Creating a Jamf Protect Plan

Jamf Protect Documentation


Plans are comprehensive macOS security configurations that are deployed to computers as configuration profiles.

You can create one plan, or multiple plans, for deployment to computers in your environment.

  1. In Jamf Protect, click Plans.
  2. Click Create Plan.
  3. Give the plan a name and description.
    Note:

    If you have enabled the threat prevention for macOS beta feature, see Threat Prevention for macOS Strategies to configure the threat prevention beta feature. Once you have configured your threat strategy, continue to this step. If you have not enabled the threat prevention for macOS beta feature, continue following the instructions below.

  4. Under Endpoint Threat Prevention, choose one of the following options to determine how Jamf Protect will respond to threat database matches:
    • Block and report

      Block and quarantine any process that matches the threat database.

    • Report only

      Disable process blocking and file quarantine, but report database matches as an alert.

    • Disabled

      Disable all process blocking, file quarantines, and reporting in response to a threat database match.

  5. Configure Tamper Prevention settings. Choose Block and report or Disable to determine how Jamf Protect responds to actions considered tampering:
    • Block and report

      Prevent unauthorized changes to the Jamf Protect application.

    • Disable

      Do not prevent unauthorized changes to the Jamf Protect application that may be considered tampering.

  6. Configure Advanced Threat Controls settings. Choose Block and report, Report only, or Disable to determine how Jamf Protect provides controls for common attacker techniques.
    Important:

    Jamf recommends testing before enabling in production. For more information, see Advanced Threat Controls.

    • Block and report

      Intervene, block, and report on malicious activity to stop attacks.

    • Report only

      Only receive reports on malicious activity when attacks occur.

    • Disable

      Disable intervention and reporting of malicious attacks as they occur.
  7. Select Analytic sets to trigger alerts for the plan.
  8. Choose a telemetry configuration from the Telemetry menu.

    Only one telemetry configuration can be added to a plan.

  9. Choose a removable storage control set from the Control set menu.

    Only one removable storage control set can be added to a plan.

  10. (Optional) Configure compliance settings.

    By default, the Compliance Baseline Reporting setting is enabled, and the default Reporting interval is 1440 minutes (equivalent to 24 hours). The reporting interval must be between 5 and 1440 minutes.

    Note:

    Enabling Compliance Baseline Reporting in a plan only collects data for baseline rules you have enabled on the Compliance > Baseline page. For more information about individual baseline rules, click on a rule in the Baseline page.

  11. Configure the following advanced settings:
    1. Select the Enable auto update checkbox to automatically send Jamf Protect agent updates to computers.

      This ensures computers are always using the most current agent and are compatible with the latest Jamf Protect features.

    2. Choose a TCP port from the Communications protocol menu to configure communication between the agent and Jamf Protect Cloud.

      By default, MQTT:443 is used. If your environment uses transparent or explicit TCP proxies, you can use Websocket/MQTT:443 to secure communication via the WebSocket communication protocol.

    3. Choose a level from the Log level menu to configure the verbosity of information that Jamf Protect sends to the macOS Unified Logs on computers.

      Jamf recommends choosing the default option, "Error".

      Note:

      Only use the Verbose log level when necessary for diagnostic and testing purposes. Running in verbose mode for an extended period of time can increase the demand for system resources. Using the Verbose log level may also result in sensitive information being sent to the unified log.

    4. Choose an exception set from the Exception sets menu to add any exceptions that will be exempted from triggering alerts.
    5. Select an action configuration from the Actions menu.
  12. (Optional) Configure Computer check-in information settings.

    By default, all options are selected.

    Note:

    Deselected inventory information in a plan will not be visible in Jamf Protect or a configured data collection endpoint for any computers assigned to the plan.

  13. Click Save.