Threat Prevention Policy Threat Categories

Jamf Protect Documentation


The following tables outline the threat categories covered by threat prevention policies.

Web Content

| Threat Category | Threat Subcategory | Severity (default) | Supported Platforms | Threat Description |
| --- | --- | --- | --- | --- |
| Phishing | | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android; macOS; Windows | A site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form |
| Data leaks | App data leak: credit card | 4 | iOS, iPadOS and visionOS; Samsung Android | An app-based communication that includes a credit card number in an unencrypted (or easily decrypted) format |
| Data leaks | Web data leak: credit card | 4 | iOS, iPadOS and visionOS; Samsung Android | A browser-based communication that includes a credit card number in an unencrypted (or easily decrypted) format |
| Data leaks | App data leak: password | 3 | iOS, iPadOS and visionOS; Samsung Android | An app-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise |
| Data leaks | Web data leak: password | 3 | iOS, iPadOS and visionOS; Samsung Android | A browser-based communication to a network service that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise |
| Data leaks | App data leak: email | 2 | iOS, iPadOS and visionOS; Samsung Android | An app-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format |
| Data leaks | App data leak: location | 2 | iOS, iPadOS and visionOS; Samsung Android | An app-based communication that includes the device's physical geolocation in an unencrypted (or easily decrypted) format |
| Data leaks | App data leak: user identity | 2 | iOS, iPadOS and visionOS; Samsung Android | An app-based communication that includes an identifiable service username in an unencrypted (or easily decrypted) format |
| Data leaks | Web data leak: email | 2 | iOS, iPadOS and visionOS; Samsung Android | A browser-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format |
| Data leaks | Web data leak: location | 2 | iOS, iPadOS and visionOS; Samsung Android | A browser-based communication that includes the device's physical geolocation in an unencrypted (or easily decrypted) format |
| Data leaks | Web data leak: user identity | 2 | iOS, iPadOS and visionOS; Samsung Android | A browser-based communication that includes an identifiable username for access to a service in an unencrypted (or easily decrypted) format |
| Malware network traffic | | 4 | iOS, iPadOS and visionOS; Samsung Android; Other Android; macOS; Windows | Network access from an app to a web service that is known to demonstrate malicious behavior. This can include downloading unauthorized software to a device, disrupting normal operation or gathering sensitive information. |
| Cryptojacking | | 3 | iOS, iPadOS and visionOS; Samsung Android; Other Android; macOS; Windows | A site designed to secretly hijack the target's device to mine cryptocurrencies |
| Spam | | 3 | iOS, iPadOS and visionOS; Samsung Android; Other Android; macOS; Windows | Irrelevant or unsolicited content that is disseminated for the purposes of advertising, phishing or spreading malware |
| Third-Party app store traffic | | 2 | iOS, iPadOS and visionOS; Samsung Android; Other Android; macOS; Windows | A connection was made to a third-party app store. These stores often contain apps that may pose security risks. |

App

| Threat Category | Threat Subcategory | Severity (default) | Supported Platforms | Threat Description |
| --- | --- | --- | --- | --- |
| Malware | Adware | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Malware that aggressively displays ads, negatively affecting user productivity and device performance |
| Malware | Banker | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Malware that steals bank credentials |
| Malware | Generic malware | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | A malicious application that demonstrates harmful behavior and disrupts the device |
| Malware | Ransomware | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Malware that blocks access to a device until a ransom is paid |
| Malware | Rooting | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Malware that attempts to obtain escalated system privileges |
| Malware | SMS | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Malware that causes SMS-related charges |
| Malware | Spyware | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Malware that monitors and collects information about a user and the device |
| Malware | Trojan | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Malware that obtains unauthorized access to your device |
| Malware | Potentially unwanted application | 4 | iOS, iPadOS and visionOS; Samsung Android; Other Android | A potentially unwanted application that can cause harm to your device |
| Device admin app installed | | 3 | Samsung Android; Other Android | Unauthorized apps with device admin privileges pose a security risk in an organization |
| Sideloaded app installed | | 3 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Apps that are not installed through official channels, such as official app stores or a UEM service, are unlikely to have gone through the rigorous quality checks expected of an app store release and may be poorly written or malicious. |
| Third-party app stores installed | | 2 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Third-party application stores are applications that can download and install other applications. They might distribute malicious applications because those apps are not diligently tested for malicious behavior. |
| Vulnerable app installed | | 2 | iOS, iPadOS and visionOS; macOS; Samsung Android; Other Android | An application that has a critical vulnerability identified by the CVE system. You can find these details in Jamf Security Cloud by navigating to Reports > Security > Threat view, Device view, or Vulnerability management, and then viewing the details of individual security events. Vulnerable applications should be updated or removed immediately. |

