What's new in Jamf Protect

matthiasW
New Contributor II
We released a new Jamf Protect agent today (version 3.0.0.366) that overhauls the Jamf Protect Alert UI to better match your workflows and help you prioritize your security response efforts. 
New features
Alert Severity - Security teams are commonly faced with a high incoming count of alerts from various security tools. The concept of alert severity helps these teams prioritize what, if any, investigation they perform against incoming alerts and which to tackle first. 
With this release, alerts will be assigned one of four default severities:
  • High - Known bad malware and behavior that indicates a high confidence of compromise (CVEs, reverse shells, keyloggers, red-team frameworks, etc.)
  • Medium - Known adware/grayware and suspicious behavior (SSH as root, Climpli, etc.)
  • Low - Potentially unwanted programs and behavior that could be suspicious but also exhibited by legitimate vendors (Crypto-miners, behavior to avoid LittleSnitch, etc.)
  • Informational - Interesting events that aid visibility into the environment for investigations and threat hunting (normal launch agent installation, EICAR detections, etc.)
 
Note: All the events that had previously been collected in the “Log” section will now appear in the “Alert” section with a severity of Informational.
 
To make this information easy to digest and actionable, we’ve overhauled our UI for listing and digging into alerts.
 
All severities are assigned based on the analytic that triggered the alert and can be customized.
 
Note: Any older existing deployed agents will continue to function and severity will be displayed in the Jamf Protect console correctly. However, any events sent to a SIEM, S3 bucket, etc. may be missing their severity.
 
Alert Status and Actions - Jamf Protect alerts now have a status to help teams collaborate.
 
By default, any new alert will have a status of “New.” The status can be changed to “In Progress” or “Resolved” in both the alert detail view and in the alert list. Status can be assigned to alerts in bulk within the UI.
 
Any alerts logged as a result of a Threat Prevention policy will have a status of “Auto Resolved.” 
 
Other UI changes - With all these new alert properties, a number of other areas of the UI were updated to take advantage of them:
  • New detections dashboard
  • New Computer view
  • Action settings
  • Data retention settings
 
A more detailed description of each of these changes can be found in our blog post.
 
Next steps
Any Jamf Protect plans you have deployed with the “Enable AutoUpdate” checkbox selected will have the latest agent deployed to them automatically when it is released. For any other plans, please update the deployments in the Jamf Protect console and push them to devices using Jamf Pro when you are ready.
 
For additional details about this release, see the Jamf Protect Release Notes.
 

Watch and subscribe to this post for future updates when new features or fixes are released for Jamf Protect.


matthiasW
New Contributor II

Jamf Protect User Roles and Email Notifications are now available!
Today we released new functionality to the Jamf Protect portal:

User Roles and Groups - You can now assign Jamf Protect users specific permissions based on user roles and groups. User roles can be assigned directly in the Jamf Protect web app or by mapping groups from your cloud identity provider (IdP). To configure roles and groups for users, go to the Accounts page.
Email Notifications for Alerts - You can now configure Jamf Protect to send email notifications to select users when new alerts are raised.

More insights into these features can be found on our blog.

For additional details about this release, see the Jamf Protect Release Notes.

matthiasW
New Contributor II

A new Jamf Protect agent was released today

This agent fixes customer-reported issues and reduces false positives for certain analytics.

Updated analytics:
- Reduced false positive alerts from the SuspiciousChromeActivity analytic.

Fixes:
- The Login Window Banner insight correctly reports when a PolicyBanner file contains non-ASCII characters, such as embedded images.
- The Sudo Timeout Reduced insight now correctly validates when a timeout value is entered with quotes.
- On M1-based devices, USB events are now consistently tracked.

For additional details about this release, see the Jamf Protect Release Notes.

matthiasW
New Contributor II
Today (August 30, 2021) is the day we release the Jamf Protect agent version 2.0. On computers with macOS 10.15 or later it will now attempt to run as a System Extension by default and only fall back to running as a Launch Daemon if necessary. Running as a System Extension gives us two big advantages:
  • Apple’s model to allow for security monitoring, prevention and remediation actions assumes that System Extensions are used. By aligning with this deployment model we ensure that Jamf Protect is always capable of taking advantage of the latest enhancements and releases of macOS.
  • System Extensions are protected by SIP. As a result it becomes harder for an attacker to tamper with Jamf Protect.
 
With this shift in how the Jamf Protect agent is deployed, users now see a Jamf Protect app in their Applications folder (Jamf Protect.app). We strongly urge all of our customers to run Jamf Protect as a System Extension. Future capabilities or features in Jamf Protect may rely on the agent running as a System Extension.
 
Those of you that already have worked to deploy other System Extensions know that they do introduce some new requirements during deployment:
  • To run the Jamf Protect agent as a System Extension, the agent has to be deployed with a PPPC payload. 
  • In Jamf Pro 10.31, you should make sure the PPPC payload is enabled for Jamf Protect in Settings→Security. This will automatically result in Jamf Protect launching as a System Extension when this agent release is deployed to a device.
  • If you are running an older version of Jamf Pro (10.30 or earlier) or are deploying Jamf Protect without Jamf Pro, the Jamf Protect agent will continue to run as a Launch Daemon by default. A Profile is available for download within the Jamf Protect console for manual deployment that includes the PPPC payload. If you deploy it to your devices, the Jamf Protect agent will launch as a System Extension when this agent release is installed.
 

matthiasW
New Contributor II
We released a new Jamf Protect agent today (9/13/2021 - version 2.0.1.343) to address some customer-reported issues. This release:
  • Fixed an issue that caused the Jamf Protect agent to report the install type as a daemon, even for system extension installations.
  • Added a mitigation for incorrectly defined PPPC configuration profile payloads, which had the potential to result in Jamf Protect running as a launch daemon instead of a system extension.
  • Fixed an issue that caused a memory leak in the Jamf Protect agent processes.

Alyoung
New Contributor III

Should this be updated that 2.0.1.343 released 09/13 and not 10/13?

Jamf Protect now running version 3.0.0.366 as of 10/11

matthiasW
New Contributor II

Fixed! Thank you.