From custom to built-in: how telemetry simplifies macOS auditing
Learn how to get deep insight into your fleet out of the box with Jamf's Mac Endpoint Telemetry feature.
For years, Jamf customers have used custom analytics and unified log filters to gain deeper visibility into macOS activity — from privileged commands and remote access to user creation and external device usage. These tools helped teams extend visibility and meet compliance or security goals, but they often required careful tuning, upkeep and deep platform knowledge.
Now, many of the most popular use cases those tools were built for are available natively with Jamf's Mac Endpoint Telemetry feature.
In this blog, we’ll walk through the most widely used custom filters, discussing why teams rely on them and how those same insights are now captured out of the box with telemetry. You’ll get the same visibility, but with less effort, better performance, and richer context for investigation or automation.
Identity and access
- Privileged execution with sudo
- User substitution
- SSH login and logout
- Password changes
- User creation
System, process and policy visibility
- Removable media and network shares
- LaunchDaemons and LaunchAgents
- Configuration profile monitoring
- Process, script and command-line visibility
What is telemetry in Jamf Protect?
Included with Jamf for Mac, Jamf Protect’s Mac telemetry feature gives your team the visibility needed to stay ahead — capturing rich, native macOS data you can send to your SIEM, cloud storage, or local logs. Whether you're proving compliance, investigating a security event or supporting IT operations, telemetry gives you the context to move faster and make smarter decisions. Built on Apple’s Endpoint Security API, Mac Endpoint Telemetry offers efficient, detailed insight into system, user and process activity across your Mac fleet.
Why use telemetry instead of custom filters?
- No extra tuning required: You don’t need to build or maintain custom predicates. Jamf handles the monitoring on your behalf, including ongoing improvements and updates over time.
- Streamlined analysis and correlation: Telemetry provides structured, standardized event data that’s easy to work with — enabling better enrichment, correlation across system activity and faster investigation.
- Performance and efficiency: Events are collected through Apple’s Endpoint Security API — a trusted, tamper-resistant data source purpose-built for security and optimized for low overhead.
- SIEM-ready integrations: Telemetry is supported by Jamf’s SIEM add-ons and parsers for tools like Splunk, Microsoft Sentinel and more.
- Built for scale: Whether you manage 50 Macs or 50,000, telemetry helps you operationalize visibility with less friction.
Built-in telemetry for identity and access
Privileged execution with sudo
- Why it matters: Sudo commands grant elevated privileges and are a key indicator of administrative activity. They’re often used in legitimate workflows, but also in post-compromise scenarios for persistence or data access.
- Telemetry category: access and authentication
- Event: `sudo`
- Key fields of interest:
  - User who invoked sudo
  - Command executed
  - Result (success/failure)
- Tip: Correlate with `exec` events to see exactly what process was launched. This gives security teams full traceability across privilege escalation attempts.
User substitution
- Why it matters: Switching users can be a sign of internal misuse, misconfiguration or lateral movement. Monitoring `su` events helps build a full picture of account transitions on shared or sensitive devices.
- Telemetry category: access and authentication
- Event: `su`
- Key fields of interest:
  - From user and target user
  - Result (success/failure)
- Tip: Combine with process telemetry to understand what actions were taken after a user switch — especially useful in investigations.
SSH login and logout
- Why it matters: SSH access is commonly used for remote management — but also targeted in brute force attacks and lateral movement. Visibility into who accessed a device, from where and when is essential for security and audit.
- Telemetry category: access and authentication
- Events: `openssh_login`, `openssh_logout`
- Key fields of interest:
  - Source IP address
  - Username and UID
  - Authentication result
- Tip: Pair with MDM policy to restrict SSH where not needed, and use telemetry to validate access controls.
Password changes
- Why it matters: Changing the root password is rare in managed environments — and often a red flag. Monitoring these changes helps ensure that any modification is intentional and approved.
- Telemetry category: users and groups
- Event: `od_modify_password`
- Key fields of interest:
  - Affected account
  - Change result/error code
  - Instigating process
- Tip: Monitor password changes for the root user to be alerted to unexpected enablement.
User creation
- Why it matters: Local user creation may be part of provisioning, but can also signal persistence, misconfiguration or unauthorized access.
- Telemetry category: users and groups
- Event: `od_create_user`
- Key fields of interest:
  - Username and UID
  - Operation result
  - Instigating process
- Tip: Audit process ancestry to determine whether users were created via expected workflows (like automated setup, System Settings and Jamf Connect) or manually through Terminal or third-party scripts.
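The identity checks above (sudo correlated with the exec it spawns, SSH failure bursts, root password changes) as an added SIEM-side example; this is not Jamf's code, the event names come from the post, and the JSON field names and sample events are a constructed, simplified shape rather than Jamf Protect's real data model.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample events in a simplified, assumed JSON shape (one per line, as a SIEM
# would receive them); the event names come from the post, the field names do not.
SAMPLE_LOG = """\
{"event":"sudo","ts":"2024-05-01T10:00:00Z","user":"jdoe","command":"/usr/sbin/installer -pkg tool.pkg","result":"success","pid":501}
{"event":"exec","ts":"2024-05-01T10:00:01Z","user":"root","path":"/usr/sbin/installer","ppid":501}
{"event":"sudo","ts":"2024-05-01T10:05:00Z","user":"jdoe","command":"/usr/bin/vi /etc/sudoers","result":"failure","pid":777}
{"event":"openssh_login","ts":"2024-05-01T11:00:00Z","user":"admin","uid":501,"source_ip":"198.51.100.7","result":"failure"}
{"event":"openssh_login","ts":"2024-05-01T11:00:02Z","user":"admin","uid":501,"source_ip":"198.51.100.7","result":"failure"}
{"event":"openssh_login","ts":"2024-05-01T11:00:03Z","user":"admin","uid":501,"source_ip":"198.51.100.7","result":"failure"}
{"event":"od_modify_password","ts":"2024-05-01T12:00:00Z","account":"root","result":0,"instigator":"/usr/bin/passwd"}
"""

def parse_events(text):
    """Parse newline-delimited JSON and turn the ISO-8601 timestamp into a datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events

def sudo_with_exec(events, window_s=5):
    """Pair each successful sudo with the exec it spawned: child ppid == sudo pid, close in time."""
    pairs = []
    for s in (e for e in events if e["event"] == "sudo" and e["result"] == "success"):
        for x in (e for e in events if e["event"] == "exec" and e.get("ppid") == s["pid"]):
            if 0 <= (x["ts"] - s["ts"]).total_seconds() <= window_s:
                pairs.append((s["user"], s["command"], x["path"]))
    return pairs

def ssh_failure_bursts(events, threshold=3):
    """Return (source_ip, user, count) where SSH failures reach the threshold (brute-force signal)."""
    counts = Counter((e["source_ip"], e["user"]) for e in events
                     if e["event"] == "openssh_login" and e["result"] == "failure")
    return [(ip, user, n) for (ip, user), n in counts.items() if n >= threshold]

def root_password_changes(events):
    """od_modify_password against root is rare in a managed fleet and worth an alert."""
    return [(e["instigator"], e["result"]) for e in events
            if e["event"] == "od_modify_password" and e["account"] == "root"]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(sudo_with_exec(evs), ssh_failure_bursts(evs), root_password_changes(evs))
```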
Built-in telemetry for system, process and policy visibility
Removable media and network shares
- Why it matters: External storage and mounted shares are common vectors for data exfiltration. Real-time visibility helps enforce acceptable use policies, detect risky activity and meet compliance requirements around removable storage.
- Telemetry category: hardware and volumes
- Events: `mount`, `unmount`, `remount`
- Key fields of interest:
  - Device serial number, vendor/product ID
  - Volume name and path
  - Filesystem type, writable status, encryption state
- Tip: Use this telemetry to validate device control policies and spot unmanaged or unsanctioned access to external or network storage.
LaunchDaemons and LaunchAgents
- Why it matters: These mechanisms are one of the most common ways attackers gain persistence on macOS. Tracking when launch items are added or removed helps security teams spot suspicious changes before they’re used to maintain access or evade detection, or IT teams wrangle unmanaged persistence.
- Telemetry category: persistence
- Events: `btm_launch_item_add`, `btm_launch_item_remove`
- Key fields of interest:
  - Path to the launch item or executable
  - Instigating process
  - Metadata: managed status, file location, owner UID
- Tip: The Persistence category offers visibility into other built-in mechanisms, while Jamf Protect’s analytics detect legacy or uncommon persistence for investigation.
Configuration profile monitoring
- Why it matters: Profiles define your organization’s network access and security baselines but can also enable users to install unsafe configurations like rogue certificates or unauthorized VPN access.
- Telemetry category: system
- Events: `profile_add`, `profile_remove`
- Key fields of interest:
  - Profile name or identifier
  - Type of change
  - Instigating process
- Tip: Use telemetry to validate whether changes originated from your MDM or were applied manually outside expected workflows.
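The provenance check that the launch-item and profile tips describe (did the change come from the MDM workflow, and is the launch item managed and in a sane location?) as an added example; this is not Jamf's code, the event names are the post's, and the JSON field names, the sample events and the `EXPECTED_INSTIGATORS` allowlist are assumptions to adjust for your own fleet.

```python
import json

# Assumed allowlist of processes that legitimately add launch items or profiles in a
# Jamf-managed fleet; tune this to the agents and workflows your environment actually uses.
EXPECTED_INSTIGATORS = {"/usr/libexec/mdmclient", "/usr/local/bin/jamf"}

# Constructed sample events in a simplified, assumed JSON shape; only the event names are the post's.
SAMPLE_LOG = """\
{"event":"btm_launch_item_add","path":"/Library/LaunchDaemons/com.example.agent.plist","executable":"/Library/Application Support/Example/agent","instigator":"/usr/local/bin/jamf","managed":true,"owner_uid":0}
{"event":"btm_launch_item_add","path":"/Users/jdoe/Library/LaunchAgents/com.update.helper.plist","executable":"/Users/jdoe/Library/.cache/helper","instigator":"/bin/bash","managed":false,"owner_uid":501}
{"event":"profile_add","identifier":"com.example.wifi","change":"install","instigator":"/usr/libexec/mdmclient"}
{"event":"profile_add","identifier":"com.acme.rootca","change":"install","instigator":"/usr/bin/profiles"}
{"event":"btm_launch_item_remove","path":"/Library/LaunchDaemons/com.example.old.plist","executable":"/opt/old/bin","instigator":"/usr/local/bin/jamf","managed":true,"owner_uid":0}
"""

def parse_events(text):
    """Parse newline-delimited JSON telemetry into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events, expected=EXPECTED_INSTIGATORS):
    """Return (event, path-or-identifier, reasons) for persistence or profile changes needing review."""
    findings = []
    for e in events:
        reasons = []
        outside = e["instigator"] not in expected
        if e["event"] == "profile_add" and outside:
            reasons.append("profile installed outside MDM by " + e["instigator"])
        elif e["event"] == "btm_launch_item_add":
            if outside:
                reasons.append("launch item added outside MDM by " + e["instigator"])
            if not e.get("managed", False):
                reasons.append("unmanaged launch item")
            # Heuristic: a hidden directory or a user-writable home path is a common persistence tell.
            if "/." in e["executable"] or e["executable"].startswith("/Users/"):
                reasons.append("executable in hidden or user-writable location")
        elif e["event"] == "btm_launch_item_remove" and e.get("managed") and outside:
            reasons.append("managed launch item removed outside MDM by " + e["instigator"])
        if reasons:
            findings.append((e["event"], e.get("path") or e.get("identifier"), reasons))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_events(SAMPLE_LOG)):
        print(finding)
```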
Process, script and command-line visibility
- Why it matters: Process execution is one of the most valuable telemetry signals for both IT operations and security. Whether it’s a user launching an app, a background system process or a shell script, this visibility helps you catch risky behavior, spot unmanaged tools and investigate post-event activity.
- Telemetry category: applications and processes
- Event: `exec`
- Key fields of interest:
  - Executable path and signing information
  - Command-line arguments
  - Process ancestry
  - Script flag (indicates script execution)
High-risk or suspicious executables commonly monitored:
- Script interpreters like `python`, `osascript`, `ruby` and `perl` are frequently used in phishing payloads or persistence techniques.
- Unsigned/ad-hoc binaries, especially from `/tmp`, `Downloads` or removable volumes, may indicate unvetted or malicious execution.
- System tampering tools like `security`, `spctl` and `xattr` are often used to dump credentials, bypass Gatekeeper or strip quarantine flags.
- Command-line utilities like:
  - `curl` — download payloads or exfiltrate data
  - `caffeinate` — prevent sleep to keep long-running processes active
  - `brew`, `installer` — signal provisioning or unauthorized installs
Tip: Not all use is bad. But unexpected usage of these tools outside known workflows should raise an eyebrow.
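The exec triage the list above describes (tagging the post's four risk groups from path, signing state, arguments, script flag and ancestry, then suppressing hits whose parent is a known workflow, since "not all use is bad") as an added example; this is not Jamf's code, and the JSON field names, the sample events and the `TRUSTED_PARENTS` allowlist are constructed assumptions rather than the real telemetry data model.

```python
import json, os

# Constructed sample exec events in a simplified, assumed JSON shape; field names are not Jamf's.
SAMPLE_LOG = """\
{"event":"exec","path":"/usr/bin/osascript","args":["osascript","/Users/jdoe/Downloads/setup.scpt"],"signing":"platform","ancestry":["/bin/zsh","/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"],"is_script":false,"user":"jdoe"}
{"event":"exec","path":"/Users/jdoe/Downloads/Installer/helper","args":["helper"],"signing":"adhoc","ancestry":["/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder"],"is_script":false,"user":"jdoe"}
{"event":"exec","path":"/usr/bin/xattr","args":["xattr","-d","com.apple.quarantine","/Users/jdoe/Downloads/tool.app"],"signing":"platform","ancestry":["/bin/zsh"],"is_script":false,"user":"jdoe"}
{"event":"exec","path":"/usr/bin/curl","args":["curl","-fsSL","https://pkgs.example.com/app.pkg","-o","/tmp/app.pkg"],"signing":"platform","ancestry":["/bin/bash","/usr/local/bin/jamf"],"is_script":false,"user":"root"}
{"event":"exec","path":"/bin/zsh","args":["zsh","/Users/jdoe/Desktop/backup.sh"],"signing":"platform","ancestry":["/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"],"is_script":true,"user":"jdoe"}
"""

SCRIPT_INTERPRETERS = {"python", "python3", "osascript", "ruby", "perl"}
TAMPER_TOOLS = {"security", "spctl", "xattr"}
UTILITIES = {"curl", "caffeinate", "brew", "installer"}
RISKY_DIRS = ("/tmp/", "/private/tmp/", "/Downloads/", "/Volumes/")
# Assumed allowlist of parents whose child tool use is an expected workflow (e.g. the MDM agent).
TRUSTED_PARENTS = {"/usr/local/bin/jamf"}

def parse_events(text):
    """Parse newline-delimited JSON telemetry into dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def classify(e):
    """Return the risk tags from the post's list that apply to one exec event."""
    name = os.path.basename(e["path"])
    tags = []
    if name in SCRIPT_INTERPRETERS or e.get("is_script"):
        tags.append("script-interpreter")
    if e["signing"] in ("unsigned", "adhoc") and any(d in e["path"] for d in RISKY_DIRS):
        tags.append("unvetted-binary")
    if name in TAMPER_TOOLS:
        tags.append("system-tampering-tool")
        if name == "xattr" and "com.apple.quarantine" in e["args"]:
            tags.append("quarantine-flag-change")
    if name in UTILITIES:
        tags.append("cli-utility")
    return tags

def review_queue(events, trusted=TRUSTED_PARENTS):
    """Tagged execs whose ancestry contains no trusted parent; the rest are known workflows."""
    out = []
    for e in events:
        tags = classify(e)
        if tags and not trusted.intersection(e["ancestry"]):
            out.append((e["user"], e["path"], tags))
    return out

if __name__ == "__main__":
    for item in review_queue(parse_events(SAMPLE_LOG)):
        print(item)
```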
What’s next
To be clear: custom analytics and unified log filters aren’t going anywhere. They remain essential tools for building advanced detections or monitoring niche workflows. But for the most common use cases? Built-in telemetry makes visibility easier, more reliable, and ready to scale.
Want more details? Check out the Jamf Protect telemetry data model documentation for full event and field breakdowns (requires Jamf ID sign-in).
Try out custom filters in Jamf's Mac Endpoint Telemetry.