Setting Up Analytic Remediation With Jamf Pro

If you use Jamf Protect and Jamf Pro, you can configure an analytic action to change the membership of a smart computer group in response to an analytic.

When configured, Jamf Protect populates an extension attribute when a threat is detected; a smart group in Jamf Pro reads that attribute and updates its membership accordingly.

Jamf Pro administrators can then monitor computers in the smart group and remediate the threat. In addition, you can run a script using a policy in Jamf Pro to display an alert to users.

Setting up analytic remediation with Jamf Pro involves the following steps:

  1. Configuring Analytic Action Settings in Jamf Protect.

  2. Creating a Jamf Protect extension attribute in Jamf Pro.

  3. Creating a smart computer group using the extension attribute in Jamf Pro.

  4. (Optional) Creating an end user alert dialog script and policy.

Configuring Analytic Action Settings in Jamf Protect

To send analytic detections to Jamf Pro, you must select the Add to Jamf Pro Smart Group checkbox and configure a value that will populate a Jamf Protect extension attribute.

  1. In Jamf Protect, click Analytics.
  2. Do one of the following:
    • Select the Analytic you want to edit and click Update Actions.

    • Click Create Analytic.

  3. Select Add to Jamf Pro Smart Group.
  4. Enter a value that will populate the Jamf Pro extension attribute in the Identifier field.
    Note:

    This value must match the field defined in your Jamf Protect smart group criteria in Jamf Pro.

  5. Click Save.

When the analytic is triggered, it now writes its Identifier value to the Jamf Protect extension attribute.

To create a Jamf Protect extension attribute in Jamf Pro, see Creating an Extension Attribute.

Creating an Extension Attribute

You must add a computer extension attribute that is populated by analytics to Jamf Pro.

Depending on which version of Jamf Pro you use, do the following from the Jamf Pro computer extension attribute settings page:

  • If using Jamf Pro 10.19.0 or later, click New From Template and enter Jamf Protect - Smart Groups in the search bar to find the correct template.

  • If using Jamf Pro 10.18.0 or earlier, choose Script from the Input Type pop-up menu, and then enter the following:

    #!/bin/bash
    # Jamf Protect writes one file per triggered analytic, named after the
    # analytic action's Identifier value, into this directory.
    SMARTGROUPS_DIR="/Library/Application Support/JamfProtect/groups"
    if [ -d "$SMARTGROUPS_DIR" ]; then
        # Join the file names with commas and drop the trailing comma.
        SMART_GROUPS=$(/bin/ls "$SMARTGROUPS_DIR" | tr '\n' ',')
        echo "<result>${SMART_GROUPS%?}</result>"
    else
        # No detections have been written on this computer.
        echo "<result></result>"
    fi
    exit 0

You can now use the extension attribute as smart group membership criteria.

To create a smart group using Jamf Pro, see Creating a Smart Group in Jamf Pro.

Creating a Smart Group in Jamf Pro

In Jamf Pro, create a smart computer group that uses the Jamf Protect extension attribute to control group membership in response to a detected analytic:

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Smart Computer Groups.
  3. Click New.
  4. On the Computer Groups tab, configure basic settings and email notification preferences.
  5. On the Criteria tab, click Add > Show Advanced Criteria.
  6. Choose the Jamf Protect extension attribute you previously created.
  7. Configure the Operator and Value fields similar to the following:
    Note:

    The Value field must match the Identifier field in a Jamf Protect analytic action.

  8. Click Save.

Creating an End User Alert Dialog with Jamf Helper

Using Jamf Pro and Jamf Helper, you can create a script that will alert end users if Jamf Pro detects a threat on their computer. This script can be run by a custom trigger using a policy in Jamf Pro.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Computer Management section, click Scripts.
  3. On the General tab, configure basic information about the script.
  4. Click the Scripts tab and enter script contents similar to the following example:
    "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" \
        -windowType hud \
        -title "Possible Malicious Application" \
        -heading "Malware Detected" \
        -alignHeading natural \
        -description "Your computer may be infected with malware. Contact your IT administrator immediately." \
        -alignDescription natural \
        -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns" \
        -button1 Ok \
        -alignCountdown center \
        -lockHUD
    When triggered, the script will display an alert similar to the following:
  5. (Optional) Use the Options and Limitations tabs to configure additional settings.
  6. Click Save.

Creating a Policy to Run the Script

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings for the policy, including the following trigger and execution frequency settings:
    1. For the trigger, select Custom and then enter protect in the Custom Event field.
    2. Select Ongoing from the Execution Frequency pop-up menu.
    3. (Recommended) Select Make Available Offline.
  5. Select the Scripts payload and click Configure.
  6. Add the previously created Jamf Protect script and configure settings for the script.
  7. Click the Scope tab and configure the scope of the policy to include the previously created smart group in Jamf Pro.
  8. Click Save.

Resetting Analytic Detections on Computers

To remove a remediated computer from Jamf Pro smart groups used for Jamf Protect analytics, you can remove the extension attribute values (the Identifier values defined by the Add to Jamf Pro Smart Group analytic action setting) written by Jamf Protect.

To remove all extension attribute values written by Jamf Protect analytics from a computer, execute the following command:

/bin/rm /Library/Application\ Support/JamfProtect/groups/*

To remove a single extension attribute value written by Jamf Protect from a computer, execute the following command that specifies the Identifier value:

/bin/rm /Library/Application\ Support/JamfProtect/groups/value

The extension attribute values written by analytics are removed, and the computer is also removed from any smart groups using the Jamf Protect extension attribute as criteria the next time inventory is submitted to Jamf Pro.

To immediately submit inventory, execute /usr/local/bin/jamf recon.
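The following added example (not Jamf's own code) reproduces in one place what the extension attribute script above reads and what the reset commands remove, so you can check the round trip without touching a managed computer: it works on a constructed temporary directory instead of /Library/Application Support/JamfProtect/groups, and the identifier names are constructed.

```shell
#!/bin/bash
# Added example: the groups directory holds one file per triggered analytic,
# named after the Identifier value; the extension attribute reports the
# file names, and resetting means deleting those files.

# Return the comma-separated identifier list the extension attribute would
# report for the given directory (empty when the directory is absent or empty).
ea_value() {
    local dir="$1" groups=""
    [ -d "$dir" ] || return 0
    groups=$(/bin/ls "$dir" | tr '\n' ',')
    printf '%s' "${groups%?}"   # drop the trailing comma
}

# Remove a single identifier, the equivalent of the single-value rm command;
# the computer leaves that smart group at the next inventory submission.
reset_identifier() {
    /bin/rm -f "$1/$2"
}

# Remove every identifier, the equivalent of the rm .../groups/* command.
reset_all() {
    [ -d "$1" ] && /bin/rm -f "$1"/*
    return 0
}

# Constructed sample state: two analytics have fired on this computer.
demo() {
    local dir
    dir=$(mktemp -d)
    touch "$dir/ExampleAnalyticA" "$dir/ExampleAnalyticB"
    echo "before: $(ea_value "$dir")"
    reset_identifier "$dir" ExampleAnalyticA
    echo "after single reset: $(ea_value "$dir")"
    reset_all "$dir"
    echo "after full reset: '$(ea_value "$dir")'"
    rm -rf "$dir"
}

demo
```

On a real computer, follow the removal with /usr/local/bin/jamf recon so the smart group membership updates immediately rather than at the next scheduled inventory.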