SOARin with Jamf Protect & Pro

Now, this is not about the best ride at Epcot. In this article, I am going to walk you through using Jamf Protect and Jamf Pro together to create customized remediation workflows. This will allow you to create Security Orchestration, Automation, and Response (SOAR)-like functionality for your Mac fleet by leveraging policies created in Jamf Pro to remediate detections based on Jamf Protect.

April 29 2021 by Kelli Conlin

Below, you will find three different remediation workflows that illustrate how this functionality works. Each workflow is keyed to a threat level classification, which determines the method of remediation or response and makes it easier to manage several remedial workflows side by side.

DISCLAIMER: These are sample workflows and should be properly tested before being implemented in your production environment.

Jamf Protect setup

Identify the analytics that you would like to set up responses for:

  1. Open the Jamf Protect console
  2. Select “Analytics”
  3. Identify the chosen analytic
  4. Select the “Update Actions” tab
  5. Check “Add to Jamf Pro Smart Group”
  6. In the text pop-up displayed, choose a text value. This will be the extension attribute value written to the device by the Jamf Protect agent when the detection occurs (e.g. low, medium, high, malware)

Jamf Pro initial setup

I. Extension attribute script:

  1. Open the Jamf Pro Settings > “Computer Management” > “Extension Attributes”
  2. Select “New from Template”
  3. Open the “Jamf” Section
  4. Select “Jamf Protect Smart Groups”
  5. Select “Save” at the bottom of the page

II. Smart Group creation:

  1. Select “Computers”
  2. Then select “Smart Computer Groups”
  3. Select the “+ New” button at the top right
  4. Enter a name for this Smart Computer Group (e.g. “Security: Jamf Protect low threat”)
  5. Select “Criteria” tab
  6. Select “Add” button, then select “Show Advanced Criteria”
  7. Find the “Jamf Protect Smart Groups” attribute, select “Choose”
  8. Enter the text of the extension attribute value (the one created above in the Jamf Protect setup section)
  9. Select “Save”

NOTE: Once the extension attribute is written to the device by the Jamf Protect agent, it must be removed again for the device to fall out of the Smart Group; otherwise the remediation policy keeps matching. This can be performed by using the script below to clear all extension attributes created by Jamf Protect.

III. Policy Event Trigger:

  1. Select “Computers”
  2. Select “Policies”
  3. Select “New” button
  4. In the General area, enter a name for this policy and insert a custom trigger of “protect”. This will allow the policy to run when the Jamf Protect agent has a detection
  5. Set the execution frequency to “Ongoing”

Low-level threat:

In this workflow, you will prompt your end-user with a pop-up message from Jamf Helper explaining what has occurred on their device. This response is informational only and non-invasive (i.e. no file deletion or isolation). This workflow will automatically clear the extension attribute after prompting the end-user.

Jamf Helper policy:

  1. Create a new policy (follow the policy steps from the Jamf Pro initial setup section above)
  2. Add a “Script” configuration. (Sample script found below must first be added to Jamf Pro > Settings > Computer Management > Scripts)
  3. Select the “Scope” tab
  4. Select “Computer Group” > “Add”
  5. Select the new Smart Computer Group that was created for a low-level alert
  6. Select “Save”
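The following is an added example of the kind of script this policy could carry, written for this article and not the author's own sample script. It serves both the low-level prompt here and the NOTE above about clearing the Jamf Protect extension attribute. It assumes that the Jamf Protect agent records the "Add to Jamf Pro Smart Group" value as a marker file under /Library/Application Support/JamfProtect/groups and that the "Jamf Protect Smart Groups" extension attribute template reads that directory (verify both against your own EA template). The policy parameters $4 to $7, the optional Self Service deep link and the function names are this example's own choices; the Self Service URL scheme is Jamf Pro's.

```shell
#!/bin/bash
# protect_alert.sh (added example): Jamf Pro policy script for a low-level
# Jamf Protect detection. Shows an informational Jamf Helper dialog, then
# clears the Smart Group marker so the Mac drops out of the remediation group.
#
# Jamf Pro always passes $1 mount point, $2 computer name, $3 username.
# Policy script parameters used here (all are this example's own convention):
#   $4  dialog title
#   $5  dialog message
#   $6  "clear" (default) to remove the Jamf Protect group markers afterwards;
#       anything else leaves them in place (as the high-level workflow does)
#   $7  optional Jamf Pro policy ID; when set, the policy is opened in
#       Self Service after the dialog (the medium-level workflow)

# Assumption: marker files written by the Jamf Protect agent live here.
PROTECT_GROUPS_DIR="${PROTECT_GROUPS_DIR:-/Library/Application Support/JamfProtect/groups}"
JAMF_HELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
JAMF_BIN="/usr/local/bin/jamf"

# Number of marker files present, i.e. what the extension attribute reports.
count_protect_groups() {
    dir="${1:-$PROTECT_GROUPS_DIR}"
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -mindepth 1 -maxdepth 1 -type f | wc -l | tr -d ' '
}

# Remove every marker file so the extension attribute is empty on next recon.
# Succeeds when the directory is empty afterwards or does not exist at all.
clear_protect_groups() {
    dir="${1:-$PROTECT_GROUPS_DIR}"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 -maxdepth 1 -type f -exec rm -f {} +
    [ -z "$(ls -A "$dir")" ]
}

# Informational dialog with a single OK button. Returns jamfHelper's exit code
# (0 = OK clicked); on a host without jamfHelper it logs the text and returns 1.
show_alert() {
    title="$1"; message="$2"
    if [ ! -x "$JAMF_HELPER" ]; then
        echo "jamfHelper not found; would show: [$title] $message" >&2
        return 1
    fi
    "$JAMF_HELPER" -windowType utility -title "$title" -heading "$title" \
        -description "$message" -button1 "OK" -defaultButton 1
}

main() {
    title="${4:-Security notice}"
    message="${5:-Jamf Protect detected low-risk activity on this Mac. No action is required; this message is for your awareness.}"
    clear_flag="${6:-clear}"
    policy_id="${7:-}"

    show_alert "$title" "$message"

    if [ -n "$policy_id" ]; then
        # Open the follow-up policy in Self Service as the logged-in user
        console_user="$(stat -f %Su /dev/console)"
        sudo -u "$console_user" open "jamfselfservice://content?entity=policy&id=${policy_id}&action=view"
    fi

    if [ "$clear_flag" = "clear" ]; then
        clear_protect_groups
        # Submit inventory now so Smart Group membership updates immediately
        [ -x "$JAMF_BIN" ] && "$JAMF_BIN" recon
    fi
}

# With fewer than three arguments (e.g. when sourced for testing) only the
# functions are defined; under Jamf Pro the policy always supplies them.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

The recon after clearing is what makes the remediation policy a one-shot: without it the Mac stays in the Smart Group until the next scheduled inventory and an "Ongoing" policy would prompt the user again on every check-in.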

End result example:

Medium-level threat:

A medium-level threat refers to an occurrence that is unwanted but has minimal impact. For this workflow, when a detection is triggered, the Jamf Helper pop-up message will inform the end-user of what has happened to their device. They will also be required to select “OK”, which opens Self Service and immediately launches a policy-based script that moves items added to the Downloads folder in the last 24 hours to the Trash. This workflow will automatically clear the extension attribute after executing the script.

Jamf Helper Policy:

  1. Create a new policy
  2. Add a “Script” configuration (sample script found below)
  3. Select the “Scope” tab
  4. Select “Computer Group” > “Add”
  5. Select the new Smart Computer Group that was created for a medium-level alert
  6. Select “Save”

Self Service command:

  1. Create a new policy
  2. Set the execution frequency to “Ongoing”
  3. Add a “Script” configuration (sample script found below)
  4. Select the “Self Service” tab
  5. Check “Make the policy available in Self Service”
  6. Select the “Scope” tab
  7. Select “Computer Group” > “Add”
  8. Select the new Smart Computer Group that was created for a medium-level alert
  9. Select “Save”
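As an added example (not the author's sample script), here is a Self Service policy script for the cleanup step above. It moves top-level items that appeared in the logged-in user's Downloads folder within the last 24 hours into that user's Trash, then clears the Jamf Protect marker directory and submits inventory. It assumes the same marker directory as the earlier example, uses file modification time as a stand-in for Finder's "Date Added" (on macOS you could compare kMDItemDateAdded from mdls instead), and the function names are this example's own.

```shell
#!/bin/bash
# trash_recent_downloads.sh (added example): Self Service policy script for
# the medium-level workflow.

# Assumption: marker files written by the Jamf Protect agent live here.
PROTECT_GROUPS_DIR="${PROTECT_GROUPS_DIR:-/Library/Application Support/JamfProtect/groups}"
JAMF_BIN="/usr/local/bin/jamf"

# Move top-level entries of $1 modified within the last 24 hours into $2 and
# print how many were moved. Hidden files such as .DS_Store are left alone and
# a name clash in the destination gets a timestamp suffix rather than an
# overwrite. -mmin is used instead of -mtime because BSD find rounds -mtime
# up to whole days, which would skip files from the last few hours.
move_recent_items() {
    src="$1"; dest="$2"; moved=0
    [ -d "$src" ] || { echo 0; return 0; }
    mkdir -p "$dest"
    list="$(mktemp)"
    find "$src" -mindepth 1 -maxdepth 1 ! -name '.*' -mmin -1440 > "$list"
    while IFS= read -r item; do
        name="$(basename "$item")"
        target="$dest/$name"
        [ -e "$target" ] && target="$dest/$name.$(date +%Y%m%d%H%M%S)"
        mv "$item" "$target" && moved=$((moved + 1))
    done < "$list"
    rm -f "$list"
    echo "$moved"
}

main() {
    # Resolve the console user's home rather than assuming /Users/<name>
    console_user="$(stat -f %Su /dev/console)"
    home="$(dscl . -read "/Users/$console_user" NFSHomeDirectory | awk '{print $NF}')"

    count="$(move_recent_items "$home/Downloads" "$home/.Trash")"
    echo "Moved $count item(s) from Downloads to Trash for $console_user"

    # Clear the Jamf Protect marker so the Mac leaves the Smart Group,
    # then submit inventory so the policy does not re-run on the next check-in
    [ -d "$PROTECT_GROUPS_DIR" ] && \
        find "$PROTECT_GROUPS_DIR" -mindepth 1 -maxdepth 1 -type f -exec rm -f {} +
    [ -x "$JAMF_BIN" ] && "$JAMF_BIN" recon
}

# Jamf Pro always supplies at least three positional parameters; with fewer
# (e.g. when sourced for testing) only the functions are defined.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Moving rather than deleting keeps the response reversible: a user who downloaded something legitimate in the same window can recover it from the Trash, which is the right trade-off for a detection described as "unwanted but minimal impact".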

End result example:

Example of the alert triggering a policy to execute on low level threat detection.

High-level threat:

A high-level threat is used where a malicious action has occurred but there is not enough context to know what the impact may be. For this workflow, when a detection is triggered, a Jamf Helper pop-up message will inform the end-user of what has happened to their device and additionally state that their device is being isolated from the network. The device is then quarantined by excluding it from the network configuration profile. This workflow will NOT automatically clear the extension attribute, so an administrator decides when the device leaves quarantine. Also, there is a risk that the configuration profile exclusion is processed before the Jamf Helper script can run, in which case the user is cut off from the network before seeing the message.

Jamf Helper policy:

  1. Create a new policy
  2. Add a “Script” configuration (sample script found below)
  3. Select “Before” under Priority
  4. Select the “Scope” tab
  5. Select “Computer Group” > “Add”
  6. Select the new Smart Computer Group that was created for a high-level alert
  7. Select “Save”

Smart Group exclusion:

  1. Find your network configuration profile
  2. Select the “Scope” tab
  3. Select “Exclusions”
  4. Select “Computer Group” > “Add”
  5. Select the new Smart Computer Group that was created for a high-level alert
  6. Select “Save”

End result example:

DEPNotify workflow:

Like Jamf Helper, DEPNotify allows alerts to be customized, but unlike Jamf Helper it requires a separate package to be installed. In this workflow, when Jamf Protect’s Threat Prevention feature detects a known threat (or malware), the end-user is locked in fullscreen mode by DEPNotify while a policy-based script runs to clean up the detected threat, sanitizing the device. This workflow requires a custom analytic in Jamf Protect to go beyond the native block and quarantine functionality. Also, this workflow will automatically clear the extension attribute after DEPNotify runs, deleting the DEPNotify application once it is completed.

Jamf Protect custom analytic:

NOTE: This is considered an advanced level administration practice. Please see this section of the Jamf Protect Administrator’s Guide for more information on creating analytics. Once the new analytic has been created and added to a plan, the device will receive the updated plan with the newly added analytic on its next check-in with Jamf.

  1. Open the Jamf Protect console
  2. Select “Analytics”
  3. Select “Create Analytic”
  4. Add the name “Threat Prevention File Quarantined”
  5. Add the category “Known Malware”
  6. Paste the following into the description field “Monitoring for when a process is moved to quarantine from Threat Prevention”
  7. Set Sensor Type to “GPFSEvent”
  8. Switch to “Filter Text View”
  9. Paste the NSPredicate below
  10. Under Analytic Actions
    • Check “Log”
    • Check “Add to Jamf Pro Smart Group”
    • In the text pop-up displayed, choose a text value. This will be the extension attribute value written to the device by the Jamf Protect agent when the detection occurs (e.g. Malware)
  11. Scroll to the top and select “Save”
  12. Select “Plans”
  13. Select your desired plan
  14. Select the “Analytics” tab
  15. Check the new Analytic for “Threat Prevention File Quarantined”
  16. Scroll to the top and select “Save Plan Analytics”

Add DEPNotify to Jamf Pro:

Upload the latest version of the DEPNotify package into Jamf Pro from the link below (Jamf Pro Settings > “Computer Management” > “Packages”).

DEPNotify policy:

  1. Create a new policy
  2. Add a “Script” configuration (sample script found below)
  3. Select “After” under Priority
  4. Add a “Packages” configuration and add the DEPNotify package
  5. Select the “Scope” tab
  6. Select “Computer Group” > “Add”
  7. Select the new Smart Computer Group that was created for a malware alert
  8. Select “Save”

Policy command:

  1. Create a new policy
  2. In the General area, enter a name for this policy and insert a custom trigger of “clearing”. This will allow the policy to be run from the DEPNotify script.
  3. Set the execution frequency to “Ongoing”
  4. Add a “Script” configuration (sample script found below)
  5. Scope to “All Computers and Users”
  6. Select “Save”
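As an added example (not the author's sample script), the following is an "After" script for the DEPNotify policy above. It writes the fullscreen lock-down text to the control file DEPNotify tails, launches DEPNotify as the logged-in user, runs the “clearing” policy via its custom trigger, and finally quits and removes DEPNotify. It assumes the package installs DEPNotify.app into /Applications/Utilities, that the control file is DEPNotify's default /var/tmp/depnotify.log, that the “clearing” policy's own script removes the Jamf Protect marker and runs recon (for instance the clearing functions shown earlier in this article's added examples), and that $4 carries the threat name as a policy parameter; the function names are this example's own.

```shell
#!/bin/bash
# protect_malware_response.sh (added example): "After" script in the
# DEPNotify policy for the malware workflow.

DEPNOTIFY_APP="/Applications/Utilities/DEPNotify.app"
# DEPNotify's default control file; it reads new lines as they are appended.
DEPNOTIFY_LOG="${DEPNOTIFY_LOG:-/var/tmp/depnotify.log}"
JAMF_BIN="/usr/local/bin/jamf"

# Append one DEPNotify control line. $1 = control file, rest = the line,
# e.g. "Command: MainTitle: Security alert" or "Status: Working..."
depnotify_write() {
    log="$1"; shift
    printf '%s\n' "$*" >> "$log"
}

# Start a fresh control file with the lock-down screen for threat $2.
# Writes exactly three lines: title, body text and the first status line.
write_lockdown_screen() {
    log="$1"; threat="${2:-a known threat}"
    : > "$log"
    depnotify_write "$log" "Command: MainTitle: Security alert"
    depnotify_write "$log" "Command: MainText: Jamf Protect detected $threat on this Mac and quarantined it. Please wait while your device is cleaned. Do not restart or close this window."
    depnotify_write "$log" "Status: Preparing cleanup..."
}

main() {
    threat="${4:-a known threat}"
    console_user="$(stat -f %Su /dev/console)"

    write_lockdown_screen "$DEPNOTIFY_LOG" "$threat"
    chmod 644 "$DEPNOTIFY_LOG"   # DEPNotify runs as the user and must read it

    # Full screen keeps the alert in front until we send Quit
    sudo -u "$console_user" open -a "$DEPNOTIFY_APP" --args -fullScreen

    depnotify_write "$DEPNOTIFY_LOG" "Status: Removing detection markers and updating inventory..."
    # Run the policy with the custom trigger "clearing" created on this page
    "$JAMF_BIN" policy -event clearing
    depnotify_write "$DEPNOTIFY_LOG" "Status: Cleanup complete. Thank you for your patience."
    sleep 5

    depnotify_write "$DEPNOTIFY_LOG" "Command: Quit"
    sleep 2
    # Remove the app and its control file now that the response is finished
    rm -rf "$DEPNOTIFY_APP" "$DEPNOTIFY_LOG"
}

# Jamf Pro always supplies at least three positional parameters; with fewer
# (e.g. when sourced for testing) only the functions are defined.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Because the policy installs the DEPNotify package before this "After" script runs and the script deletes the app at the end, each detection gets a clean install and the Mac is left without a lingering fullscreen tool once the response completes.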

End result example:

Example of the alert triggering a notification screen warning the user of malware detected.

Contact Jamf to learn more about how integrating Jamf Pro and Jamf Protect can help your incident response and remediation team SOAR higher.
