Threat Prevention (Beta)

Jamf Protect Documentation

The Jamf Protect macOS Security threat prevention feature ensures that your macOS endpoints are protected from malicious threats. Threat prevention identifies anomalous behaviors and processes on your computers and can block and notify you about the potential threats via alerts.

Threat prevention is divided into two strategies: managed and custom. Strategies determine how threat prevention processes different types of detections.

The managed strategy ensures that the computers in your fleet are always protected with the most up-to-date engines that are available. This strategy is recommended for the majority of users, due to the high level of protection and the ability to automatically enable new engines.

The custom strategy includes the ability to control exactly which engines are enabled, and the type of protection they each provide. You can decide whether to block events or behaviors, or allow events or behaviors and notify admins by generating alerts.

Note:

When configuring strategies, you can also choose the Legacy option. Legacy is technically not a strategy; it is the ability to configure the legacy threat prevention options, such as analytic sets and advanced threat controls. For more information, see Threat Prevention with Jamf Protect (Legacy).

In addition to the managed and custom strategy options, the threat prevention feature has been restructured into sets of modular threat prevention engines. Each engine represents a specific category of threat prevention detections that are managed by Jamf Threat Labs.

The malware and riskware engine uses a combination of static detections and behavioral detections to identify risky files or behavior on a computer, while the other available engines primarily use behavioral detections.

Note:

The engine configuration options may differ depending on the intention of each engine. For example, one engine may offer the option to Report only, while others may not have that ability.

For more information about the threat prevention engines, see Threat Prevention for macOS Engines.