Threat Prevention Categories Reference
- Last updated: Oct 16, 2025
- 9 minute read
The following tables outline the threat categories covered by threat prevention policies.
| Threat Category | Threat Subcategory | Severity (default) | Supported Platforms | Threat Description |
|---|---|---|---|---|
| Phishing | | 5 | | A site designed to deceive the end user into submitting sensitive personal or corporate information through a seemingly trusted web form |
| Data leaks | App data leak: credit card | 4 | | An app-based communication that includes a credit card number in an unencrypted (or easily decrypted) format |
| Data leaks | Web data leak: credit card | 4 | | A browser-based communication that includes a credit card number in an unencrypted (or easily decrypted) format |
| Data leaks | App data leak: password | 3 | | An app-based communication that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise |
| Data leaks | Web data leak: password | 3 | | A browser-based communication to a network service that includes a password in an unencrypted (or easily decrypted) format, significantly increasing the risk of compromise |
| Data leaks | App data leak: email | 2 | | An app-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format |
| Data leaks | App data leak: location | 2 | | An app-based communication that includes the device's physical geolocation in an unencrypted (or easily decrypted) format |
| Data leaks | App data leak: user identity | 2 | | An app-based communication that includes an identifiable service username in an unencrypted (or easily decrypted) format |
| Data leaks | Web data leak: email | 2 | | A browser-based communication transmitted across the Internet that includes an email address in an unencrypted (or easily decrypted) format |
| Data leaks | Web data leak: location | 2 | | A browser-based communication that includes the device's physical geolocation in an unencrypted (or easily decrypted) format |
| Data leaks | Web data leak: user identity | 2 | | A browser-based communication that includes an identifiable username for access to a service in an unencrypted (or easily decrypted) format |
| Malware network traffic | | 4 | | Network access from an app to a web service that is known to demonstrate malicious behavior. This can include downloading unauthorized software to a device, disrupting normal operation or gathering sensitive information. |
| Cryptojacking | | 3 | | A site designed to secretly hijack the target's device to mine cryptocurrencies |
| Spam | | 3 | | Irrelevant or unsolicited content that is disseminated for the purposes of advertising, phishing or spreading malware |
| Third-party app store traffic | | 2 | | A connection was made to a third-party app store. These stores often contain apps that may pose security risks. |
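The data-leak subcategories above all describe the same observable: a sensitive value travelling in a request that is not protected by TLS. As an added illustration (example code written for this page, not Jamf Security Cloud's detection logic), the following script scans one captured form-encoded request and reports findings using the subcategory names and default severities from the table. The field names, regular expressions, capture format and sample requests are assumptions constructed for the example; the Luhn check is the standard filter used to separate card numbers from other digit runs.

```python
"""Plaintext data-leak scanner for captured HTTP requests.

Added example for this page, not Jamf Security Cloud code. It applies the
"Data leaks" subcategories and their default severities from the table above
to a single unencrypted request. The field names, regular expressions,
request format and sample requests are assumptions constructed for the example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Default severities taken from the reference table above.
SEVERITY = {"credit card": 4, "password": 3, "email": 2,
            "location": 2, "user identity": 2}

# Assumed field names and patterns (not from the page).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")   # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd"}
USERNAME_FIELDS = {"username", "user", "login"}
LATITUDE_FIELDS = {"lat", "latitude"}
LONGITUDE_FIELDS = {"lon", "lng", "longitude"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the BIN and last four digits in the evidence field."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_request(url: str, body: str, origin: str = "app") -> list:
    """Return data-leak findings for one captured form-encoded request.

    origin is "app" or "web", mirroring the page's app/web subcategory split.
    Only http:// requests are inspected; a TLS-protected body is not a leak
    in the sense of this category.
    """
    if urlsplit(url).scheme != "http":
        return []
    fields = {k.lower(): v for k, v in parse_qs(body).items()}
    # Scan both the raw body and the URL-decoded field values so that an
    # encoded '@' (%40) or separator does not hide a match.
    haystack = " ".join([body] + [v for vals in fields.values() for v in vals])
    findings = []

    def add(kind: str, evidence: str) -> None:
        findings.append({"subcategory": f"{origin.capitalize()} data leak: {kind}",
                         "severity": SEVERITY[kind], "evidence": evidence})

    seen_cards = set()
    for m in CARD_RE.finditer(haystack):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and digits not in seen_cards:
            seen_cards.add(digits)
            add("credit card", mask_pan(digits))
    for name in sorted(PASSWORD_FIELDS.intersection(fields)):
        add("password", f"field '{name}' sent in clear")
    for email in sorted(set(EMAIL_RE.findall(haystack))):
        add("email", email)
    if LATITUDE_FIELDS.intersection(fields) and LONGITUDE_FIELDS.intersection(fields):
        add("location", "latitude/longitude fields present")
    for name in sorted(USERNAME_FIELDS.intersection(fields)):
        add("user identity", f"field '{name}' present")
    return findings


# Constructed sample captures (not real traffic).
SAMPLE_APP = ("http://api.example.test/checkout",
              "card=4111111111111111&exp=1229&email=alice%40example.com")
SAMPLE_WEB = ("http://portal.example.test/login",
              "username=bob&password=hunter2&lat=51.5&lon=-0.12")

if __name__ == "__main__":
    for url, body in (SAMPLE_APP, SAMPLE_WEB):
        for f in scan_request(url, body, "app" if "api." in url else "web"):
            print(f"{f['severity']}  {f['subcategory']:<28} {f['evidence']}")
```

The scanner deliberately returns nothing for an `https://` request: the category is about clear-text exposure, and a DLP rule that fired on encrypted traffic would only produce noise. Card evidence is masked before it is stored, so the detection record itself does not become a second copy of the leaked value.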
| Threat Category | Threat Subcategory | Severity (default) | Supported Platforms | Threat Description |
|---|---|---|---|---|
| Malware | Adware | 5 | | Malware that aggressively displays ads, negatively affecting user productivity and device performance |
| Malware | Banker | 5 | | Malware that steals bank credentials |
| Malware | Generic malware | 5 | | A malicious application that demonstrates harmful behavior and disrupts the device |
| Malware | Ransomware | 5 | | Malware that blocks access to a device until a ransom is paid |
| Malware | Rooting | 5 | | Malware that attempts to obtain escalated system privileges |
| Malware | SMS | 5 | | Malware that causes SMS-related charges |
| Malware | Spyware | 5 | | Malware that monitors and collects information about a user and the device |
| Malware | Trojan | 5 | | Malware that obtains unauthorized access to your device |
| Malware | Potentially unwanted application | 4 | | A potentially unwanted application that can cause harm to your device |
| Device admin app installed | | 3 | | Unauthorized apps with device admin privileges pose a security risk in an organization |
| Sideloaded app installed | | 3 | | Apps that are not installed through official channels, such as official app stores or a UEM service, are unlikely to have gone through the rigorous quality checks expected of an app store release and may be poorly written or malicious. |
| Third-party app stores installed | | 2 | | Third-party application stores are applications that can download and install other applications. They might distribute malicious applications because those apps are not diligently tested against malicious behavior. |
| Vulnerable app installed | | 2 | | An application that has a critical vulnerability identified by the CVE system. You can find these details in Jamf Security Cloud by navigating to , Device view, or Vulnerability management, and then viewing the details of individual security events. Vulnerable applications should be updated or removed immediately. |
The app must be running to detect the attack.
| Threat Category | Threat Subcategory | Severity (default) | Supported Platforms | Threat Description |
|---|---|---|---|---|
| Dangerous certificate | | 5 | | A suspicious third-party root certificate that could compromise the authenticity of trusted SSL connections by enabling the stealthy interception of encrypted communications |
| Adversary-in-the-Middle (formerly Man-in-the-Middle) | Adversary-in-the-Middle (compromised trust store) | 5 | | The device has been manipulated to fully trust unauthorized third-party certificates. |
| Adversary-in-the-Middle | Adversary-in-the-Middle (SSL strip) | 5 | | An intermediate server is using advanced techniques to pose as a genuine service. |
| Adversary-in-the-Middle | Adversary-in-the-Middle (targeted certificate spoof) | 4 | | An intermediate server is actively attempting to pose as a genuine service. |
| Risky hotspots | | 3 | | SSL interception is taking place, but using an untrusted certificate (common for paid hotspots). |
| Threat Category | Severity (default) | Supported Platforms | Threat Description |
|---|---|---|---|
| Jailbreak | 5 | | A modified build of an operating system (OS) that has removed original manufacturer limitations, leaving the device and its data more vulnerable to attack |
| Vulnerable OS (major) | 4 | | An operating system (OS) that has an exploitable critical vulnerability identified by the CVE system. Jamf recommends that you investigate these CVEs and upgrade to a more recent OS version if possible. You can find these details in Jamf Security Cloud by navigating to , Device view, or Vulnerability management and then viewing the details of individual security events. Major vulnerabilities should be resolved immediately. |
| App inactivity | 3 | | Jamf Trust has been inactive on the device for a specified amount of time. |
| Device encryption disabled | 3 | | On Android devices, if device encryption is disabled, the device can become susceptible to data exfiltration attacks. |
| Lock screen disabled | 3 | | Once the lock screen is disabled, including disabling Touch ID or Face ID, the device encryption is rendered useless against physical attacks. |
| Risky iOS profile | 3 | iOS, iPadOS and visionOS | Device configurations that may put corporate and personal data at risk |
| Vulnerable OS (minor) | 3 | | An operating system (OS) that has a critical vulnerability identified by the CVE system. Jamf recommends that you investigate these CVEs and upgrade to a more recent OS version if possible. You can find these details in Jamf Security Cloud by navigating to , Device view, or Vulnerability management and then viewing the details of individual security events. Even if minor vulnerabilities are not exploitable, they should still be considered risky. |
| Android security patches missing | 2 | | Devices missing security patches for more than 3 months become vulnerable. |
| Out-of-date OS | 2 | | An older version of an OS (operating system) that does not contain the latest features and bug fixes |
| Unrecognized sources enabled | 2 | | Applications installed from unknown sources do not pass the rigorous security tests performed by official app marketplaces. |
| USB app verification disabled | 2 | | Apps installed through USB are not checked for harmful behavior. |
| User password disabled | 2 | macOS | A device without a password set compromises the physical security of the device and/or data, as anyone with physical access can log in. |
| Developer mode enabled | 1 | | Once developer mode is enabled, side-loading from unknown sources, USB debugging and other configurations that can lead to security risks can be enabled. |
| USB debugging enabled | 1 | | Lower-level access to the Android device through the USB channel can pose a security risk. |
The App Inactivity threat category indicates when the Jamf Trust app is inactive on a device, thus posing a potential risk. An application is considered inactive if Jamf has not received an application status from a user for a specified amount of time, or if the application was never activated at all. You can enable this feature and use it in combination with conditional access policies to encourage your users to fully enroll into Jamf.
A device may have an inactive app for various reasons, but is often due to users not completing the activation process. It is also possible that some users have activated the app, but have later removed it. Notifying or restricting users without an active app on their devices helps you ensure that devices are adequately protected.
- Active—Threat occurrences are reported in the or Device View, and notifications (if set up) are sent.
- Log-Only—Threat occurrences are only visible in the Event Log, and are not reported on the Threat View or Device View. Users and admins are not notified.
While all other threat categories are active by default and can be changed, the App Inactivity threat category is in Log-Only mode by default.
To view the App Inactivity threat category in Jamf Security Cloud, select , then scroll down to the Device list.
The severity of a threat affects the Device Risk Level. If you enable the App inactivity threat category, the threat will affect device risk posture and reporting. Select the Settings icon to adjust the threshold for when a device should be considered inactive. If the threshold is set to 7 days, the default setting, the risk level and any UEM conditional access policies will be applied to devices that have not sent a status update to Jamf for 7 days.
If your method of device enrollment allows, you can encourage your users to complete the app activation process by selecting Alert User.
Conditional Access Policy
To enforce the activation of the Jamf Trust app, you can set a UEM conditional access policy so that users without an active app will not be able to access some of your company resources, such as emails or internal portals. This can be done by using the Signal UEM column for most UEM solutions, or by letting the threat affect the Risk Level for Microsoft Intune.
For more information, see Configuring Signal UEM Using Jamf Security Cloud.
The Out-Of-Date OS threat category feature detects whether the OS of the device needs to be updated. Keeping devices up to date with the latest OS as promptly as possible can help minimize the impact of security vulnerabilities.
With this threat category, you can configure how frequently administrators receive summary email notifications, and also trigger a notification for end users to receive, informing them that they need to upgrade their device to the latest OS version.
With this threat category, you can configure:
- Admin summary email notifications
- Out-of-Date OS end-user notifications
To configure Out-Of-Date OS threat detection in Jamf Security Cloud, select , then scroll down to the Device list.
Admin Summary Email Notifications
These email notifications are a summary of threats across the organization's devices, and aggregate the threat data to provide a comprehensive overview of the exposure to a certain risk.
The summary email notifications are sent once for each defined period, so admins do not receive an excessive number of emails.
The content of the summary email notifications is set by Jamf and so cannot be customized by admins.
An OS upgrade should only be triggered if a newer version is available for the device model, on the same carrier, and for the same territory.
After you have enabled the Admin Summary for a threat category, you can set the frequency for the notifications.
Out-of-Date OS End User Notification
You can trigger an in-app notification for end users to receive when their OS version is out of date. This informs them that they need to upgrade to the latest OS version for their device by specifying the number of days after a new version has been released.
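The App Inactivity and Out-of-Date OS sections above, together with the Android security patches row of the device table, all describe the same kind of rule: a date on the device record compared against a configurable threshold. As an added illustration (example code written for this page, not Jamf Security Cloud's evaluation logic), the following script applies those three rules to constructed device records and derives a risk level from the default severities in the table. The record layout, the catalogue of latest OS versions (keyed per model, carrier and territory, as the page requires), the reading of "3 months" as 90 days, the 14-day default for the Out-of-Date OS grace period and the "highest severity wins" risk rule are all assumptions.

```python
"""Device-posture check for the time-based categories in the reference.

Added example for this page, not Jamf Security Cloud code. It evaluates a
device record against App inactivity (default threshold 7 days), Android
security patches missing (older than 3 months) and Out-of-date OS (a newer
version for the same model, carrier and territory has been available for
more than a configurable number of days). The record layout, the reading of
"3 months" as 90 days, the catalogue of latest OS versions, the sample
devices and the "highest severity wins" risk rule are all assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Default severities from the reference table above.
SEVERITY = {"App inactivity": 3,
            "Android security patches missing": 2,
            "Out-of-date OS": 2}


@dataclass
class Device:
    name: str
    platform: str                    # "android", "ios" or "macos"
    model: str
    carrier: str
    territory: str
    os_version: str                  # dotted version string, e.g. "18.0"
    last_status: Optional[date]      # last status update received from the app; None = never activated
    security_patch: Optional[date]   # Android security patch level; None on other platforms


# Constructed catalogue (assumption): latest OS version and its release date,
# keyed per model, carrier and territory as the page requires.
LATEST_OS = {
    ("pixel-7", "carrier-a", "uk"): ("15", date(2025, 9, 3)),
    ("iphone-15", "carrier-a", "uk"): ("18.1", date(2025, 10, 1)),
}


def version_tuple(version: str) -> tuple:
    """'18.0' -> (18, 0) so that versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: Device, today: date, inactivity_days: int = 7,
             patch_max_days: int = 90, os_grace_days: int = 14) -> list:
    """Return the names of the threat categories raised for this device."""
    threats = []

    # App inactivity: never activated, or no status update for the threshold period.
    if device.last_status is None or (today - device.last_status).days >= inactivity_days:
        threats.append("App inactivity")

    # Android security patches missing: patch level older than the maximum age.
    if (device.platform == "android" and device.security_patch is not None
            and (today - device.security_patch).days > patch_max_days):
        threats.append("Android security patches missing")

    # Out-of-date OS: a newer version exists for this model/carrier/territory
    # and has been available for longer than the grace period.
    latest = LATEST_OS.get((device.model, device.carrier, device.territory))
    if latest is not None:
        latest_version, released = latest
        if (version_tuple(device.os_version) < version_tuple(latest_version)
                and (today - released).days > os_grace_days):
            threats.append("Out-of-date OS")
    return threats


def risk_level(threats: list) -> int:
    """Assumed rule: the device risk level is the highest severity among its threats."""
    return max((SEVERITY[t] for t in threats), default=0)


# Constructed sample devices and evaluation date.
TODAY = date(2025, 10, 16)
DEVICES = [
    Device("android-1", "android", "pixel-7", "carrier-a", "uk", "14",
           last_status=date(2025, 10, 1), security_patch=date(2025, 5, 1)),
    Device("iphone-1", "ios", "iphone-15", "carrier-a", "uk", "18.1",
           last_status=date(2025, 10, 14), security_patch=None),
    Device("iphone-2", "ios", "iphone-15", "carrier-a", "uk", "18.0",
           last_status=date(2025, 10, 12), security_patch=None),
]

if __name__ == "__main__":
    for d in DEVICES:
        t = evaluate(d, TODAY)
        print(f"{d.name}: risk {risk_level(t)} {t}")
```

Keying the catalogue by model, carrier and territory is what keeps the Out-of-Date OS rule from nagging users whose carrier has not yet shipped the new build; comparing versions as integer tuples avoids the string-comparison trap where "18.10" sorts before "18.9".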
SSL Strip is a sophisticated type of Adversary-in-the-Middle (formerly Man-in-the-Middle) attack that forces a victim's browser into communicating with an adversary in plain text over HTTP. This allows the attacker to intercept all unencrypted traffic, steal sensitive information, and manipulate communication between the two parties.
As part of SSL Strip detection, you can configure custom settings for this type of threat. These threats are reported under the Adversary-in-the-Middle threat category in the Threat View and Device View pages.
Configure SSL Strip in Jamf Security Cloud on the page.
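The downgrade described above leaves two traces that a client-side monitor can see: an HTTPS request that is answered with a redirect to plaintext HTTP on the same host, and plaintext HTTP traffic (or `http://` links and form actions) involving a host that is known to require HTTPS. As an added illustration (example code written for this page, not Jamf Security Cloud's SSL Strip detection or its configuration), the following script walks a captured browsing session and reports those indicators with the default severity from the Adversary-in-the-Middle table. The exchange format, the known-HTTPS host list (a constructed stand-in for an HSTS preload list) and the sample sessions are assumptions.

```python
"""SSL Strip indicators in a captured browsing session.

Added example for this page, not Jamf Security Cloud detection logic or
configuration. It walks a session of HTTP exchanges and reports the two
observable traces of the downgrade: an HTTPS request answered with a redirect
to plaintext HTTP on the same host, and plaintext HTTP traffic (or rewritten
http:// links) involving hosts known to require HTTPS. The exchange format,
the known-HTTPS host list (standing in for an HSTS preload list) and the
sample sessions are assumptions.
"""
import re
from urllib.parse import urlsplit

SSL_STRIP_SEVERITY = 5   # default severity from the Adversary-in-the-Middle table

# Constructed stand-in for an HSTS preload list (assumption).
KNOWN_HTTPS_HOSTS = {"bank.example.test", "mail.example.test"}

# Absolute links and form actions in an HTML body.
LINK_RE = re.compile(r"""(?:href|action)=["'](https?://[^"']+)["']""", re.I)


def detect_ssl_strip(exchanges: list) -> list:
    """Return findings for a session; each exchange is {"url", "status", "headers", "body"}."""
    known = set(KNOWN_HTTPS_HOSTS)
    findings = []

    def add(url: str, reason: str) -> None:
        findings.append({"url": url, "severity": SSL_STRIP_SEVERITY, "reason": reason})

    for ex in exchanges:
        parts = urlsplit(ex["url"])
        host = parts.hostname
        headers = {k.lower(): v for k, v in ex.get("headers", {}).items()}

        if parts.scheme == "https":
            # A host seen over HTTPS is expected to stay on HTTPS for the rest of the session.
            known.add(host)
            location = headers.get("location", "")
            if location.startswith("http://") and urlsplit(location).hostname == host:
                add(ex["url"], "HTTPS request redirected to plaintext HTTP on the same host")
            continue

        if parts.scheme != "http":
            continue
        if host in known:
            add(ex["url"], "plaintext HTTP exchange with a host known to require HTTPS")
        downgraded = [link for link in LINK_RE.findall(ex.get("body", ""))
                      if link.startswith("http://") and urlsplit(link).hostname in known]
        if downgraded:
            add(ex["url"], f"{len(downgraded)} link(s)/form action(s) to HTTPS hosts rewritten to http://")
    return findings


# Constructed sample sessions (not real traffic).
STRIPPED_SESSION = [
    {"url": "https://bank.example.test/", "status": 301,
     "headers": {"Location": "http://bank.example.test/"}, "body": ""},
    {"url": "http://bank.example.test/", "status": 200, "headers": {},
     "body": '<form action="http://bank.example.test/login"><a href="http://bank.example.test/help">'},
    {"url": "http://news.example.test/", "status": 200, "headers": {},
     "body": '<a href="http://news.example.test/story">'},
]
CLEAN_SESSION = [
    {"url": "https://mail.example.test/", "status": 302,
     "headers": {"Location": "https://mail.example.test/inbox"}, "body": ""},
    {"url": "http://news.example.test/", "status": 200, "headers": {},
     "body": '<a href="https://mail.example.test/">'},
]

if __name__ == "__main__":
    for name, session in (("stripped", STRIPPED_SESSION), ("clean", CLEAN_SESSION)):
        print(name)
        for f in detect_ssl_strip(session):
            print(f"  [{f['severity']}] {f['url']}: {f['reason']}")
```

A plain-HTTP site that was never seen over HTTPS (the `news.example.test` exchanges above) produces no finding, which is the distinction that keeps this rule from flagging every unencrypted page as an attack; the signal is a host whose HTTPS requirement the session already knows being served, or linked to, in clear text.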