Announcing Jamf Protect – Jamf’s endpoint security solution purpose-built for Mac

Matt Woodruff, Security Solutions Lead, and Andrew Medearis, Senior Product Manager of Jamf Protect, took the stage at JNUC to dive into everything you need to know about Jamf’s latest addition to its product line and why Jamf is expanding into Mac security.

November 13 2019 by

Matt Woodruff

It’s a big day – today we announced the launch of Jamf Protect, our endpoint security solution purpose-built for Mac.

Matt Woodruff, Security Solutions Lead, and Andrew Medearis, Senior Product Manager of Jamf Protect, took the stage at JNUC to dive into everything you need to know about Jamf’s latest addition to its product line and why Jamf is expanding into Mac security.

Challenges of Mac security today

Today’s endpoint security solutions aren’t built with Mac in mind. The landscape of endpoint security solutions today have difficulties in select areas when it comes to defending macOS. With the number of endpoint solutions today that don’t support macOS updates from day of release, preventing organizations from unlocking the latest features and most secure operating system for their end-users. Many solutions don’t give Information Security professionals the visibility they require to better understand Mac. The lack of visibility into macOS events has created a knowledge gap for Mac-specific detections leaving the enterprise reliant on detections that aren’t purpose-built for macOS.

Enter Jamf Protect. After conversations with customers over the last year and stemming from a demand at JNUC 2018, we knew we had to create a solution that addressed these challenges and removed existing barriers for organizations that wanted to empower their workers with Mac. Here’s why Jamf Protect is different:

1. Kextless agent – After looking at the data that was capable of being gathered from the Mac itself without deploying a kernel extension, it was quickly realized that Apple provides native capabilities that can be highly leveraged. The power that propels user-choice is the same power that is capable of collecting events used for threat intelligence. Jamf Protect can do this without having to install additional support to existing Mac hardware. Most importantly - being kextless creates proactive alignment with Apple as Catalina is the last version of macOS to fully support kernel extensions without compromises.

2. Seamless macOS upgrades on day of release – With Jamf Protect, users will have the ability to receive the latest OS upgrade the moment it is available from Apple; meanwhile, maintaining endpoint protection across the company’s fleet. It is important to provide end-users protection with the most recent security patches while allowing them to use the best technology the newest OS upgrades provide.

3. Enterprise visibility into native Apple security tools – Jamf Protect exposes both built-in frameworks and security tools of macOS which allows the enterprise to inspect what is happening on a Mac from an event-driven perspective. For example, Jamf Protect utilizes OpenBSM to record the activities that happen within the OS itself. Also, Apple’s native security tools such as xProtect & MRT are exposed to provide transparency every time Apple takes action. With this type of monitoring, Jamf Protect will alert when XProtect has blocked a file from executing or when Apple’s Malware Removal Tool (MRT) has identified and removed a file from the system. Jamf Protect is the first endpoint solution for Mac that utilizes Apple’s new Endpoint Security Framework. The new framework allows Information Security professionals to prevent files from executing by blocking based on signatures, Team ID, or Developer ID.

4. Using Apple’s GameplayKit to detect Mac-specific Indicators of Compromise (IOCs) – The native tools built-in to macOS (i.e. XProtect & MRT) are good security mechanisms for an OS and it says a lot about the machine we know and love, but as the attacks are evolving the enterprise requires more. The enterprise benefits from a layered approach to security, but that is only true if the additional layers adopted take the technology they are defending into serious consideration. Jamf Protect focuses on identifying threats intended for the macOS platform only and further leverages Mac’s architecture by using Apple’s game engine to alert on suspicious behaviors as defined by Mac internals.

5. Mitre ATT&CK Framework and importance of Mac-specific detections – The practice of identifying IOCs is common when it comes to threat hunting and requires an understanding of the unique operations of both system and user events of a Mac. By taking a look at the Mitre ATT&CK Framework which details the Tactics, Techniques, and Procedures; one can notice there are mutually exclusive TTP(s) that exist for Mac only. As Apple continues to make its OS more secure, the TTP(s) are evolving. Jamf Protect’s team of Mac experts are dedicated to continuing community contributions that aide the development of this framework and create an understanding of Mac for InfoSec professionals across the enterprise.

6. Insights of the CIS Security Benchmark across your macOS fleet – As many organizations require a quick way to obtain a full view into the state of security across your Apple fleet, Jamf Protect has obtained certification by CIS to measure against the CIS Security Benchmark for macOS across the entire fleet. Also giving InfoSec or IT the ability to disable specific measurements of the benchmark that shouldn’t be scored in their environment. The Jamf Protect Insights dashboard will be a direct view for compliance auditors to quickly obtain the status of the fleet’s macOS security controls.

As was highlighted in the day one keynote, an announcement was made about the Jamf Pro and Jamf Protect integration. Jamf Protect and Jamf Pro work together to automatically remediate security attacks. When a security threat is detected, a policy within Jamf Pro’s Smart Groups can automatically quarantine by restricting access to corporate resources and mitigate risk to the rest of the enterprises’ network.

Jamf Protect announced three deployment options for Jamf Protect: cloud-only, direct to a preferred internal backend (i.e. SIEM) and a hybrid model that allows data to reside in both Jamf Protect’s cloud and an internal backend within the enterprise to collect data. Ultimately, this enables enterprises to collect asset information, logs, and alerts in the locations required for both operational excellence and compliance.

Jamf Protect is available today to commercial organizations within the U.S. Want more information? Check out

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.