When Jamf Protect detects a process that matches the database, the following endpoint threat prevention measures occur:
By default, the process is blocked.
A prompt about the blocked process similar to the following is displayed to end users:
The associated file is assigned a unique event identifier and quarantined in the following location:
Library/Application Support/JamfProtect/Quarantine/<EVENT_UUID>/<ITEM>An alert entry is created in the Alerts page in the Jamf Protect web app or reported to any remote collection endpoints, if configured.