JAMF Application source tracking

jkingqc
New Contributor II

I'm trying to determine if this is possible. I know Jamf can keep track of what applications are installed. Is it possible for it to track when an application is installed via a 3rd party app store or cli and not from the official app store or self service app? Maybe via an extension attribute or something. I'm still researching this outside of this post as well. If i do find an answer outside of this forum. I will update this post to include those instructions for anyone that may need it in the future. 

2 REPLIES 2

jamf-42
Valued Contributor II

what are you expecting as an output and how would you collate the data?

If you've given people admin rights they need to install apps, they must be trusted? If not, they should not have admin rights. 

While I could be possible. Not sure JAMF / EAs are the best method. 

Better to provide all the apps people need in Self Service via Apple App Store and JAMF Mac Apps. 

as for 'cli' apps, if you mean Homebrew, thats a whole different game.. 

 

AJPinto
Honored Contributor III

Beyond telling if an app came from the App Store or not, there is not a direct way to get the information you are wanting. Unless a developer chose to bake something into the app bundle that tells you where the application came from (which would not be reliable anyway), you would have to dig through OS event logging to know where the source files came from.

  • Mac App Store - To tell if an App came from the AppStore you need to check the Application Contents of the .app and see if there is a folder called _MASReceipt in the directory. If there is, its an AppStore App. 
  • Jamf Self Service - Unless you deploy a flag (text file) to the devices in the policy or package that can be picked up with an EA.
    • The "flag" can also yield a false positive if the user originally installed the application from SS and later reinstalled it from a 3rd party source.
    • Jamf does have a receipts directory in /Library/Application Support/Jamf/Receipts that tells you what Jamf has installed in the past, you can cross reference this and make assumptions but there is no way to prove the source of the existing install.
    • /var/log/jamf.log will also tell you what Jamf has installed, but again you cannot prove the existing install came from Jamf or somewhere else, just that Jamf has installed the thing at some point.
  • Identify install Source - The source of an application will be logged in /var/log/install.log
    • Jamf Pro is not able to parse install.log with an extension attribute as that would break device check-in due to how long it takes to parse the install log
    • Tools like Jamf Protect can redirect macOS event logs to Splunk which you can write dashboards and reports based on install source.
  • You can try application Hashing; with this you can at least ensure the copy of an application on a device matches the exact package that Jamf is deploying. 

 

TL;DR: To do what you are wanting; you need to redirect macOS event logs to SIEM and write dashboards based on the data. This is not something Jamf Pro is designed to do.