Jamf Protect

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
|---|---|---|---|---|---|---|---|
| Jamf Protect Users | | | | | jamf_protect_users | NDJSON | API |
| Jamf Protect Audit | | | | | jamf_protect_audit | NDJSON | API |
| Jamf Protect Computers | | | | | jamf_protect_computers | NDJSON | API |
| Jamf Protect Alerts | | | | | jamf_protect_alerts | NDJSON | API |


Overview

Jamf Protect is an endpoint security solution purpose-built for Apple devices, delivering comprehensive protection without compromising the Apple user experience. Rather than relying solely on traditional antivirus or generic endpoint tools, Jamf Protect is designed to understand macOS and iOS at a deep level, enabling it to detect, prevent, and remediate threats in ways that align with Apple’s ecosystem.  

Supported data types

Jamf Protect Users logs

Table name: jamf_protect_users

Jamf Protect Users logs provide comprehensive user account information and authentication details within the Jamf Protect platform. They track user identities, login activities, and connection details from the various authentication providers, enabling organizations to monitor user access patterns and maintain security compliance. These logs help teams track user lifecycle events, identify suspicious login activity, and ensure proper access controls across their macOS security infrastructure.

Jamf Protect Audit logs

Table name: jamf_protect_audit

Jamf Protect Audit logs provide detailed records of administrative actions and configuration changes within the Jamf Protect platform. They track operations such as policy modifications, integration settings, user management activities, and system configuration updates, ensuring complete transparency and accountability for platform administration. These logs help security teams monitor administrative actions, detect unauthorized changes, and maintain compliance with organizational security policies and regulatory requirements.

Jamf Protect Computers logs

Table name: jamf_protect_computers

Jamf Protect Computers logs provide comprehensive device inventory and security posture information for macOS endpoints managed by Jamf Protect. They track device details, operating system versions, security insights, protection plan assignments, and connection status, enabling organizations to maintain complete visibility into their endpoint security landscape. These logs help teams monitor device compliance, track security posture changes, and ensure all endpoints are properly protected and up to date with the latest security configurations.

Jamf Protect Alerts logs

Table name: jamf_protect_alerts

Jamf Protect Alerts logs provide real-time security notifications and threat detection information from the Jamf Protect platform. They track security events, threat indicators, device-specific alerts, and response actions, enabling organizations to quickly identify and respond to potential security incidents on their macOS endpoints. These logs help security teams prioritize threats, investigate security events, and maintain comprehensive threat visibility across their entire device fleet, with detailed context about the affected devices and their security posture.

Send data to Hunters

Hunters supports ingestion of Jamf Protect logs via an API.

To connect Jamf Protect logs:

  1. Generate an API token by following the steps in Creating an API Client in Jamf Protect (Jamf's documentation).

  2. Once the API client is created, follow the steps in this section to onboard the data source to the platform.

Expected format

Logs are expected in NDJSON format (newline-delimited JSON, one record per line).

Jamf Protect Users logs

{
  "id": "100",
  "email": "ANON-USER@ANON-DOMAIN.com",
  "sub": "oidc|ANON-PROVIDER|ANON-ID",
  "lastLogin": "2025-05-15T20:52:05.564942Z",
  "created": "2025-03-20T13:32:29.291411Z",
  "updated": "2025-05-09T18:17:55.660641Z",
  "connection": {
    "id": "34",
    "name": "ANON-CONNECTION-NAME",
    "created": "2025-02-24T23:33:07.748276Z",
    "updated": "2025-02-24T23:33:07.748276Z"
  }
}

Jamf Protect Audit logs

{
  "date": "2025-09-11T21:09:22.186Z",
  "args": "{\"input\":{\"s3\":{\"bucket\":\"ANON-BUCKET\",\"role\":\"arn:aws:iam::ANON-ACCOUNT:role/ANON-ROLE\",\"encrypted\":true,\"prefix\":\"jamf_protect\",\"enabled\":true},\"sentinel\":{\"sharedKey\":\"\",\"logType\":\"jamfprotect\",\"domain\":\"ANON-DOMAIN.com\",\"customerId\":\"ANON-CUSTOMER\",\"enabled\":false},\"sentinelV2\":{\"alerts\":{\"dcrImmutableId\":null,\"streamName\":null,\"enabled\":false},\"azureClientId\":null,\"endpoint\":null,\"telemetriesV2\":{\"dcrImmutableId\":null,\"streamName\":null,\"enabled\":false},\"ulogs\":{\"dcrImmutableId\":null,\"streamName\":null,\"enabled\":false},\"azureTenantId\":null,\"enabled\":false,\"telemetries\":{\"dcrImmutableId\":null,\"streamName\":null,\"enabled\":false}}}}",
  "error": "Operation Failed: InvalidForwardParameter",
  "ips": "ANON-IP",
  "op": "updateOrganizationForward",
  "user": "ANON-USER@ANON-DOMAIN.com#oidc|ANON-PROVIDER|ANON-ID",
  "resourceId": null
}

Jamf Protect Computers logs

{
  "arch": "arm64",
  "certid": "ANON_CERT_ID",
  "configHash": "ANON_CONFIG_HASH",
  "created": "2024-12-23T22:52:54Z",
  "hostName": "ANON-HOST",
  "kernelVersion": "Darwin Kernel Version X.Y.Z",
  "memorySize": 8589934592.0,
  "modelName": "ANON_MODEL",
  "osMajor": 15,
  "osMinor": 6,
  "osPatch": 1,
  "osString": "Version 15.6.1 (Build XXXX)",
  "plan": {
    "id": "ANON_ID",
    "uuid": "ANON_UUID",
    "name": "SumoLogic Integrated",
    "description": "SumoLogic integrated Plan",
    "created": "2024-12-04T16:06:51Z",
    "updated": "2025-09-08T16:31:49Z",
    "hash": "ANON_PLAN_HASH",
    "logLevel": "INFO"
  },
  "serial": "ANON_SERIAL",
  "updated": "2025-09-14T10:54:20Z",
  "uuid": "ANON_UUID",
  "version": "7.6.0.2",
  "insights": "ANON_INSIGHTS_JSON",
  "insightsStatsFail": 8,
  "insightsStatsPass": 47,
  "insightsStatsUnknown": 0,
  "insightsUpdated": "2025-09-14T10:33:35Z",
  "checkin": "2025-09-14T10:54:15Z",
  "signaturesVersion": 21068,
  "label": "",
  "tags": null,
  "provisioningUDID": "ANON_UDID",
  "installType": "systemExtension",
  "connectionStatus": "Connected",
  "lastConnection": "2025-09-14T10:54:13Z",
  "lastConnectionIp": "ANON_IP",
  "lastDisconnection": "2025-09-14T10:38:54Z",
  "lastDisconnectionReason": "MQTT_KEEP_ALIVE_TIMEOUT",
  "webProtectionActive": false,
  "fullDiskAccess": "Authorized",
  "scorecard": [
    {
      "uuid": "ANON_UUID",
      "label": "Security Auditing Enabled",
      "description": "macOS's audit facility ...",
      "section": "Logging and Auditing",
      "pass": true,
      "tags": ["CIS Level 1"],
      "enabled": true
    }
  ]
}

Jamf Protect Alerts logs

{
  "id": "REDACTED",
  "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "status": "New",
  "severity": "Low",
  "created": "2025-09-04T10:18:16Z",
  "updated": "2025-09-04T10:18:16Z",
  "received": "2025-09-04T10:18:16Z",
  "eventTimestamp": "2025-09-04T10:18:15Z",
  "actions": [],
  "tags": ["MITREattack", "BootOrLogonAutostartExecution", "Persistence", "T1547", "Visibility"],
  "eventType": "GPFSEvent",
  "computer": {
    "arch": "arm64",
    "certid": "REDACTED",
    "configHash": "REDACTED",
    "created": "2024-12-23T22:52:54Z",
    "hostName": "REDACTED-HOST",
    "kernelVersion": "Darwin Kernel Version X.X.X",
    "memorySize": 8589934592.0,
    "modelName": "REDACTED",
    "osMajor": 15,
    "osMinor": 6,
    "osPatch": 1,
    "osString": "Version 15.6.1 (Build XXXX)",
    "plan": {
      "id": "REDACTED",
      "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
      "name": "REDACTED-PLAN",
      "description": "REDACTED",
      "created": "2024-12-04T16:06:51Z",
      "updated": "2025-09-08T16:31:49Z",
      "hash": "REDACTED",
      "logLevel": "INFO"
    },
    "serial": "REDACTED",
    "updated": "2025-09-14T10:54:20Z",
    "uuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "version": "7.6.0.2",
    "insights": "{}",
    "insightsStatsFail": 8,
    "insightsStatsPass": null,
    "insightsStatsUnknown": null,
    "insightsUpdated": "2025-09-14T10:33:35Z",
    "checkin": "2025-09-14T10:54:15Z",
    "signaturesVersion": 21068,
    "label": "",
    "tags": null,
    "provisioningUDID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
    "installType": "systemExtension",
    "connectionStatus": "Connected",
    "lastConnection": "2025-09-14T10:54:13Z",
    "lastConnectionIp": "xxx.xxx.xxx.xxx/32",
    "lastDisconnection": "2025-09-14T10:38:54Z",
    "lastDisconnectionReason": "MQTT_KEEP_ALIVE_TIMEOUT",
    "webProtectionActive": null,
    "fullDiskAccess": "Authorized",
    "scorecard": null
  },
  "plan": null
}
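Two of the record shapes above need care when consumed downstream: the audit record carries its args field as JSON text nested inside the JSON record (so it must be decoded twice) and joins the e-mail and the IdP subject in user with a '#', while the alert record mixes ATT&CK technique IDs with free-form labels in tags and suffixes the computer's lastConnectionIp with /32. The following Python is an added example, not Hunters' or Jamf's code; it normalises constructed sample lines of both types into a flat shape suitable for detection queries.

```python
import json
import re

# Constructed sample NDJSON (one record per line) shaped like the audit and alert
# records above; every value is a placeholder, not data from a real tenant.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"date": "2025-09-11T21:09:22.186Z",
                "args": json.dumps({"input": {"s3": {"bucket": "ANON-BUCKET", "enabled": True}}}),
                "error": "Operation Failed: InvalidForwardParameter", "ips": "ANON-IP",
                "op": "updateOrganizationForward", "resourceId": None,
                "user": "ANON-USER@ANON-DOMAIN.com#oidc|ANON-PROVIDER|ANON-ID"}),
    json.dumps({"id": "REDACTED", "status": "New", "severity": "Low",
                "eventTimestamp": "2025-09-04T10:18:15Z", "eventType": "GPFSEvent",
                "tags": ["MITREattack", "Persistence", "T1547", "Visibility"],
                "computer": {"hostName": "REDACTED-HOST", "serial": "REDACTED",
                             "lastConnectionIp": "xxx.xxx.xxx.xxx/32"}}),
])
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")  # ATT&CK technique / sub-technique IDs

def parse_audit(rec):
    """Audit records carry 'args' as JSON text inside the JSON record, so it needs a
    second json.loads; 'user' is the e-mail and the IdP subject joined by '#'."""
    email, _, subject = rec["user"].partition("#")
    args = json.loads(rec["args"]) if isinstance(rec.get("args"), str) else rec.get("args")
    return {"kind": "audit", "time": rec["date"], "op": rec["op"], "email": email,
            "subject": subject, "failed": bool(rec.get("error")), "args": args}

def parse_alert(rec):
    """Alert tags mix ATT&CK technique IDs with labels; keep only the IDs. The
    computer's lastConnectionIp carries a /32 suffix that IP lookups do not want."""
    comp = rec.get("computer") or {}
    ip = (comp.get("lastConnectionIp") or "").split("/")[0] or None
    return {"kind": "alert", "time": rec["eventTimestamp"], "severity": rec["severity"],
            "event_type": rec["eventType"], "host": comp.get("hostName"),
            "serial": comp.get("serial"), "ip": ip,
            "techniques": [t for t in rec.get("tags") or [] if TECHNIQUE_RE.match(t)]}

def parse_ndjson(text):
    """Route each non-empty line to a normaliser by the keys that distinguish the types."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if "op" in rec and "args" in rec:
            events.append(parse_audit(rec))
        elif "eventType" in rec and "severity" in rec:
            events.append(parse_alert(rec))
    return events
```

Audit entries with failed set are the ones to review first: a failed updateOrganizationForward, as in the sample, means an attempted change to where the tenant's logs are forwarded.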