Jamf Blog
August 24, 2020 by Kelli Conlin

Jamf Protect Remediation Workflows

This post will help admins implement the workflows learned during the "How to Remediate a macOS Security Incident" webinar. These workflows are set using a threat-level classification to determine the method of remediation or response; this can allow for easier management of various remediation workflows.

Did you attend the Jamf Protect Incident Response webinar? This post will help you to implement the workflows you learned. These workflows are set using a threat level classification to determine the method of remediation or response; this can allow for easier management of various remediation workflows.

DISCLAIMER: If you have not viewed the webinar, you will want to do so. This post contains primarily supplemental materials that you’ll want to reference when implementing the ideas presented in the webinar. These are example workflows and should be properly tested before being implemented in your production environment.

Jamf Protect setup

Identify the analytics in Jamf Protect that you would like to set up a response to.

  1. Open the Jamf Protect console
  2. Select “Analytics”
  3. Identify the chosen analytic
  4. Select the “Update Actions” tab
  5. Check “Add to Jamf Pro Smart Group”
  6. Choose a text value from the text pop-up. This will be the extension attribute written to the device by the Jamf Protect agent when it discovers a security incident. (For example: low, medium, high; malware.)

Jamf Pro initial setup steps

Extension attribute script

  1. Open the Jamf Pro Settings > “Computer Management” > “Extension Attributes”
  2. Select “New from Template”
  3. Open the “Jamf” section
  4. Select “Jamf Protect Smart Groups”
  5. Select “Save” at the bottom of the page

Smart Group creation

  1. Select “Computers”
  2. Then select “Smart Computer Groups”
  3. Select on “+ New” button at the top right
  4. Enter a name for this Smart Computer group such as “Security: Jamf Protect Low Threat”
  5. Select “Criteria” tab
  6. Select “Add” button, then select “Show Advanced Criteria”
  7. Find the “Jamf Protect Smart Groups” attribute, select choose
  8. Enter the text of the extension attribute value (See the above Jamf Protect setup)
  9. Select “Save”

*NOTE: Once the extension attribute is written to the device by the Jamf Protect agent, the extension attribute must be removed for the device to fall out of the Smart Group. This can be done by script of command.

  • This will clear all extension attributes created by Jamf Protect:
 rm /Library/Application\ Support/JamfProtect/groups/*

Policy event trigger

  1. Select “Computers”
  2. Select “Policy”
  3. Select “New” button
  4. In the General area, enter a name for this policy, and insert a custom trigger of “protect.” This will allow the policy to run when the Jamf Protect agent has a detection.
  5. Set the execution frequency to “Ongoing”

Low-level threat

In this workflow you will prompt your end user with a pop-up message from Jamf Helper of what has taken place on their device. This response if very light and not invasive (ie. no file deletion or isolation).

*NOTE: This workflow will automatically clear the extension attribute after prompt to end user.

Jamf Helper policy:

  1. Create a new policy (follow the policy steps from the Jamf Pro setup section)
  2. Add a “Script” configuration, add the script below

*NOTE: The script must first be added to Jamf Pro Settings > “Computer Management”> “Scripts”

Select the “Scope” tab

  1. Select “Computer Group” > “Add”
  2. Select the new Smart Computer Group that was created for a low alert
  3. Select “Save”

Low-level Jamf Helper script

 #!/bin/bash

# Jamf Helper Script for Jamf Protect

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

#Header for Pop Up

heading="IT Security Notification"

#Description for Pop Up

description="Your machine has possibly been compromised. Please report to IT."

#Button Text

button1="Ok"

#Path for Icon Displayed

icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"

userChoice=$("$jamfHelper" -windowType utility -heading "$heading" -description "$description" -button1 "$button1" -icon "$icon")

#Remove Jamf Protect Extension Attribute

rm /Library/Application\ Support/JamfProtect/groups/*

#Update Jamf Inventroy

jamf recon

Medium-level threat

A medium-level threat is an unwanted security event with minimal impact. For this workflow, once there is a detection, a Jamf Helper pop-up message displays to the end user telling them what has happened to their device and instructing them to select “Ok” to open Self Service. Once Self Service launches, it will immediately open a policy that will run a command to move items from the downloads folder that have been added in the last 24 hours to the trash.

*NOTE: This workflow will automatically clear the Extension Attribute in the clearing script.

