You can create a new exception set from a blank form, or you can clone an existing exception set and modify it to suit your needs.
A Jamf-managed exception set that is cloned becomes a user exception set and will no longer receive updates for Jamf-managed exceptions.
- In the Rules section, choose one of the following identifiers from the pop-up menu and complete the field:
- File Path
- The location of an item starting at the root of the file system. Wildcards are supported to implement exceptions for File Path. The following are examples of a File Path:
/tmp/log/* /Users/*/Pictures/Photos Library.photoslibrary/resources/* */Library/Cookies/Cookies.binarycookies*Note:File Path exceptions will only apply to the following event monitors:
File System Event
Download System Event
Screenshot System Event
- App Signing Info
- An application's identifier, such as
com.apple.calculator. Signing ID requires both a Team ID and an App ID or Signing ID. This only applies to Threat Prevention, Process, File, Click, and Keylogger events.Both the App ID and Signing ID of an application can be found by running the
codesigncommand in a terminal window; for example,codesign -dv /Applications/JamfProtect.app.The following are examples of Signing IDs:Example:App ID:
com.jamf.protect.daemonJamf Team ID:
483DWKW443
- Platform Binary
- A Platform Binary is built into macOS and is specially signed by Apple. These specially signed binaries do not have an associated Team ID, and are referenced by the App ID, such as
com.apple.calculator. The App ID of a Platform Binary can be found by running thecodesign -dvv /System/Applications/Calculator.appcommand in a terminal window.The following are examples of the Platform Binary:com.apple.calculator com.apple.news.widget com.apple.photolibrary - Team ID
- A unique code issued by Apple that identifies an application developer in the signed certificate. Team IDs are alphanumeric, for example
526FTYP998. This only applies to Threat Prevention, Process, File, Click, and Keylogger events. - Process Path
- The full path to an application or binary. The path is responsible for the system event or activity targeted by an exception, such as File, Keylogger, and Click events, or to the application itself being launched (process event) or prevented (Threat Prevention). Wildcards are supported to implement exceptions for Process Path.
The following are examples of a Process Path:
/Applications/1Password\7.app /System/Applications/Calculator.app /Applications/ThisApp.app - User
- The local account name responsible for generating the event on the monitored computer. This can include system accounts.Example:
- User account
- janet.smith
- System account
- jamfpro
- Group
- The local group name responsible for generating the event on the monitored computer.Example:
- Group account
- threat.analysts
- System account
- jamfprotect
Note:File Path and Process Path exceptions provide support for the following Unix shell wildcards.
Pattern Description * Matches everything ? Matches any single character [seq] Matches any character in seq[!seq] Matches any character not in seqUnix shell wildcards and Regular Expressions are similar, however the two are not explicitly interchangeable. For a literal match, wrap the meta-character in brackets. Typing
[*]matches the character*instead of using it as a wildcard. For example, to matchApplication/Data/*profiletemplateenterApplication/Data/[*]profiletemplate.