Setting Up Analytic Remediation With Jamf Pro

If you use Jamf Protect and Jamf Pro, you can configure an analytic action to change the membership of a smart computer group in response to an analytic.

If configured, Jamf Protect populates an extension attribute when a threat is detected. A smart group in Jamf Pro reads that attribute and updates its membership accordingly. Jamf Pro administrators can then identify computers in the smart group and remediate the threat. In addition, you can run a script using a policy in Jamf Pro to display an alert to users.

Setting up analytic remediation with Jamf Pro involves the following steps:

  1. Configuring Analytic Action Settings in Jamf Protect.

  2. Creating a Jamf Protect extension attribute in Jamf Pro.

  3. Creating a smart computer group using the extension attribute in Jamf Pro.

  4. (Optional) Creating an end user alert dialog script and policy.

Configuring Analytic Action Settings in Jamf Protect

To send analytic detections to Jamf Pro, you must select the Add to Jamf Pro Smart Group checkbox and configure a value that will populate a Jamf Protect extension attribute.

  1. In Jamf Protect, click Analytics.
  2. Do one of the following:
    • Select the Analytic you want to edit and click Update Actions.

    • Click Create Analytic.

  3. Select Add to Jamf Pro Smart Group.
  4. Enter a value that will populate the Jamf Pro extension attribute in the Identifier field.

    This value must match the field defined in your Jamf Protect smart group criteria in Jamf Pro.

  5. Click Save.

When detected, the analytic will now send data to a Jamf Protect extension attribute.

To create a Jamf Protect extension attribute in Jamf Pro, see Creating an Extension Attribute.

Creating an Extension Attribute

You must add a computer extension attribute that is populated by analytics to Jamf Pro.

Depending on which version of Jamf Pro you use, do the following from the Jamf Pro computer extension attribute settings page:

  • If using Jamf Pro 10.19.0 or later, click New From Template and enter Jamf Protect - Smart Groups in the search bar to find the correct template.

  • If using Jamf Pro 10.18.0 or earlier, click , choose Script from the Input Type pop-up menu, and then enter the following:

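    #!/bin/bash
    # Directory whose entries are reported as the extension attribute value
    SMARTGROUPS_DIR=/Library/Application\ Support/JamfProtect/groups
    if [ -d "$SMARTGROUPS_DIR" ]; then
        # Join the entry names with commas, then drop the trailing comma
        SMART_GROUPS=`/bin/ls "$SMARTGROUPS_DIR" | tr '\n' ','`
        echo "<result>${SMART_GROUPS%?}</result>"
    else
        echo "<result></result>"
    fi
    exit 0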

You can now use the extension attribute as smart group membership criteria.

To create a smart group using the Jamf Protect extension attribute, see Creating a Smart Group in Jamf Pro.

Creating a Smart Group in Jamf Pro

In Jamf Pro, create a smart computer group that uses the Jamf Protect extension attribute to control group membership in response to a detected analytic:

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Smart Computer Groups.
  3. Click New.
  4. On the Computer Groups tab, configure basic settings and email notification preferences.
  5. On the Criteria tab, click Add > Show Advanced Criteria.
  6. Choose the Jamf Protect extension attribute you previously created.
  7. Configure the Operator and Value fields similar to the following:

    The Value field must match the Identifier field in a Jamf Protect analytic action.

  8. Click Save.
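
The extension attribute and the smart group Value match described above, as an added example that is not part of the original documentation or Jamf's own code. It assumes each Identifier appears as one entry in the groups directory (inferred from the script on this page); the function names, the scratch directory and the identifiers malware and malware-test are constructed for illustration.

```shell
#!/bin/sh
# Added example: emulate the extension attribute against a scratch directory.
# Directory contents and identifier names are constructed, not real detections.

# Print the <result> line for a groups directory, one identifier per entry.
# Uses a glob instead of parsing ls, so odd entry names are handled safely.
ea_result() {
    dir=$1
    out=""
    if [ -d "$dir" ]; then
        for entry in "$dir"/*; do
            [ -e "$entry" ] || continue   # empty directory: glob did not expand
            name=${entry##*/}
            out="${out:+$out,}$name"      # comma-join without a trailing comma
        done
    fi
    printf '<result>%s</result>\n' "$out"
}

# Exact-token check: is identifier $2 one of the comma-separated values in $1?
has_identifier() {
    value=${1#"<result>"}
    value=${value%"</result>"}
    case ",$value," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Build constructed sample data and print the attribute value for it.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/groups"
    : > "$tmp/groups/malware"
    : > "$tmp/groups/malware-test"
    ea_result "$tmp/groups"
    rm -rf "$tmp"
}

demo
```

Because the attribute value is a comma-separated list, a smart group criterion that uses a substring operator such as like with the value malware would also match a computer reporting only malware-test. Choosing identifiers that are not substrings of one another avoids that overlap.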

Creating an End User Alert Dialog with Jamf Helper

Using Jamf Pro and Jamf Helper, you can create a script that will alert end users if Jamf Protect detects a threat on their computer. This script can be run by a custom trigger using a policy in Jamf Pro.

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Computer Management section, click Scripts.
  3. On the General tab, configure basic information about the script.
  4. Click the Scripts tab and enter script contents similar to the following example:

    "/Library/Application Support/JAMF/bin/" -windowType hud -title "Possible Malicious Application" -heading "Malware Detected" -alignHeading natural -description "Your computer may be infected with malware. Contact your IT administrator immediately." -alignDescription natural -icon "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns" -button1 Ok -alignCountdown center -lockHUD

    When triggered, the script will display an alert similar to the following:

  5. (Optional) Use the Options and Limitations tabs to configure additional settings.
  6. Click Save.

Creating a Policy to Run the Script

  1. In Jamf Pro, click Computers at the top of the sidebar.
  2. Click Policies in the sidebar.
  3. Click New.
  4. Use the General payload to configure basic settings for the policy, including the following trigger and execution frequency settings:
    1. For the trigger, select Custom and then enter protect in the Custom Event field.
    2. Select Ongoing from the Execution Frequency pop-up menu.
    3. (Recommended) Select Make Available Offline.
  5. Select the Scripts payload and click Configure.
  6. Add the previously created Jamf Protect script and configure settings for the script.
  7. Click the Scope tab and configure the scope of the policy to include the previously created smart group in Jamf Pro.
  8. Click Save.