Jamf Helper policy

  1. Create a new policy (follow the policy steps from the Jamf Pro setup section)
  2. Add a “Script” configuration, add the script below

*NOTE: The script must first be added to Jamf Pro Settings > “Computer Management”> “Scripts”

  1. Select the “Scope” tab
  2. Select “Computer Group” > “Add”
  3. Select the new Smart Computer Group that was created for a medium alert
  4. Select “Save”

Medium-level Jamf Helper script

 jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

#Header for Pop Up

heading="IT Security Notification"

#Description for Pop Up

description="You have tried to open an application that is unauthorized on Corporate Computers. Please click Ok to open Self Service and move all files downloaded in the last 24 hours to the trash. Contact Corporate IT for further assistance"

#Button Text

button1="Ok"

#Policy ID for policy in Self Service

policyID="59"

#Path for Icon Displayed

icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"

userChoice=$("$jamfHelper" -windowType utility -heading "$heading" -description "$description" -button1 "$button1" -icon "$icon")


if [[ $userChoice == 0 ]]; then

echo "user clicked $button1"

open "jamfselfservice://content?entity=policy&id=$policyID&action=view"

fi

Self Service command

  1. Create a new policy
  2. Set the execution frequency to “Ongoing”
  3. Add a “Script” configuration, add the script below

*NOTE: The script must first be added to Jamf Pro Settings > “Computer Management”> “Scripts”

  1. Select the “Self Service” tab
  2. Check “Make the policy available in Self Service”
  3. Select the “Scope” tab
  4. Select “Computer Group” > “Add”
  5. Select the new Smart Computer Group that was created for a medium alert
  6. Select “Save”

Clearing downloads folder script

 #!/bin/bash

# Move all files downloaded in the last 24 hours to the trash

#Move the files from Downloads to the Trash

find ~/Downloads/ -type fd -mtime 0 -exec mv {} ~/.Trash \;

#Remove Jamf Protect Extension Attribute

rm /Library/Application\ Support/JamfProtect/groups/*

#Update Jamf Inventroy

jamf recon

High-level threat

A high-level threat is when something malicious has occurred but the impact is still unknown. For this workflow, once there is a detection a Jamf Helper pop-up message displays to the end user telling them what has happened to their device and that they have lost network access. Then the device will be excluded from the network configuration profile.

*NOTE: This workflow will NOT automatically clear the Extension Attribute. And there is a risk of the configuration profile exclusion happening before the Jamf Helper script can run.

Jamf Helper policy

  1. Create a new policy (follow the policy steps from the Jamf Pro setup section)
  2. Add a “Script” configuration, add the script below

*NOTE: The script must first be added to Jamf Pro settings > “Computer Management”> “Scripts”

  1. Select “Before” under Priority
  2. Select the “Scope” tab
  3. Select “Computer Group” > “Add”
  4. Select the new Smart Computer Group that was created for a high alert
  5. Select “Save”

High-level Jamf Helper script

 jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

#Header for Pop Up

heading="IT Security Notification"

#Description for Pop Up

description="Your computer may be infected with malware. Your network connection has been disabled. Please power down your Mac and call your IT administrator immediately at 888-867-5309"

#Button Text

button1="Ok"

#Path for Icon Displayed

icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"

userChoice=$("$jamfHelper" -windowType utility -heading "$heading" -description "$description" -button1 "$button1" -icon "$icon")


if [[ $userChoice == 0 ]]; then

echo "user clicked $button1"

exit 0

fi

Smart Group exclusion

  1. Find your network configuration profile
  2. Select the “Scope” tab
  3. Select “Exclusions”
  4. Select “Computer Group” > “Add”
  5. Select the new Smart Computer Group that was created for a high alert
  6. Select “Save”

DEPNotify Workflow

DEPNotify allows for customization compared to Jamf Helper, but does require a separate package to be installed. In this workflow, when there is a detection of a known threat (or malware) from Jamf Protect’s Threat Prevention feature, the end user will be locked in full screen by DEPNotify while an additional script runs to clean up the detected threat.

*NOTE: This workflow requires a custom analytic in Jamf Protect to go beyond the native Block and Quarantine functionality. Also, this workflow will automatically clear the extension attribute after DEPNotify runs and delete the DEPNotify application.

Jamf Protect custom analytic

*NOTE: This is considered advanced level administration. Please see this section of the Jamf Protect admin guide for more information on Creating Analytics.

  1. Open the Jamf Protect console
  2. Select “Analytics”
  3. Select “Create Analytic”
  4. Add the name “Threat Prevention File Quarantined”
  5. Add the category “Known Malware”
  6. Paste “Monitoring for when a process is moved to quarantine from Threat Prevention” into the description field
  7. Set Sensor Type to “GPFSEvent”
  8. Switch to “Filter Text View”
  9. Paste the NSPredicate below
  10. Under Analytic Actions
  11. Check “Log”
  12. Check “Add to Jamf Pro Smart Group”
  13. In the text pop displayed choose a text value, this will be the Extension Attribute written to the device by the Jamf Protect Agent when a detection occurs. (ex. malware)
  14. Scroll to the top and Select “Save”
  15. Select “Plans”
  16. Select your desired plan
  17. Select the “Analytics” tab (this is the tab next to “Summary”)
  18. Check the new Analytic for “Threat Prevention File Quarantined”
  19. Scroll to the top and Select “Save Plan Analytics”

*Note: At next check-in the device will receive the updated plan with the newly added analytic.

