Jamf Protect uses the Apple logic engine to monitor events, collect data, and perform actions in real time. Jamf Protect uses Apple's Endpoint Security framework to monitor file and process events. The following system event types are monitored by the Jamf Protect sensor:
- Files — Written, terminated, and deleted files on computers and mounted volumes
- Processes — Launched or exited processes on computers
- USBs — USB devices that are removed or ejected from computers
- Downloads — Files that are downloaded from the internet
- Screenshots — Screenshots taken by end users on computers
- Synthetic clicks — Programmatic mouse clicks used to dismiss notifications, approve actions, and interact with user prompts
- Malware Removal Tool (MRT) Events — Actions and logs from MRT, Jamf Protect's built-in application responsible for removing targeted files from macOS
- Gatekeeper Events — Actions and logs from Gatekeeper, a built-in feature for enforcing code signing and verifying downloaded apps before running them
- Keylog Register Events — New "event tap" registrations via the Core Graphics framework on macOS