
JAMF

Overview

Why is it important for Threat Hunting?

Jamf is the most prominent way to manage macOS devices in an enterprise organization. As such, logs pulled from the Jamf API provide important information about the organization's macOS devices, which matters all the more because these macOS endpoints are usually not part of a managed Active Directory domain (unlike Windows enterprise fleets).

For example, the Jamf Computers API makes it possible to build a contextual list of all endpoints belonging to the organization, which in turn enables detection of access to organizational resources or SaaS applications from an unmanaged device.
Additional contextual information pulled from the Jamf API includes user lists, policies, managed scripts, network segments and more.
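The unmanaged-device detection described above, as an added example that is not Hunters' or Jamf's own code: a simplified Jamf computer inventory (constructed here; the field names are assumptions, not a verbatim Jamf API schema) is turned into a set of managed serial numbers and joined against constructed SaaS sign-in records.

```python
"""Added example: flag SaaS access from devices the Jamf inventory does not manage."""
import json

# Constructed sample of a Jamf computer inventory response.
# Field names are assumptions for illustration, not the real Jamf schema.
JAMF_COMPUTERS_JSON = """{"computers": [
  {"id": 1, "name": "mbp-alice", "serial_number": "C02ABC001", "managed": true},
  {"id": 2, "name": "mbp-bob",   "serial_number": "C02ABC002", "managed": true},
  {"id": 3, "name": "mbp-old",   "serial_number": "C02ABC003", "managed": false}
]}"""

# Constructed sample of SaaS sign-in events that carry a device serial number.
SAAS_SIGNINS = [
    {"user": "alice", "device_serial": "C02ABC001", "app": "crm"},
    {"user": "bob",   "device_serial": "C02ABC002", "app": "wiki"},
    {"user": "carol", "device_serial": "C02ZZZ999", "app": "crm"},
    {"user": "dave",  "device_serial": "C02ABC003", "app": "hr"},
    {"user": "erin",  "device_serial": None,        "app": "crm"},
]


def managed_serials(inventory_json):
    """Return the serial numbers Jamf currently reports as managed.
    Records that are enrolled but no longer managed are excluded on purpose:
    such a device is not an attested endpoint any more."""
    data = json.loads(inventory_json)
    return {
        c["serial_number"].upper()
        for c in data["computers"]
        if c.get("managed") and c.get("serial_number")
    }


def flag_unmanaged_access(signins, managed):
    """Return sign-ins whose device is absent from the managed set.
    Events without any device identifier are flagged as well: a missing
    serial cannot be told apart from an unmanaged device."""
    findings = []
    for ev in signins:
        serial = (ev.get("device_serial") or "").upper()
        if serial not in managed:
            reason = "unmanaged" if serial else "no_device_id"
            findings.append({**ev, "reason": reason})
    return findings


if __name__ == "__main__":
    managed = managed_serials(JAMF_COMPUTERS_JSON)
    for f in flag_unmanaged_access(SAAS_SIGNINS, managed):
        print(f"{f['user']:6} {f['app']:5} {str(f['device_serial']):10} {f['reason']}")
```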

Supported data types

  • Computers
  • Mac Applications
  • Network Segments
  • Packages
  • Policies
  • Scripts
  • Users

Sending data to Hunters

Prerequisites

In order to integrate your Jamf instance with Hunters, follow these steps to create an appropriate user and an API key.

  1. Log in to Jamf and go to the Settings section.
  2. Go to Accounts.
    It can be found in the All settings or System Settings tabs, under Jamf Pro User Accounts & Groups.
  3. Add a new user.
  4. Choose create account.
    Select Create Standard Account and then click Next.
  5. Fill out the new user account form.
    Please make sure that:
          a. Access level is Full Access
          b. Privilege Set is Auditor
          c. Access Status is Enabled
    Copy the Username and Password for the next stage and click Save.
  6. Generate an authentication key: create a basic authentication token by Base64-encoding <username>:<password>, using the username and password from the previous step.
    One way to do it is to open a (macOS or Linux) terminal and run this command:
    echo -n "username:password" | base64
  7. Get the API domain: copy the API host address from your browser's address bar while in the Jamf console.