Anyone else see "sentry.pub.jamf.build" in their computer traffic

usd230it
New Contributor

Our Macs are reaching out to "sentry.pub.jamf.build" on the regular. Anyone know what is being sent there? Resolves to an AWS host stateside. "jamf.build" owned by Jamf, llc.

That's all I can find.

5 REPLIES 5

tycrocker
New Contributor

No idea what it is, but i see it hitting my firewall too.

bradtchapman
Valued Contributor II

I also saw this when I launched Composer—thanks Little Snitch! According to the logs, actually, it has been going on since at least September 2020 (I don't usually launch Composer on this Mac).

I decided to try using Charles Proxy as a MITM. Decoding was successful.

This is the conversation that Composer had with Jamf:

API CALL

:method: POST
:scheme: https
:path: /api/10/store/
:authority: sentry.pub.jamf.build
accept: */*
content-type: application/json
accept-language: en-us
accept-encoding: br, gzip, deflate
content-encoding: gzip
user-agent: sentry-cocoa
content-length: 0
x-sentry-auth: Sentry sentry_version=7,sentry_client=sentry-cocoa/5.0.4,sentry_timestamp=1616088163,sentry_key=78ddbb873d634ed1a509b2af040cfe10

DATA SENT TO JAMF

{
    "extra": {},
    "message": "Startup completed",
    "timestamp": "2021-03-18T17:22:43Z",
    "release": "com.jamfsoftware.Composer@10.24.2+10.24.2-t1600451425",
    "dist": "RELEASE",
    "tags": {
        "DURATION": "00:00:04"
    },
    "breadcrumbs": [{
        "message": "Breadcrumb Tracking",
        "timestamp": "2021-03-18T17:22:32Z",
        "level": "info",
        "type": "debug",
        "category": "started"
    }],
    "level": "info",
    "platform": "cocoa",
    "sdk": {
        "name": "sentry.cocoa",
        "version": "5.0.4"
    },
    "contexts": {
        "os": {
            "build": "18G8022",
            "rooted": false,
            "kernel_version": "Darwin Kernel Version 18.7.0: Tue Jan 12 22:04:47 PST 2021; root:xnu-4903.278.56~1/RELEASE_X86_64",
            "name": "macOS",
            "version": "10.14.6"
        },
        "device": {
            "free_memory": 2798387200,
            "arch": "x86",
            "family": "macOS",
            "memory_size": 17179869184,
            "storage_size": 499963174912,
            "model": "MacBookPro14,2",
            "boot_time": "2021-03-14T18:14:09Z",
            "timezone": "PDT",
            "usable_memory": 16489644032
        },
        "app": {
            "app_id": "91DC99E0-6763-3012-A760-402590FC88C7",
            "app_version": "10.24.2",
            "app_identifier": "com.jamfsoftware.Composer",
            "app_start_time": "2021-03-18T17:22:32Z",
            "device_app_hash": "f23c56b26ad6e8801daf5116a3ebaa7e0a866114",
            "app_build": "10.24.2-t1600451425",
            "build_type": "unknown",
            "app_name": "Composer"
        }
    },
    "event_id": "c8b1586a31fa488cbdd9f89cdcf747db"
}

It appears to be sending analytics about the Mac that is running Composer. Nothing more.

@scafide , a little light on this one please?

bradtchapman
Valued Contributor II

There is a similar POST when Self Service is launched:

{
    "extra": {},
    "message": "Self Service Launched",
    "timestamp": "2021-03-18T22:42:43Z",
    "release": "com.jamfsoftware.selfservice.mac@10.26.1+10.26.1-t1606923553",
    "dist": "RELEASE",
    "tags": {},
    "breadcrumbs": [{
        "message": "Breadcrumb Tracking",
        "timestamp": "2021-03-18T22:42:43Z",
        "level": "info",
        "type": "debug",
        "category": "started"
    }],
    "level": "info",
    "platform": "cocoa",
    "sdk": {
        "name": "sentry.cocoa",
        "version": "5.2.2"
    },
    "contexts": {
        "os": {
            "build": "18G8022",
            "rooted": false,
            "kernel_version": "Darwin Kernel Version 18.7.0: Tue Jan 12 22:04:47 PST 2021; root:xnu-4903.278.56~1/RELEASE_X86_64",
            "name": "macOS",
            "version": "10.14.6"
        },
        "device": {
            "free_memory": 283066368,
            "arch": "x86",
            "family": "macOS",
            "memory_size": 17179869184,
            "storage_size": 499963174912,
            "model": "MacBookPro14,2",
            "boot_time": "2021-03-14T18:14:09Z",
            "timezone": "PDT",
            "usable_memory": 15576420352
        },
        "app": {
            "app_id": "C38BD1AA-8B7E-30F3-808B-2B629B04D672",
            "app_version": "10.26.1",
            "app_identifier": "com.jamfsoftware.selfservice.mac",
            "app_start_time": "2021-03-18T22:42:43Z",
            "device_app_hash": "e78a4fc34f8af9527fbfb72c3f30a8835e80a136",
            "app_build": "10.26.1-t1606923553",
            "build_type": "unknown",
            "app_name": "Self Service"
        }
    },
    "event_id": "6bad52a64f6249a090d5c522bd2feed6"
}

bradtchapman
Valued Contributor II

There doesn't appear to be any data tying this app to any specific customer. Perhaps we've stumbled upon one of the ways that Jamf measures the number of devices using its applications?

atomczynski
Valued Contributor

I was tasked to help configure EDR and thought of getting Little Snitch with the idea to utilize it on a clean machine to help establish a baseline. It has been a while since I used the app (previously licensed for version 3)

I too have noticed calls to that domain when Self Service is launched and wanted to add my notes to this thread, however I see you have already posted an update.

IMHO need to trust your MDM (or switch to a different platform). I'm not super concerned with the data gathered with this method, but Jamf should be more transparent about the fact and I expect them to be more transparent.

9eb2fa75f70f4cd894b001dedb8a88d0

048f6eb7c40c44eeb5aa3945223096ae