Jamf Mobile Forensics Explained
Jamf Mobile Forensics, formerly Jamf Executive Threat Protection (JETP), expands its capabilities, helping security teams defend high-risk users against advanced threats.
Defending high-risk users
Sophisticated attacks like mercenary spyware, zero-click exploits, advanced persistent threats (APTs) and nation-state attacks target users based on who they are, the type of work they conduct, or the data they can access. Since these types of attacks require ample resources and funding to execute, they more often target high-risk users and organizations.
Both Apple and Google notify users about potential spyware attacks and publish guidance for users like journalists, activists, politicians, and diplomats who have received threat notifications. CISA notes that individuals such as government and political officials are commonly targeted, and according to the U.K.’s NCSC, you are considered a high-risk “individual if your work or public status means you have access to, or influence over, sensitive information that could be of interest to nation state actors.”
But it is not only for employees with ties to government, media or politics. Organizations in industries like Technology, Logistics & Transportation, Natural Resources and Oil & Gas, Manufacturing, Financial Services and more are vulnerable because of the high-value data their users hold or where they conduct business.
To find sophisticated attacks and ensure the integrity of mobile devices in their fleet, security teams (for example SOC, forensic, InfoSec, or IT) need device insights from deeper levels of data analysis.
That’s where Jamf Mobile Forensics comes in.
Jamf Mobile Forensics
Jamf Mobile Forensics fills the advanced detection, forensic and analysis gap for sophisticated attacks targeting mobile devices. Its threat intelligence and automated analysis capabilities remove the heavy lifting for security teams, enhancing digital forensic investigations and enabling teams to speed up mitigation and remediation steps.
How does Jamf Mobile Forensics work?
The combination of deep, automated log collection and a natural user experience simplifies the analysis process, helping security teams quickly understand and respond to sophisticated attacks. The Jamf Mobile Forensics rules engine, with Jamf Threat Labs proprietary behavioral analytics technology, automates analysis of each scan using known intelligence, anomalies and suspicious behaviors to detect malicious activity and zero-day threats.
This enables security teams to:
- Identify zero-click attacks, one-click attacks and APTs before they enter the network
- Detect unknown exploits and payloads that evade security controls
- Analyze Indicators of Compromise (IoCs) to identify malicious activity
- Detect and respond to mercenary spyware and advanced threats without exposing PII
Scanning end-user devices
Device scans are what enable teams to detect if and when a device was attacked, how the attack occurred and its impact. Scans with Jamf Mobile Forensics take minutes instead of weeks.
For end users, Jamf Mobile Forensics includes a mobile app called Threat Protect that proactively scans devices at intervals set by the organization. The app helps security teams continuously analyze device integrity, without disrupting users or exposing PII. To perform its inspections, the app collects and analyzes endpoint telemetry like system logs, kernel logs, certificates, crashes, software and more to detect known and unknown threats.
Based on organizational workflows and best practices, it also provides an option for cable-based scans (typically for on-premises customers). These scans are performed by connecting a mobile device directly to a workstation computer (such as a Mac).
During log collection, it does not collect PII such as passwords, photos and videos, text messages (including iMessage), contacts, call data, data inside applications and more.
Expert guidance and intelligence
Jamf Mobile Forensics is backed by Jamf Threat Labs, our internal team of security researchers, analysts, and engineers. The team regularly publishes research on advanced mobile malware and sophisticated attack techniques. They also develop and drive continuous improvements to the Jamf Mobile Forensics rules engine.
Simplifying forensic analysis workflows
Security teams that use Jamf Mobile Forensics are armed with various capabilities to help with threat detection and forensic analysis:
- Security Operations Center: Simplify investigation workflows by automatically grouping events into unified incidents. Teams can monitor and manage their entire fleet against advanced attacks, including incidents at different time intervals, along with additional, contextual information about a specific incident.
- Rules engine: Tag, allow list or block list different types of indicators of attack and compromise. Complex rules can be built based upon many attributes including YARA, bundle identifiers and process names.
- AI Analysis: An AI research assistant that reduces the manual research required to analyze device crashes and anomalies. It provides teams with rapid, expert-level insight into potential device compromises. For example, if a device shows a targeted, remote attack against an app, AI Analysis provides a complete summary of the incident, including unusual app behaviors, whether the device was hacked or code execution occurred, and recommendations for next steps.
- MDM deployment: Streamline mobile app deployment for corporately-owned or BYOD iOS, iPadOS, and Android devices.
- Integrations: Leverage powerful APIs to integrate with SIEM/SOARs, IdPs, MDMs, and more.
Common use-cases for Jamf Mobile Forensics
Pre- and post-travel
Employees traveling to countries with heightened espionage risk require fast, in-depth analysis to determine risk, search for IoCs and respond to threats before damage spreads. For example, government organizations that need to protect employees with high-risk profiles working across the world face different types of threats.
Digital forensics and incident response
Analyze devices to quickly assess device integrity, uncover anomalies and implement containment measures, reducing the time required from weeks to minutes.
Mobile threat hunting
Proactively scan iOS and Android devices to analyze logs (including at the OS level), inspect devices for IoCs or write rules to detect malicious attacks before they can cause damage.
How are Jamf Mobile Forensics and Jamf for Mobile different?
Jamf for Mobile is our foundational mobile platform that combines device management and compliance, mobile security (e.g., phishing protection, app risk monitoring, web content filtering and more) and secure application access. Organizations implement Jamf for Mobile to scale the vast mobile use cases at work, with a solution that prioritizes the user experience, integrates IT systems and extends business workflows.
Jamf Mobile Forensics adds an advanced forensic layer to defend high-risk users from targeted attacks. It’s designed to investigate anomalous behaviors, suspicious activity and advanced threats on mobile devices.
What types of advanced threats does Jamf Mobile Forensics protect against?
- Mercenary spyware: Designed for targeted attacks, these commercial surveillance tools such as Predator, Pegasus, Graphite, Spyrtacus and more infiltrate iOS and Android devices through vulnerabilities.
- Advanced Persistent Threats (APTs): According to CISA, ‘APT actors are well-resourced and engage in sophisticated malicious cyber activity that is targeted and aimed at prolonged network/system intrusion.’ These types of attacks often evade initial defense systems and remain on a device for extended periods of time.
- Nation-state attacks: Performed by government actors, these attacks include the use of both APTs and mercenary spyware.
- Zero-click attacks: Used by threat actors to infect mobile devices without any user interaction. Zero-click exploits and network-based attacks are a common strategy of mercenary spyware tools.
Mobile forensics challenges
- Device visibility: Foundational security capabilities like endpoint management, mobile threat defense and VPN/ZTNA prevent common attacks but lack the deep data and threat analysis needed to detect advanced threats.
- Manual forensics: Hiring an outside forensic consultant requires specific knowledge, leads to higher costs, takes more time to complete and runs the risk of exposing PII.
- ‘Burner’ devices: Introduce not just a poor user experience and extra hardware, but also Shadow IT.
At Jamf, we put the user at the center — including those at highest risk of targeted attacks.
Ready to protect your high-risk users from advanced mobile threats?