Endpoint Threat Prevention with Jamf Protect
- Last Updated: Jan 30, 2025
Endpoint threat prevention monitors process execution to prevent known malware and threats on macOS. Endpoint threat prevention uses the Jamf Protect threat database to monitor computers for processes that match entries. When matches occur, Jamf Protect automatically blocks the matching process and quarantines the associated file.
The threat database is continuously updated by Jamf Threat Labs. For more information about updates, see the Jamf Protect Threat Prevention Changelog.
When Jamf Protect detects a process that matches the database, the following endpoint threat prevention measures occur:
- By default, the process is blocked.
- A prompt about the blocked process is displayed to end users.
- The associated file is assigned a unique event identifier and quarantined in the following location:
  Library/Application Support/JamfProtect/Quarantine/<EVENT_UUID>/<ITEM>
- An alert entry is created in the Alerts page in the Jamf Protect web app or reported to any remote collection endpoints, if configured.
You can use the Endpoint Threat Prevention Options setting in a plan to do any of the following in response to a database match:
- Block and report: Blocks and quarantines any process that matches the threat database. This is enabled by default for new plans.
- Report only: Disables process blocking and file quarantine, but reports database matches as an alert in the macOS Security portal.
- Disable: Disables all process blocking, file quarantines, and reporting in response to a threat database match.
The following are known limitations of endpoint threat prevention. Jamf Protect does not block these:
- DMG quarantine
- Primary zip detection, DMG detection, PKG detection, Safari plug-ins