Telemetry Event Categories

Jamf Protect Documentation


When creating a telemetry configuration in Jamf Protect, you choose which categories of information to collect. For a detailed list of the events included in each category, see the Telemetry Data Model documentation.


The events a category actually yields depend on which macOS versions are in your environment: some events in a category are only available on newer macOS releases, so older computers report a subset of that category.

Jamf manages which events belong to each category and may add, move, or remove events over time. Such changes are applied automatically to every computer collecting data in the affected categories, so the scope of what you collect can change without a configuration change on your side.

Applications and processes

Includes application usage and process activity on the system, with the audit details needed for full traceability.

  • Audit all application usage and process activity across all of your endpoints, including process heritage (parent and ancestor processes) and audit token details, for full traceability and correlation with other telemetry.

  • Detect the execution of unauthorized or unsigned processes, as well as legitimate system binaries abused by living-off-the-land malware, and correlate process activity with all other telemetry to reconstruct an attack timeline.

  • Provide detailed audit logs for processes handling sensitive data or identify unmanaged software (shadow IT) to be brought under management.

Access and authentication

Includes access and authentication events for the system, applications, and users, including local and remote sessions and pseudoterminal access.

  • Maintain an audit trail for all user access and authentication events, mapping users and methods used (e.g. Jamf Connect) to specific system activity for security and compliance auditing.

  • Monitor all command-line execution with elevated (sudo) or substituted privileges (su).

  • Audit when computers are accessed remotely through SSH or screen sharing, with a record of source address and session time stamps, to build a correlated timeline and uncover unauthorized or malicious actions.

  • Identify when a pseudoterminal (pty) control device is opened or closed, so administrators can see who is obtaining an interactive shell and why.
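
The two categories above are most useful together: the process heritage from "Applications and processes" is what lets a remote login, a pty, a sudo, and the binaries that followed be stitched into one session timeline. The script below is an added example, not Jamf Protect code; its JSON lines are constructed, and the field names (type, ts, pid, ppid, path, signed, user, session_id, source_address) are illustrative stand-ins that you would map onto the real telemetry data model. It follows heritage through pid/ppid for readability; production logic should key on the audit token, because pids are reused.

```python
"""Correlate process heritage with remote-access and privilege events.

Added example, not Jamf Protect code.  The JSON lines are constructed and the
field names (type, ts, pid, ppid, path, signed, user, session_id,
source_address) are illustrative; map them to the real telemetry data model.
Heritage is followed through pid/ppid here; production logic should key on the
audit token, since pids are reused."""
import json

# Constructed sample: an inbound SSH session, a pty, a sudo to an unsigned
# binary, plus unrelated background processes.  Timestamps are epoch seconds.
SAMPLE_EVENTS = """
{"type": "process.exec", "ts": 1700000000, "pid": 500, "ppid": 1, "path": "/usr/sbin/sshd", "signed": "apple", "user": "root"}
{"type": "auth.ssh_login", "ts": 1700000010, "session_id": "s1", "pid": 501, "user": "alice", "source_address": "203.0.113.7"}
{"type": "process.exec", "ts": 1700000010, "pid": 501, "ppid": 500, "path": "/usr/sbin/sshd", "signed": "apple", "user": "alice"}
{"type": "auth.pty_open", "ts": 1700000011, "pid": 502, "ppid": 501, "user": "alice", "tty": "/dev/ttys003"}
{"type": "process.exec", "ts": 1700000011, "pid": 502, "ppid": 501, "path": "/bin/zsh", "signed": "apple", "user": "alice"}
{"type": "auth.sudo", "ts": 1700000030, "pid": 503, "ppid": 502, "user": "alice", "target_user": "root", "command": "/tmp/.cache/agent"}
{"type": "process.exec", "ts": 1700000030, "pid": 503, "ppid": 502, "path": "/usr/bin/sudo", "signed": "apple", "user": "root"}
{"type": "process.exec", "ts": 1700000031, "pid": 504, "ppid": 503, "path": "/tmp/.cache/agent", "signed": "none", "user": "root"}
{"type": "process.exec", "ts": 1700000040, "pid": 600, "ppid": 1, "path": "/usr/libexec/trustd", "signed": "apple", "user": "root"}
{"type": "auth.ssh_logout", "ts": 1700000100, "session_id": "s1", "user": "alice"}
"""


def load_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]


def build_process_index(events):
    """pid -> most recent exec event for that pid (the heritage lookup table)."""
    return {ev["pid"]: ev for ev in events if ev["type"] == "process.exec"}


def ancestry(pid, index):
    """Executable paths from pid up to the root of the tree (launchd is pid 1)."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid]["path"])
        pid = index[pid]["ppid"]
    return chain


def session_timelines(events):
    """Attach every event to the SSH session whose sshd child it descends from."""
    index = build_process_index(events)
    sessions = {}
    for ev in events:
        if ev["type"] == "auth.ssh_login":
            sessions[ev["session_id"]] = {"user": ev["user"], "source": ev["source_address"],
                                          "root_pid": ev["pid"], "start": ev["ts"],
                                          "end": None, "events": []}
    root_to_session = {s["root_pid"]: sid for sid, s in sessions.items()}

    def owning_session(pid):
        # Walk up the parent chain until we hit a session's sshd child.
        seen = set()
        while pid in index and pid not in seen:
            if pid in root_to_session:
                return root_to_session[pid]
            seen.add(pid)
            pid = index[pid]["ppid"]
        return None

    for ev in events:
        if ev["type"] == "auth.ssh_logout":
            sessions[ev["session_id"]]["end"] = ev["ts"]
        elif ev["type"] != "auth.ssh_login":
            sid = owning_session(ev.get("pid"))
            if sid is not None:
                sessions[sid]["events"].append(ev)
    return sessions


def findings(events):
    """(session, kind, source address, user, detail) for sudo use and unsigned
    executables observed inside remote sessions."""
    index = build_process_index(events)
    out = []
    for sid, s in session_timelines(events).items():
        for ev in s["events"]:
            if ev["type"] == "auth.sudo":
                out.append((sid, "sudo", s["source"], ev["user"], ev["command"]))
            elif ev["type"] == "process.exec" and ev["signed"] == "none":
                out.append((sid, "unsigned_exec", s["source"], ev["user"],
                            " <- ".join(ancestry(ev["pid"], index))))
    return out


if __name__ == "__main__":
    for f in findings(load_events(SAMPLE_EVENTS)):
        print(*f)
```

On the sample, the unsigned binary is reported with its full lineage back through sudo, the shell, and the sshd child that accepted the login from 203.0.113.7, which is the "who, from where, and how" an investigator needs. The background trustd process, which has no session ancestor, is left out of every timeline.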

Users and groups

Includes information about user and group changes on the system, including user creation and permission elevation.

  • Detect unauthorized user account creation and unauthorized privilege escalation attempts, signaling potential insider threats.

  • Log all user and group changes to demonstrate adherence in compliance audits and with access control policies.

  • Trace all related activity and changes made by the user after privilege elevation to identify unauthorized or malicious actions.

Persistence

Includes persistence items created or removed, as reported by the Background Task Management service, including LaunchDaemons and LaunchAgents.

  • Record all common persistence established or removed across endpoints, including visibility into the instigator and persisted artifacts.

  • Detect rare or suspicious persistence mechanisms, such as unauthorized launch agents masquerading as legitimate persistence, indicating malware infection.

  • Identify shadow IT in the form of user-installed software and persistence that can be transitioned to managed alternatives.
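
The "Users and groups" and "Persistence" use cases above share a natural correlation: an account that is created and made an administrator within minutes, and then registers a launch item that imitates an Apple label, is a chain worth alerting on as a whole. The following added example, not Jamf Protect code, implements both detections and the join between them over constructed events; the field names (type, ts, user, group, actor, actor_path, kind, label, plist, executable) are illustrative stand-ins for the real data model. Background Task Management reporting requires a macOS version that has that service, so this is one of the categories where older computers report less.

```python
"""Detect rapid privilege elevation of new accounts and Apple-lookalike
persistence, then tie the two together.

Added example, not Jamf Protect code.  Events are constructed and the field
names (type, ts, user, group, actor, actor_path, kind, label, plist,
executable) are illustrative stand-ins for the real data model."""
import json

# Constructed sample: a service account created and made admin two minutes
# later, a normal new user, and three launch items of varying legitimacy.
SAMPLE_EVENTS = """
{"type": "user.create", "ts": 1700000000, "actor": "root", "actor_path": "/usr/sbin/sysadminctl", "user": "svc_backup"}
{"type": "group.member_add", "ts": 1700000120, "actor": "root", "actor_path": "/usr/bin/dscl", "group": "admin", "user": "svc_backup"}
{"type": "user.create", "ts": 1700001000, "actor": "root", "actor_path": "/usr/sbin/sysadminctl", "user": "intern"}
{"type": "group.member_add", "ts": 1700001005, "actor": "root", "actor_path": "/usr/bin/dscl", "group": "staff", "user": "intern"}
{"type": "btm.register", "ts": 1700002000, "kind": "LaunchDaemon", "label": "com.apple.softwareupdated", "plist": "/Library/LaunchDaemons/com.apple.softwareupdated.plist", "executable": "/Users/Shared/.sw/updater", "actor": "svc_backup"}
{"type": "btm.register", "ts": 1700002100, "kind": "LaunchAgent", "label": "com.example.sync", "plist": "/Users/alice/Library/LaunchAgents/com.example.sync.plist", "executable": "/Applications/Sync.app/Contents/MacOS/Sync", "actor": "alice"}
{"type": "btm.register", "ts": 1700002200, "kind": "LaunchDaemon", "label": "com.apple.mdmclient.daemon", "plist": "/System/Library/LaunchDaemons/com.apple.mdmclient.daemon.plist", "executable": "/usr/libexec/mdmclient", "actor": "root"}
"""

ELEVATION_WINDOW = 600          # seconds; creation followed by admin this fast is unusual
PRIVILEGED_GROUPS = {"admin", "wheel", "_developer"}
# Assumed Apple-owned executable locations; tighten to taste for your fleet.
APPLE_PATH_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")


def load_events(text):
    return [json.loads(line) for line in text.strip().splitlines()]


def new_account_then_privileged(events, window=ELEVATION_WINDOW):
    """Accounts added to a privileged group within `window` seconds of creation,
    as (user, group, seconds_after_creation, tool_used)."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "user.create":
            created[ev["user"]] = ev["ts"]
        elif ev["type"] == "group.member_add" and ev["group"] in PRIVILEGED_GROUPS:
            t0 = created.get(ev["user"])
            if t0 is not None and ev["ts"] - t0 <= window:
                hits.append((ev["user"], ev["group"], ev["ts"] - t0, ev["actor_path"]))
    return hits


def masquerading_persistence(events):
    """Launch items whose label claims the com.apple. namespace but whose
    executable lives outside Apple-owned paths.  Apple's own items run
    binaries from system locations, not from user-writable directories."""
    hits = []
    for ev in events:
        if ev["type"] != "btm.register":
            continue
        claims_apple = ev["label"].startswith("com.apple.")
        apple_path = ev["executable"].startswith(APPLE_PATH_PREFIXES)
        if claims_apple and not apple_path:
            hits.append((ev["kind"], ev["label"], ev["executable"], ev["actor"]))
    return hits


def persistence_after_elevation(events):
    """Persistence registered by an account that was itself just elevated:
    the 'new user -> admin -> LaunchDaemon' chain in the sample."""
    elevated = {hit[0] for hit in new_account_then_privileged(events)}
    return [(ev["actor"], ev["kind"], ev["label"]) for ev in events
            if ev["type"] == "btm.register" and ev["actor"] in elevated]


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("fast elevation:", new_account_then_privileged(evs))
    print("masquerading:  ", masquerading_persistence(evs))
    print("chained:       ", persistence_after_elevation(evs))
```

The path-prefix heuristic is deliberately simple; where the data model gives you signing information for the persisted executable, prefer "claims com.apple. but is not an Apple platform binary" over path matching, since /usr/local and similar prefixes are writable by administrators.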

Hardware and volumes

Includes information about hardware connections and volume mounting, including local storage devices and network file shares.

  • Record all volume mounts, whether from external devices, application disk images, or network shares.

  • Detect users mounting DMGs and installing unmanaged software.

  • Introduce visibility into network file shares being remotely accessed.

Apple security

Includes information about security events from built-in Apple security tools on computers, including XProtect, XProtect Remediator, and Gatekeeper.

  • Gain full understanding of built-in malware detection and remediation events on your systems to further investigate.

  • Identify legitimate applications being blocked by XProtect to reduce user friction while maintaining security.

  • Identify when users attempt to override Apple's Gatekeeper protections, so that administrators can block the application from loading, or offer an approved method of accessing the application.

System

Includes important operations completed by the system, including system time changes, configuration profile changes, and Transparency, Consent, and Control (TCC) changes.

  • Reconcile the installation of sensitive configurations, such as VPN settings or certificates, against what your MDM solution expects to have deployed.

  • Audit third-party software that has been granted kernel access, such as approved kernel extensions.

  • Meet compliance requirements with logging of host firmware information and system configuration changes.

  • Monitor TCC changes to detect permission escalations and audit any unauthorized access.

Diagnostic and crash reports

Includes diagnostic and crash report information collected from computers when generated by the system.

  • Identify patterns of recurring crashes tied to malicious binaries or exploitation attempts.

  • Proactively identify and investigate recurring crashes to minimize user disruptions and improve digital experience.

  • Provide evidence of endpoint stability and operational readiness to support compliance audits.

Performance metrics

Includes reports for auditing system resource utilization and application efficiency, including CPU usage and energy impact.

  • Detect anomalies in CPU, memory, or energy usage that could be an indication of a malware infection, such as crypto-jacking, or a hardware issue.

  • Demonstrate operational stability and resource efficiency for compliance audits.

  • Proactively resolve or optimize resource utilization by identifying and addressing poorly performing applications or processes.
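
Spotting crypto-jacking or a runaway process from performance reports is an anomaly-detection problem rather than a threshold problem: a compiler legitimately pegs a core for a few minutes, while a miner sits quiet and then stays pegged. The script below is an added example, not Jamf Protect code, and its samples are constructed; Jamf Protect's performance reports have their own format. It flags sustained deviation from a process's own baseline on one host, and separately flags a host whose reading for a process name is an outlier across the fleet, which catches the case a per-host baseline cannot: a process that was busy from the first sample.

```python
"""Flag sustained resource anomalies from per-process utilisation samples.

Added example, not Jamf Protect code.  The samples are constructed; Jamf
Protect's performance reports have their own format and field names."""
from statistics import median

# Constructed: CPU percent per process, one sample per minute, on one host.
SAMPLES = {
    "WindowServer": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 12, 14],
    "Xcode": [5, 3, 4, 2, 5, 3, 85, 92, 88, 4, 3, 90],            # short build bursts
    "kworker_helper": [1, 1, 2, 1, 1, 1, 97, 98, 99, 97, 98, 99],  # quiet, then pegged
    "Slack": [3, 4, 3, 5, 4, 3, 4, 3, 4, 4, 3, 4],
}

# Constructed: median CPU for the same process name across six hosts.
FLEET_MEDIANS = {"mac-01": 4, "mac-02": 5, "mac-03": 3, "mac-04": 6, "mac-05": 72, "mac-06": 4}


def baseline(samples, warmup):
    """Median of the first `warmup` samples; a single burst does not move it."""
    return median(samples[:warmup])


def sustained_anomalies(samples_by_process, warmup=6, factor=5.0, min_run=4, floor=20.0):
    """Processes with at least `min_run` consecutive samples above
    max(factor * baseline, floor).  The floor keeps near-idle baselines from
    turning ordinary activity into alerts; min_run ignores short bursts."""
    out = {}
    for name, samples in samples_by_process.items():
        base = baseline(samples, warmup)
        threshold = max(factor * base, floor)
        run, best_run, start, best_start = 0, 0, None, None
        for i, value in enumerate(samples):
            if value > threshold:
                run += 1
                if run == 1:
                    start = i
                if run > best_run:
                    best_run, best_start = run, start
            else:
                run = 0
        if best_run >= min_run:
            out[name] = {"baseline": base, "threshold": threshold,
                         "run_length": best_run, "first_index": best_start}
    return out


def fleet_outliers(medians_by_host, k=3.5):
    """Hosts whose value is an outlier under the modified z-score
    0.6745 * (x - median) / MAD.  Catches a process that was busy from its
    first sample, which a per-host baseline would treat as normal."""
    values = list(medians_by_host.values())
    centre = median(values)
    mad = median(abs(v - centre) for v in values) or 1.0   # avoid divide-by-zero
    scores = {h: 0.6745 * (v - centre) / mad for h, v in medians_by_host.items()}
    return {h: round(s, 1) for h, s in scores.items() if s > k}


if __name__ == "__main__":
    print(sustained_anomalies(SAMPLES))
    print(fleet_outliers(FLEET_MEDIANS))
```

With the constructed data, Xcode's three-minute bursts fall under min_run and are ignored, the quiet-then-pegged process is flagged with the index at which it changed behaviour, and mac-05 stands out fleet-wide despite looking steady on its own. Tune warmup, factor, and min_run against your own reports before trusting the output; the energy-impact field in the reports can be fed through the same functions unchanged.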