Mac endpoint telemetry with Jamf

Gain unprecedented visibility into macOS activity with our powerful Mac endpoint telemetry update.

January 9, 2025 by Matt Taylor

The complexities of macOS security

Macs are essential to today’s workplace, but keeping them secure and compliant often presents unique challenges.

That’s where Jamf’s next-generation Mac endpoint telemetry comes in. In this post, we’ll explore how this powerful update helps organizations gain critical visibility into macOS activity. This in turn assists organizations in meeting compliance standards, accelerating security investigations, and improving IT operations—without adding complexity.

What is endpoint telemetry?

At its core, telemetry is the logging and collection of key activity on a device to create a detailed audit trail for Security and IT teams.

Put simply, it’s your record of what’s happening on each endpoint, helping you answer important questions like:

  • Who accessed this computer, when and from where?
  • What changes did they make to the system?
  • What software did they run?
  • Which processes executed and with what privileges?
  • What other systems did that computer connect to?

Think of it as a way to shine a light into every corner of your Mac fleet, ensuring nothing slips through the cracks.

Mac endpoint telemetry with Jamf

When it comes to endpoint visibility, not all solutions are created equal. Jamf telemetry is built specifically for macOS and backed by over 20 years of Apple expertise. It’s curated to provide meaningful, actionable insights—not just raw data.

Here’s how Jamf telemetry makes a difference:

  • Compliance audits: Track user logins, authentications and system changes to meet stringent logging mandates like HIPAA or NIS2.
  • Investigations: Reconstruct timelines to quickly pinpoint what happened during an incident with confidence.
  • Threat hunting: Detect stealthy attackers with visibility into rare events, anomalous behaviors and macOS-specific techniques.
  • IT operations: Provide a seamless experience for your end users while you:
    • Monitor app usage
    • Uncover shadow IT
    • Proactively resolve performance issues with app metrics and crash logs

Whether you’re managing compliance frameworks, investigating security incidents or streamlining IT workflows, Jamf provides the visibility and control you need—without adding unnecessary complexity.

What’s new in telemetry?

Jamf’s updated Mac endpoint telemetry capability is now available.

You may have previewed it during the keynote at the Jamf Nation User Conference in October.

Logging data to comply with NIST 800-53

The latest version of Jamf’s Mac endpoint telemetry capability represents a major leap forward: it delivers more accurate, reliable and actionable insights to meet your compliance, security and IT needs.

Here’s what’s improved and why it matters:

Modern and secure foundation

We’ve transitioned from OpenBSM to Apple’s Endpoint Security API, providing:

  • New insights purpose-built for modern security needs, curated and enriched by Jamf
  • A lightweight, high-performance design that minimizes system impact and preserves the end-user experience
  • Tamper-resistant auditing to ensure logs are reliable and secure

Actionable insights for real-world use

We listened carefully to your feedback and refined existing telemetry with:

  • Improved process logging that enhances audits with complete traceability, parent-child relationships and contextualization at every step.
  • Expanded visibility into critical activities that help organizations gain richer insights into authentication events, local and remote access, user management and more.
  • Easy-to-set-up configurations with new telemetry categories, granular exceptions and built-in optimizations to tune telemetry to your organization’s specific needs, reducing data overhead and analysis costs.

New insights

Uncover new risk with unprecedented visibility into macOS activity like:

  • User behaviors for tracking events like privilege escalations, sudo command execution, user substitutions and other critical actions.
  • Sensitive system operations including unmanaged configuration profile installs and third-party extension loading.
  • Persistence mechanisms for detecting commonly abused persistence techniques like LaunchDaemons and LaunchAgents from background task management.

Seamless integration, faster value

We know onboarding new tools can feel daunting, so we’ve made it as easy as possible.

  • Enhanced SIEM add-ons for Splunk and Elastic with updated parsers ensure quick adoption.
  • Pre-configured optimizations by Jamf Threat Labs help you see value immediately.
  • Comprehensive resources make onboarding straightforward whether you’re an IT admin or a seasoned security pro.

Check out Jamf’s telemetry technical documentation for a list of real-world workflows using telemetry.

Example of Mac telemetry in Elastic

Already using telemetry with Jamf Protect?

Here's what you need to know.

If you’re among the many customers already using Jamf Protect’s telemetry capability, know that the new telemetry data model documentation provides detailed examples and object dictionaries to help you adapt your workflows with ease.

Here are some important details to help you plan your migration to the new version:

  • Transition period: The previous telemetry version has been deprecated but will remain available for a limited time, giving you the flexibility to transition at your own pace.
  • Deployment modes: The changes to telemetry described in this blog are relevant for both full Jamf Protect and Jamf Protect Offline Deployment Mode customers.
  • Unsupported Workflows: Support for Microsoft Sentinel data forwarding integrations and Offline Deployment Mode agent configuration in Jamf Pro is coming soon.
  • SIEM Integrations: Add-ons for Splunk and Elastic have already been updated, with similar updates for Microsoft Sentinel and Google Security Operations available soon.
  • Changing Visibility: While the move to the Endpoint Security API provides richer, more accurate logging, some activities like process forks and network connections are temporarily unavailable. These will be addressed in future updates.

What’s next for telemetry?

We’re thrilled to deliver these enhancements, but this is just the beginning.

Over the coming weeks and months, we’ll be introducing even more features and improvements, including:

  • Expanded SIEM support: updated add-ons and parsers for Google Security Operations and Microsoft Sentinel SIEMs
  • Enhanced Apple security telemetry: new insights into when users override Gatekeeper protections, a common attack vector on macOS
  • Offline agent configuration with Jamf Pro: Offline Deployment Mode agent configurations for the new version of telemetry
  • Network telemetry: new visibility into inbound and outbound network traffic, helping teams identify suspicious activity, like data exfiltration or unexpected communications from compromised systems

We value your feedback

We’re always listening to your feedback to shape the future of Jamf Protect. Let us know how we can continue to improve, and stay tuned for even more enhancements coming your way.

Get started with Jamf

For over 20 years, Jamf has been the leader in Apple-first management and security, helping organizations with an Apple-first platform to hunt threats, remediate incidents and achieve compliance. With this updated release, organizations can gain complete visibility into Mac endpoints by collecting and analyzing telemetry with Jamf.

Learn how Jamf Protect can help you better collect and analyze telemetry today.