Network

Note:

The app must be running to detect the attack.

| Threat Category | Threat Subcategory | Severity (default) | Supported Platforms | Threat Description |
| --- | --- | --- | --- | --- |
| Dangerous certificate | | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | A suspicious third-party root certificate that could compromise the authenticity of trusted SSL connections by enabling the stealthy interception of encrypted communications |
| Adversary-in-the-Middle (formerly Man-in-the-Middle) | Adversary-in-the-Middle (compromised trust store) | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | The device has been manipulated to fully trust unauthorized third-party certificates. |
| Adversary-in-the-Middle | Adversary-in-the-Middle (SSL strip) | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | An intermediate server is using advanced techniques to pose as a genuine service. |
| Adversary-in-the-Middle | Adversary-in-the-Middle (targeted certificate spoof) | 4 | iOS, iPadOS and visionOS; Samsung Android; Other Android | An intermediate server is actively attempting to pose as a genuine service. |
| Risky hotspots | | 3 | iOS, iPadOS and visionOS; Samsung Android; Other Android | SSL interception is taking place, but using an untrusted certificate (common for paid hotspots). |

Device

| Threat Category | Severity (default) | Supported Platforms | Threat Description |
| --- | --- | --- | --- |
| Jailbreak | 5 | iOS, iPadOS and visionOS; Samsung Android; Other Android | A modified build of an operating system (OS) that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack |
| Vulnerable OS (major) | 4 | iOS, iPadOS and visionOS; macOS; Samsung Android; Other Android | An operating system (OS) that has an exploitable critical vulnerability identified by the CVE system. Jamf recommends that you investigate these CVEs and upgrade to a more recent OS version if possible. You can find these details in Jamf Security Cloud by navigating to Reports > Security > Threat view, Device view, or Vulnerability management and then viewing the details of individual security events. Major vulnerabilities should be resolved immediately. |
| App inactivity | 3 | iOS, iPadOS and visionOS; Samsung Android; Other Android; macOS; Windows | Jamf Trust has been inactive on the device for a specified amount of time. |
| Device encryption disabled | 3 | Samsung Android; Other Android | On Android devices, if device encryption is disabled, the device can become susceptible to data exfiltration attacks. |
| Lock screen disabled | 3 | iOS, iPadOS and visionOS; Samsung Android; Other Android | Once the lock screen is disabled, including disabling Touch ID or Face ID, the device encryption is rendered useless against physical attacks. |
| Risky iOS profile | 3 | iOS, iPadOS and visionOS | Device configurations that may put corporate and personal data at risk |
| Vulnerable OS (minor) | 3 | iOS, iPadOS and visionOS; Samsung Android; Other Android; macOS | An operating system (OS) that has a critical vulnerability identified by the CVE system. Jamf recommends that you investigate these CVEs and upgrade to a more recent OS version if possible. You can find these details in Jamf Security Cloud by navigating to Reports > Security > Threat view, Device view, or Vulnerability management and then viewing the details of individual security events. Even if minor vulnerabilities are not exploitable, they should still be considered risky. |
| Android security patches missing | 2 | Samsung Android; Other Android | Devices missing security patches for more than 3 months become vulnerable. |
| Out-of-date OS | 2 | iOS, iPadOS and visionOS; Samsung Android; Other Android; macOS; Windows | An older version of an operating system (OS) that does not contain the latest features and bug fixes |
| Unrecognized sources enabled | 2 | Samsung Android; Other Android | Applications installed from unknown sources do not pass the rigorous security tests performed by official app marketplaces. |
| USB app verification disabled | 2 | Samsung Android; Other Android | Apps installed through USB do not get checked for harmful behavior. |
| User password disabled | 2 | macOS | A device without a password set compromises the physical security of the device and/or its data, as anyone with physical access can log in. |
| Developer mode enabled | 1 | Samsung Android; Other Android | Once developer mode is enabled, side-loading from unknown sources, USB debugging and other configurations that can lead to security risks can be enabled. |
| USB debugging enabled | 1 | Samsung Android; Other Android | Lower-level access to the Android device through the USB channel can pose a security risk. |