES) to securely send emails. Email exchanges comply with Domain-based Message Authentication, Reporting and Conformance (DMARC) email authentication protocols, and emails are signed and verified using DomainKeys Identified Mail (DKIM).

System Integrity Protection

The Jamf Protect system extension is protected by Apple's native System Integrity Protection (SIP). This reduces Jamf Protect's exposure to tampering on computers.

For more information about SIP, see About System Integrity Protection on your Mac article from Apple's support website.


To ensure secure communication between the agent and Jamf Protect server, the following items are created in the system keychain:

  • The certificate signing request (CSR) certificate named for your organization and the associated private key

  • The root certificate authority, named for your organization

  • A Jamf Protect client certificate, named “JamfProtect Client <UUID>”, and the associated private key named "Jamf Protect Private Key"

  • A Jamf Protect Public Key

  • A Jamf Protect Web-Services Security (WSS) Authorizer Key

  • A Jamf Protect Verification Certificate used to verify signed updates from backend operations

The following data points are secured in the keychain and used to manage Jamf Protect:
The last check-in time of the agent
The last Insights check-in of the agent
Bootstrap information for initial communication and configuration
The configuration of the Jamf Protect agent