Jamf Protect integration
You can integrate Jamf Protect with Sophos Central so that it sends alerts to Sophos for analysis.
This page gives you an overview of the integration.
Jamf Protect product overview
Jamf Protect is an endpoint security tool designed to enhance and safeguard Apple device environments. It provides real-time threat detection, incident response, and security compliance tailored specifically for macOS systems.
What we ingest
Sample alerts seen by Sophos:
- Reverse shell creation attempted
- A process deleted its own binary
- LaunchAgent created for persistence
- Application used deprecated elevation API
- Process sent synthetic click to system
Alerts ingested in full
We send a GraphQL query to the endpoint for your organisation:
https://<organisation-name>.protect.jamfcloud.com/graphql
Filtering
We filter only to confirm that the data returned is in the correct format; no alerts are dropped based on their content.
Sample threat mappings
{"alertType": "A process deleted its own binary", "threatId": "T1070.004", "threatName": "Indicator Removal on Host: File Deletion"}
{"alertType": "LaunchDaemon created for persistence", "threatId": "T1543.004", "threatName": "Create or Modify System Process: Launch Daemon"}
{"alertType": "Gatekeeper blocked execution of application", "threatId": "TA0002", "threatName": "Execution"}
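The following Python example, added here to illustrate the "Alerts ingested in full", "Filtering" and "Sample threat mappings" sections, shows how the ingestion path described above fits together: build the per-tenant endpoint URL given on this page, check that each returned alert record has the expected shape (the only filtering the page describes), and attach the MITRE ATT&CK mapping for the alert types listed in the sample mappings. It is not Sophos's or Jamf's code. The alert field names (uuid, created, severity, alertType, hostname) and the listAlerts response envelope are assumptions made for the example, not Jamf Protect's published GraphQL schema, and the sample response is constructed.

```python
"""Added illustration of Jamf Protect alert validation and threat mapping.
Field names and response envelope are assumptions, not Jamf's documented schema."""
import json
from typing import Any, Optional

# Alert type -> (ATT&CK id, ATT&CK name), taken from the sample mappings on this page.
THREAT_MAPPINGS: dict[str, tuple[str, str]] = {
    "A process deleted its own binary": ("T1070.004", "Indicator Removal on Host: File Deletion"),
    "LaunchDaemon created for persistence": ("T1543.004", "Create or Modify System Process: Launch Daemon"),
    "Gatekeeper blocked execution of application": ("TA0002", "Execution"),
}

# Keys an alert record must carry and the type each must have. These names are
# hypothetical; a real integration follows Jamf's published schema instead.
REQUIRED_FIELDS: dict[str, type] = {
    "uuid": str,
    "created": str,
    "severity": int,
    "alertType": str,
    "hostname": str,
}


def graphql_endpoint(organisation_name: str) -> str:
    """Build the per-tenant GraphQL endpoint named on this page."""
    if not organisation_name or "/" in organisation_name or "." in organisation_name:
        raise ValueError("organisation name must be a single DNS label")
    return f"https://{organisation_name}.protect.jamfcloud.com/graphql"


def validate_alert(record: Any) -> Optional[str]:
    """Return None if the record has the expected shape, otherwise a reason string.

    Only the format is checked, never the content of the alert, matching the
    filtering described on this page.
    """
    if not isinstance(record, dict):
        return "record is not an object"
    for key, expected in REQUIRED_FIELDS.items():
        if key not in record:
            return f"missing field {key!r}"
        # bool is a subclass of int, so reject it explicitly for integer fields.
        if not isinstance(record[key], expected) or isinstance(record[key], bool):
            return f"field {key!r} has wrong type"
    return None


def map_alert(record: dict) -> dict:
    """Attach the ATT&CK mapping for known alert types; unknown types pass through unmapped."""
    mapped = dict(record)
    threat = THREAT_MAPPINGS.get(record["alertType"])
    if threat is not None:
        mapped["threatId"], mapped["threatName"] = threat
    return mapped


def process_response(body: str) -> tuple[list[dict], list[str]]:
    """Parse a GraphQL response body; return (accepted alerts, rejection reasons)."""
    data = json.loads(body)
    items = data.get("data", {}).get("listAlerts", {}).get("items", [])
    accepted: list[dict] = []
    rejected: list[str] = []
    for item in items:
        reason = validate_alert(item)
        if reason is None:
            accepted.append(map_alert(item))
        else:
            rejected.append(reason)
    return accepted, rejected


# Constructed sample response, not captured from a real tenant. The second alert
# has a type outside the sample mappings; the third has a malformed severity.
SAMPLE_RESPONSE = json.dumps({
    "data": {"listAlerts": {"items": [
        {"uuid": "00000000-0000-0000-0000-000000000001", "created": "2024-01-01T00:00:00Z",
         "severity": 2, "alertType": "A process deleted its own binary", "hostname": "mac-01"},
        {"uuid": "00000000-0000-0000-0000-000000000002", "created": "2024-01-01T00:00:05Z",
         "severity": 1, "alertType": "Process sent synthetic click to system", "hostname": "mac-02"},
        {"uuid": "00000000-0000-0000-0000-000000000003", "created": "2024-01-01T00:00:09Z",
         "severity": "high", "alertType": "Gatekeeper blocked execution of application", "hostname": "mac-03"},
    ]}}
})

if __name__ == "__main__":
    print("endpoint:", graphql_endpoint("example-org"))
    accepted_alerts, rejected_reasons = process_response(SAMPLE_RESPONSE)
    for alert in accepted_alerts:
        print(alert["alertType"], "->", alert.get("threatId", "unmapped"))
    print(f"{len(rejected_reasons)} record(s) rejected: {rejected_reasons}")
```

Alerts whose type has no entry in the mapping table are still accepted and forwarded, since the page states that filtering is limited to a format check; the mapping only enriches the alert where a match exists.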