If you’re running Jamf Protect, you’re already blocking threats across your Mac fleet. But do you truly understand what’s happening in your environment? That’s exactly the gap that Jamf Protect Telemetry is designed to fill.
In this post, I’ll walk you through what Telemetry is, what it can do for your organization, and how to get started.
Topics
- What Is Jamf Protect Telemetry?
- What Can Telemetry Do for Your Organization?
- Getting Started
- Understanding Event Categories
- Smart Data Management: Why You Won’t Drown in Data
- Bringing It All Together
What Is Jamf Protect Telemetry?
Think of Telemetry as a sophisticated security camera system, but for digital events. Rather than simply blocking threats, Telemetry gives you deep, continuous visibility into your Mac environment by capturing:
- What applications are running
- What processes are executing
- How users and systems are behaving
- Potential security incidents before they escalate
The key mindset shift here is from reactive to proactive. You’re not just protecting against threats; you’re gaining real intelligence about your entire environment.
What Can Telemetry Do for Your Organization?
Threat Hunting & Incident Investigation
When something suspicious occurs, Telemetry gives you the forensic data you need to act. You can trace the origin of a security incident, understand its full scope, and answer critical questions like “What else did this user access?” or “Where did this malware come from?”
Compliance & Governance
Many industries require demonstrable proof of security monitoring and audit trails. Telemetry helps you meet requirements for frameworks like SOC 2, HIPAA, and GDPR by maintaining detailed audit logs, proving due diligence, and satisfying data retention obligations.
Operational Intelligence
Beyond security, Telemetry surfaces valuable operational insights: application usage patterns, system performance data, shadow IT discovery, and user behavior trends that directly inform IT decisions.
Faster Incident Response
When an alert fires, the right context makes all the difference. Telemetry helps you quickly determine whether an alert is a real threat or a false positive, understand the timeline of events, and reduce your Mean Time to Resolution (MTTR).
Getting Started
The setup process is straightforward and follows these steps:
- Enable your SIEM integration within Jamf Protect
- Set up Jamf Protect (add-on or forwarding) with your SIEM
- Create a Telemetry configuration and assign the event categories and log files to monitor
- Assign the configuration to one or more plans and deploy to target computers
- Review collected data in your SIEM and identify what’s useful vs. excessive
- Implement exception sets where needed to reduce noise
Full documentation is available at https://learn.jamf.com/en-US/bundle/jamf-protect-documentation/page/Getting_Started_with_Telemetry.html.
Supported SIEM Integrations
Telemetry supports both direct integrations and data forwarding:
- Direct integration: Datadog, Elastic, Google SecOps, Splunk, Sumo Logic. In most cases this integration is set up through a Jamf Protect add-on, and logs are sent directly from the endpoints to the SIEM.
- Data forwarding: Microsoft Sentinel, or an AWS S3 bucket for SIEMs that are not directly supported. Logs are forwarded from Jamf Protect to Microsoft Sentinel or to the S3 bucket.
Understanding Event Categories
Telemetry organizes data into eight logical categories, each covering a different layer of your environment:
| Category | What It Captures |
|---|---|
| Process Execution | Every time a program runs |
| Network Activity | Connections made by applications |
| File System Events | File creation, modification, deletion |
| Authentication Events | Login attempts, privilege escalation |
| USB & Removable Media | External device connections |
| Application Events | Software installation and updates |
| Kernel Extensions | Low-level system modifications |
| Script Execution | Shell scripts, Python, JavaScript, etc. |
Why Each Category Matters
Each category addresses a specific security or compliance concern:
- Process Execution: Detects malicious executables and unauthorized software
- Network Activity: Identifies data exfiltration and C2 communications
- File System Events: Tracks ransomware behavior and unauthorized data access
- Authentication Events: Monitors for credential abuse and compromised accounts
- USB & Removable Media: Prevents data theft and enforces device policies
- Application Events: Maintains software inventory and detects shadow IT
- Kernel Extensions: Identifies potentially malicious system changes
- Script Execution: Catches malicious scripts commonly used in attacks
Choosing the Right Categories for Your Organization
Not every organization needs everything from day one. Here’s a practical starting framework:
- Security-focused: Process Execution, Network Activity, Authentication Events
- Compliance-driven: File System Events, Authentication Events, Application Events
- High security environments: All categories for full visibility
- Resource-conscious deployments: Start with Process Execution and Authentication Events, then expand
Smart Data Management: Why You Won’t Drown in Data
One of the most common concerns about telemetry-style solutions is data volume. Jamf Protect addresses this directly through intelligent Event Summarization.
How It Works
When Jamf Protect detects materially similar, repetitive events (like an application checking for updates every five minutes), it groups them rather than storing each instance individually. Instead of 100 identical entries, it records: “This event occurred 100 times between 9:00 AM and 10:00 AM.”
Unique or suspicious events are always captured in full detail, with no summarization and no compromise on security value.
What Gets Summarized
- Routine, repetitive system operations
- Regular application behavior
- Frequent, benign network connections
- Predictable file system operations
What Never Gets Summarized
- Security alerts and threats
- Unusual or anomalous behavior
- First-time events (new processes, new connections)
- Events matching threat detection rules
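To make the summarization rules above concrete, here is an added illustration of the idea (my own example code, not Jamf’s implementation; the real grouping criteria and record formats are not described on this page). It assumes that two events are “materially similar” when their category, process and detail match, and it applies the two rules just listed: first-time events and events matching a detection rule are always kept in full, while repeats collapse into one counted record with a time window. The sample events are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    category: str               # e.g. "Network Activity", "Process Execution"
    process: str                # responsible process name
    detail: str                 # e.g. destination host or executed path
    matched_rule: bool = False  # True when a threat detection rule fired


Key = Tuple[str, str, str]


def similarity_key(ev: Event) -> Key:
    """Assumed definition of 'materially similar': same category, process and detail."""
    return (ev.category, ev.process, ev.detail)


def _full_record(ev: Event, reason: str) -> dict:
    return {"type": "full", "timestamp": ev.timestamp, "category": ev.category,
            "process": ev.process, "detail": ev.detail, "reason": reason}


def summarize(events: List[Event]) -> List[dict]:
    """Return full records for rule matches and first-seen events, plus one
    summary record per similarity key that occurred more than once."""
    full: List[dict] = []
    buckets: Dict[Key, dict] = {}
    seen: set = set()
    for ev in sorted(events, key=lambda e: e.timestamp):
        key = similarity_key(ev)
        if ev.matched_rule:
            # Rule matches are never summarized, however often they repeat.
            full.append(_full_record(ev, "matched detection rule"))
            continue
        if key not in seen:
            # First occurrence of a new process/connection is kept in full detail.
            seen.add(key)
            full.append(_full_record(ev, "first-time event"))
        b = buckets.setdefault(key, {"count": 0, "first": ev.timestamp, "last": ev.timestamp})
        b["count"] += 1
        b["last"] = ev.timestamp
    summaries = []
    for (category, process, detail), b in buckets.items():
        if b["count"] < 2:
            continue  # a one-off is already present as a full record
        summaries.append({"type": "summary", "category": category, "process": process,
                          "detail": detail, "count": b["count"],
                          "first": b["first"], "last": b["last"]})
    return full + summaries


def describe(rec: dict) -> str:
    """Human-readable line in the spirit of 'occurred N times between X and Y'."""
    if rec["type"] == "summary":
        return (f"{rec['category']} by {rec['process']} ({rec['detail']}) occurred "
                f"{rec['count']} times between {rec['first']:%H:%M} and {rec['last']:%H:%M}")
    return f"{rec['timestamp']:%H:%M} {rec['category']} by {rec['process']} ({rec['detail']}) [{rec['reason']}]"


def sample_events() -> List[Event]:
    """Constructed sample telemetry, not real data."""
    base = datetime(2024, 1, 15, 9, 0)
    # An updater checking in every five minutes for an hour (12 similar events).
    evs = [Event(base + timedelta(minutes=5 * i), "Network Activity", "Updater",
                 "updates.example.com:443") for i in range(12)]
    # A one-off process launch: kept in full, never summarized.
    evs.append(Event(base + timedelta(minutes=7), "Process Execution", "Terminal", "/usr/bin/zip"))
    # A repeated script execution that matched a detection rule: every instance kept.
    for i in range(3):
        evs.append(Event(base + timedelta(minutes=20 + i), "Script Execution", "bash",
                         "/Users/Shared/setup.sh", matched_rule=True))
    return evs


if __name__ == "__main__":
    for record in summarize(sample_events()):
        print(describe(record))
```

Running the script prints five full records (one first-time updater check, the one-off zip launch, and all three rule matches) followed by a single summary line for the twelve updater checks; 16 raw events become 6 stored records while nothing security-relevant is dropped.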
The Business Impact
This intelligent approach delivers real, measurable benefits:
- 60-80% reduction in data volume, meaning lower storage costs
- Faster search and analysis with less noise to filter through
- Complete security visibility with no threats missed
- Scalable deployment across thousands of endpoints, efficiently managed
- Better signal-to-noise ratio so real threats are easier to spot
Bringing It All Together
Telemetry gives you eyes and ears across your entire Mac fleet. It’s not just about blocking threats. It’s about understanding your environment, meeting compliance requirements, and making informed security decisions.
The value proposition is straightforward: proactive threat hunting, thorough incident investigation, auditor-ready compliance evidence, and operational intelligence, all while keeping data volumes manageable through intelligent summarization.
Getting started doesn’t have to mean going all-in from day one. Start with a focused deployment, pick the event categories that match your priorities, roll out to a pilot group, and scale as you see value.
Have questions about Jamf Protect Telemetry or want to discuss implementation? Feel free to reach out.