NSPredicate for Jamf Protect analytic

 $event.isNewFile == 1 AND $event.path MATCHES [c] "/Library/Application Support/JamfProtect/Quarantine/.*/.*"

Add DEPNotify to Jamf Pro

Upload the latest DEPNotify package into Jamf Pro from the link below. (Jamf Pro Settings > “Computer Management” > “Packages”).

DEPNotify Policy:

  1. Create a new Policy (follow the Policy steps from the Jamf Pro Setup Section)
  2. Add a “Script” configuration, add the script below

*NOTE: The script must first be added to Jamf Pro Settings > “Computer Management”> “Scripts”

  1. Select “After” under Priority
  2. Add a “Packages” configuration, add the DEP Notify package
  3. Select the “Scope” tab
  4. Select “Computer Group” > “Add”
  5. Select the new Smart Computer Group that was created for a malware alert
  6. Select “Save”

DEPNotify Script

 #!/bin/bash

# Version 1.0.0

##########################################################################################################

# Script by Sean Rabbitt, Jamf Senior Sales Engineer and Kelli Conlin, Jamf Security Solutions Specialist

##########################################################################################################

# DEP Notify for Jamf Protect

if [ -f "/Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify" ]; then

/Applications/Utilities/DEPNotify.app/Contents/MacOS/DEPNotify -fullScreen &

else

echo "DEP Notify Not Present.. Exiting"

exit 1;

fi

#Icon

echo "Command: Image: /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns" >> /var/tmp/depnotify.log

#Title

echo "Command: MainTitle: Jamf Protect Remediation" >> /var/tmp/depnotify.log

#Main Text Body

echo "Command: MainText: Malicious activity on this computer has been detected by Jamf Protect.\nIf this screen appears for longer than 5 minutes, call the IT Department on the back of your badge to create a help desk ticket.\n \nControl will return when the malicious software has been isolated." >> /var/tmp/depnotify.log

#Status Message

echo "Status: Isolating malicious software..." >> /var/tmp/depnotify.log

echo "Command: Determinate: 2" >> /var/tmp/depnotify.log

# Here's where you would put your Jamf policy command

jamf policy -event clearing

sleep 2

# Here's where you would put your Jamf policy command

#jamf policy -event protectrocks

#sleep 2

#Completed Status Message

echo "Status: The malicious software has been isolated." >> /var/tmp/depnotify.log

echo "Command: DeterminateManualStep" >> /var/tmp/depnotify.log

sleep 2 # Optional sleeps...

#Completed Title

echo "Command: MainTitle: Remediation Complete" >> /var/tmp/depnotify.log

#Completed Icon

echo "Command: Image: /Library/Application Support/JamfProtect/JamfProtect.app/Contents/Resources/AppIcon.icns" >> /var/tmp/depnotify.log

#Completed Text Body

echo "Command: MainText: The malicious software has been isolated. Reboot is recommended.\n \nSave your work and reboot your computer.\n\nPhishing attempts are the biggest risk to organization data. If you receive any unusual emails or phone calls asking for access to your user name, password, requests to install software, or start screen sharing to your computer, contact the IT Security Department by calling the number on the back of your badge. \nHave your Employee ID ready when you call." >> /var/tmp/depnotify.log

echo "Command: DeterminateManualStep" >> /var/tmp/depnotify.log

echo "Status: " >> /var/tmp/depnotify.log

echo "Command: ContinueButton: Continue" >> /var/tmp/depnotify.log

# Alternative Command to force a restart:

#echo "Command: ContinueButtonRestart: Restart" >> /var/tmp/depnotify.log

rm /var/tmp/depnotify.log

#rm /var/tmp/com.depnotify.provisioning.done

# If forcing a restart

#rm /var/tmp/com.depnotify.provisioning.restart

#Remove Jamf Protect Extension Attribute

rm /Library/Application\ Support/JamfProtect/groups/*

#Update Jamf Inventroy

jamf recon

#Remove DEPNotify

rm -R /Applications/Utilities/DEPNotify.app

Policy command

  1. Create a new policy
  2. In the General area, enter a name for this policy, and insert a Custom Trigger of “clearing.” This will allow the policy to run from the DEPNotify script.
  3. Set the execution frequency to “Ongoing”
  4. Add a “Script” configuration, add the script below
    *NOTE: The script must first be added to Jamf Pro Settings > “Computer Management”> “Scripts”
  5. Scope to "All Computers and Users"
  6. Select “Save”

Malware extraction script

 #!/bin/bash

# Malware Cleanup for Jamf Protect

#Zip Malware

cd /Library/Application\ Support/JamfProtect/Quarantine/*; zip -r -X "../Malware-$(date +%Y_%m_%d-%H_%M_%S).zip" *

#Move Malware to a new location, Default is /Users/Shared

cd /Library/Application\ Support/JamfProtect/Quarantine/; mv Malware*.zip /Users/Shared

#Remove the Malware

rm -R /Library/Application\ Support/JamfProtect/Quarantine/*

Learn more about remediating a macOS security incident

Kelli Conlin
Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.