Jamf Protect Commands

Neil Martin edited this page Apr 16, 2026 · 3 revisions

Jamf Protect commands live under the protect namespace. All Protect resources are referenced by name (not by ID). Protect resources use apply as an idempotent upsert — it creates the resource if it does not exist or updates it if it does. The export action produces clean JSON or YAML output suitable for round-tripping back through apply.

For shared CLI patterns (apply, scaffold, pagination, dry-run), see CLI Patterns.

jamf-cli protect <resource> <action> [flags]

Aliases

Command                          Alias
removable-storage-control-sets   rscs
unified-logging-filters          ulf
exception-sets                   es
analytic-sets                    as
action-configs                   ac
custom-prevent-lists             cpl
api-clients                      apic
config-freeze                    cf
computers                        comp
data-forwarding                  df
data-retention                   dr
audit-logs                       al
insights                         ins

jamf-cli protect rscs list       # same as: jamf-cli protect removable-storage-control-sets list
jamf-cli protect ulf list         # same as: jamf-cli protect unified-logging-filters list
jamf-cli protect es list          # same as: jamf-cli protect exception-sets list

Overview

The overview command fetches data from all Protect API endpoints in parallel and displays a consolidated summary of your Jamf Protect instance:

  • Endpoints — Computer count
  • Security Configuration — Plans, analytics, analytic sets, exception sets, action configs, telemetry configs, USB control sets, custom prevent lists, unified logging filters
  • Alerts — Alert counts by status (New, InProgress, Resolved, AutoResolved)
  • CIS Compliance — Fleet CIS compliance score (today's score from Insights)
  • Organization — Config freeze status, data forwarding destinations, identity connections
  • Access — Roles

jamf-cli protect overview              # table format
jamf-cli protect overview -o json      # JSON for scripting

Plans

Plans define the security configuration applied to groups of endpoints. Each plan ties together analytic sets, exception sets, action configs, telemetry settings, and USB control rules.

# List all plans
jamf-cli protect plans list

# Get a plan by name
jamf-cli protect plans get "Default Plan"

# Get full plan detail in JSON
jamf-cli protect plans get "Default Plan" -o json

# Export a plan (strips server-only fields, suitable for re-import)
jamf-cli protect plans export "Default Plan"

# Create or update a plan from a JSON file
jamf-cli protect plans apply --from-file plan.json

# Create or update from stdin (skip confirmation with --yes)
cat plan.json | jamf-cli protect plans apply --yes

# Delete a plan
jamf-cli protect plans delete "Test Plan" --yes

# Download the configuration profile (.mobileconfig) for a plan
jamf-cli protect plans config-profile "Default Plan"

# Download a signed profile, excluding the PPPC payload
jamf-cli protect plans config-profile "Default Plan" --sign --no-pppc

# Save the configuration profile to a specific path
jamf-cli protect plans config-profile "Default Plan" -O /tmp/protect.mobileconfig

config-profile flags

Flag                        Description
-O, --output                Output file path (default: <plan-name>.mobileconfig)
--sign                      Cryptographically sign the profile
--no-pppc                   Exclude Privacy Preferences (PPPC) payload
--no-token                  Exclude bootstrap token payload
--no-ca                     Exclude root CA certificate payload
--no-csr                    Exclude CSR certificate payload
--no-websocket              Exclude websocket authorizer key payload
--no-system-extension       Exclude system extension payload
--no-service-management     Exclude service management (login items) payload
--no-xpc                    Exclude XPC configuration from token
--no-keychain-client-id     Exclude keychain client ID from token

Computers (comp)

# List all computers enrolled in Jamf Protect
jamf-cli protect computers list

# List computers in table format
jamf-cli protect computers list -o table

# Get a computer by hostname or serial number
jamf-cli protect computers get "MacBook-Pro.local"
jamf-cli protect computers get "C02X1234ABCD"

# Get full computer detail in JSON
jamf-cli protect computers get "MacBook-Pro.local" -o json

# Delete a computer (removes enrollment record)
jamf-cli protect computers delete "MacBook-Pro.local" --yes

# Assign a plan to a computer
jamf-cli protect computers set-plan "MacBook-Pro.local" "Production Plan"

# Update a computer's label and/or tags
jamf-cli protect computers update "MacBook-Pro.local" --label "Finance Team"
jamf-cli protect computers update "MacBook-Pro.local" --tags "floor3,building-a"

Analytics

Analytics are the detection rules that Jamf Protect evaluates on endpoints. The CLI supports full CRUD, plus YAML import/export for compatibility with the jamf/jamfprotect community repository.

# List all analytics
jamf-cli protect analytics list

# Get an analytic by name
jamf-cli protect analytics get "Suspicious Login"

# Export an analytic to YAML (community schema)
jamf-cli protect analytics export "Suspicious Login"

# Export to YAML and save to a file
jamf-cli protect analytics export "Suspicious Login" > suspicious-login.yaml

# Create or update an analytic from JSON
jamf-cli protect analytics apply --from-file analytic.json

# Import a single YAML file
jamf-cli protect analytics import --file suspicious-login.yaml

# Import a directory of YAML files (creates new, updates existing)
jamf-cli protect analytics import --dir ./analytics/

# Delete an analytic
jamf-cli protect analytics delete "Old Rule" --yes

Note: The import command uses the community YAML schema from the jamf/jamfprotect repository. Existing analytics (matched by name) are updated; new analytics are created.

Analytic Sets (as)

Analytic sets group analytics together for assignment to plans.

# List all analytic sets
jamf-cli protect analytic-sets list

# Get an analytic set by name
jamf-cli protect analytic-sets get "macOS Threat Detection"

# Export an analytic set
jamf-cli protect analytic-sets export "macOS Threat Detection"

# Create or update an analytic set
jamf-cli protect analytic-sets apply --from-file set.json --yes

# Add an analytic to a set
jamf-cli protect analytic-sets add-analytic "macOS Threat Detection" --analytic "Suspicious Login"

# Remove an analytic from a set
jamf-cli protect analytic-sets remove-analytic "macOS Threat Detection" --analytic "Old Rule"

# Delete an analytic set
jamf-cli protect analytic-sets delete "Test Set" --yes

Exception Sets (es)

Exception sets define exclusions applied to analytics, reducing false positives.

# List all exception sets
jamf-cli protect exception-sets list

# Get an exception set by name
jamf-cli protect exception-sets get "Developer Tools"

# Export an exception set
jamf-cli protect exception-sets export "Developer Tools"

# Create or update an exception set
jamf-cli protect exception-sets apply --from-file exceptions.json --yes

# Add a path exception to a set
jamf-cli protect exception-sets add-exception "Developer Tools" \
  --type Path \
  --value "/usr/local/bin/my-tool" \
  --ignore-activity IGNORE_ACTIVITIES

# Remove an exception from a set
jamf-cli protect exception-sets remove-exception "Developer Tools" \
  --type Path \
  --value "/usr/local/bin/my-tool"

# Delete an exception set
jamf-cli protect exception-sets delete "Stale Exceptions" --yes

add-exception flags

Flag                Description
--type              Exception type (e.g., Path) (required)
--value             Exception value (e.g., /usr/bin/foo) (required)
--ignore-activity   Ignore activity setting (e.g., IGNORE_ACTIVITIES)

Removable Storage Control Sets (rscs)

USB/removable storage control sets define rules governing how external storage devices are mounted.

# List all removable storage control sets
jamf-cli protect removable-storage-control-sets list

# Get a set by name
jamf-cli protect removable-storage-control-sets get "Corporate USB Policy"

# Export a set
jamf-cli protect removable-storage-control-sets export "Corporate USB Policy"

# Create or update a set
jamf-cli protect removable-storage-control-sets apply --from-file usb-policy.json --yes

# Add a vendor rule to block USB storage from specific vendors
jamf-cli protect removable-storage-control-sets add-rule "Corporate USB Policy" \
  --type vendor \
  --mount-action Prevented \
  --vendors "SanDisk,Kingston"

# Add an encryption rule to allow only encrypted volumes
jamf-cli protect removable-storage-control-sets add-rule "Corporate USB Policy" \
  --type encryption \
  --mount-action ReadWrite

# Remove a rule by type
jamf-cli protect removable-storage-control-sets remove-rule "Corporate USB Policy" --type vendor

# Delete a set
jamf-cli protect removable-storage-control-sets delete "Test Policy" --yes

add-rule flags

Flag             Description
--type           Rule type: vendor, serial, product, encryption (required)
--mount-action   Mount action: ReadWrite, ReadOnly, Prevented (required)
--apply-to       Apply to: All, Encrypted, Unencrypted (default: All)
--vendors        Comma-separated vendor identifiers (for vendor rules)
--serials        Comma-separated serial numbers (for serial rules)
--yes            Skip confirmation when replacing an existing rule of the same type

Action Configs (ac)

Action configurations define what happens when an analytic triggers a detection — e.g., alerts, notifications, or webhook integrations.

# List all action configurations
jamf-cli protect action-configs list

# Get an action configuration by name
jamf-cli protect action-configs get "Alert Config"

# Export an action configuration
jamf-cli protect action-configs export "Alert Config"

# Create or update an action configuration
jamf-cli protect action-configs apply --from-file action-config.json --yes

# Delete an action configuration
jamf-cli protect action-configs delete "Old Config" --yes

Telemetry

Telemetry configurations control which endpoint telemetry data Jamf Protect collects — log files, performance metrics, file hashing, and Endpoint Security events.

# List all telemetry configurations
jamf-cli protect telemetry list

# Get a telemetry configuration by name
jamf-cli protect telemetry get "Standard Telemetry"

# Export a telemetry configuration
jamf-cli protect telemetry export "Standard Telemetry"

# Create or update a telemetry configuration
jamf-cli protect telemetry apply --from-file telemetry.json --yes

# Delete a telemetry configuration
jamf-cli protect telemetry delete "Test Config" --yes

Custom Prevent Lists (cpl)

Custom prevent lists let you block specific hashes, paths, or other indicators.

# List all custom prevent lists
jamf-cli protect custom-prevent-lists list

# Get a prevent list by name
jamf-cli protect custom-prevent-lists get "Blocked Hashes"

# Export a prevent list
jamf-cli protect custom-prevent-lists export "Blocked Hashes"

# Create or update from a JSON file
jamf-cli protect custom-prevent-lists apply --from-file prevent-list.json --yes

# Create or update from inline flags
jamf-cli protect custom-prevent-lists apply \
  --name "Blocked Hashes" \
  --type HASH \
  --list "abc123,def456,789ghi"

# Delete a prevent list
jamf-cli protect custom-prevent-lists delete "Old List" --yes

Unified Logging Filters (ulf)

Unified logging filters collect entries from the macOS Unified Logging system matching a predicate expression.

# List all unified logging filters
jamf-cli protect unified-logging-filters list

# Get a filter by name
jamf-cli protect unified-logging-filters get "Auth Events"

# Export a filter to YAML (community schema)
jamf-cli protect unified-logging-filters export "Auth Events"

# Create or update a filter from JSON
jamf-cli protect unified-logging-filters apply --from-file filter.json --yes

# Import a single YAML file
jamf-cli protect unified-logging-filters import --file auth-events.yaml

# Import a directory of YAML files (creates new, updates existing)
jamf-cli protect unified-logging-filters import --dir ./ulf-filters/

# Delete a filter
jamf-cli protect unified-logging-filters delete "Old Filter" --yes

Note: Like analytics, the import command uses the community YAML schema. Existing filters (matched by name) are updated; new filters are created.

Alerts

View and manage Jamf Protect security alerts.

# List all alerts
jamf-cli protect alerts list

# Get an alert by UUID
jamf-cli protect alerts get "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

# Show alert counts by status
jamf-cli protect alerts status-counts

# Bulk-update alert status (New, InProgress, or Resolved)
jamf-cli protect alerts update-status \
  --uuid "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --uuid "yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy" \
  --status Resolved

Insights (ins)

CIS benchmark insights track per-control compliance across your fleet.

# List all CIS benchmark insights
jamf-cli protect insights list

# Enable or disable an insight by label
jamf-cli protect insights enable "CIS 1.1 Software Updates"
jamf-cli protect insights disable "CIS 5.2.3 Password Policy"

# List computers affected by a specific insight
jamf-cli protect insights computers "CIS 1.1 Software Updates"

# Get today's fleet CIS compliance score
jamf-cli protect insights compliance-score

# Get historical compliance score for a specific date
jamf-cli protect insights compliance-score --date 2026-03-12

Audit Logs

View the Jamf Protect audit log — records of API operations, user actions, and configuration changes.

# List audit logs (defaults to last 7 days)
jamf-cli protect audit-logs list

# Filter by date range (RFC3339 format, max 7-day window)
jamf-cli protect audit-logs list \
  --start 2026-04-06T00:00:00Z \
  --end 2026-04-13T00:00:00Z

# Machine-readable output for log ingestion
jamf-cli protect audit-logs list -o json --no-input
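
Because a single request covers at most 7 days, an investigation or log-ingestion backfill over a longer period has to be split into consecutive windows. The script below is an added example, not part of the jamf-cli project: it uses only the flags shown above, and its function names, output file layout, and reliance on GNU date (gdate from coreutils on macOS) are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the jamf-cli project): pull audit logs for a range
# longer than the 7-day limit by issuing one request per window.
# Assumptions: GNU date (use gdate from coreutils on macOS); UTC timestamps
# ending in "Z"; function names and the output layout are hypothetical.

MAX_WINDOW=$((7 * 24 * 3600))   # 7 days in seconds, the documented maximum

# to_epoch 2026-04-06T00:00:00Z -> seconds since the epoch
to_epoch() {
  case "$1" in
    ????-??-??T??:??:??Z) ;;
    *) echo "not a UTC RFC3339 timestamp: $1" >&2; return 1 ;;
  esac
  local ts="${1%Z}"
  date -u -d "${ts%T*} ${ts#*T}" +%s
}

to_rfc3339() { date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ; }

# audit_windows START END: print one "start end" pair per line, each <= 7 days
audit_windows() {
  local start end cur next
  start=$(to_epoch "$1") || return 1
  end=$(to_epoch "$2") || return 1
  if [ "$start" -ge "$end" ]; then
    echo "start must be earlier than end" >&2; return 1
  fi
  cur=$start
  while [ "$cur" -lt "$end" ]; do
    next=$((cur + MAX_WINDOW))
    if [ "$next" -gt "$end" ]; then next=$end; fi
    echo "$(to_rfc3339 "$cur") $(to_rfc3339 "$next")"
    cur=$next
  done
}

# pull_audit_logs START END OUTDIR: one JSON file per window, owner-only perms.
# Runs in a subshell so the umask change does not leak into the caller.
pull_audit_logs() (
  umask 077
  mkdir -p "$3" || exit 1
  windows=$(audit_windows "$1" "$2") || exit 1
  while read -r s e; do
    jamf-cli protect audit-logs list --start "$s" --end "$e" \
      -o json --no-input </dev/null > "$3/audit-logs_${s%%T*}.json" || exit 1
  done <<EOF
$windows
EOF
)

# Usage: pull_audit_logs 2026-03-01T00:00:00Z 2026-04-13T00:00:00Z ./audit-archive
```

Adjacent windows share a boundary timestamp, and this page does not say whether `--end` is inclusive, so deduplicate records when ingesting the files.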

Permissions

Show the RBAC permissions granted to the current API client.

# List read and write permissions for the authenticated API client
jamf-cli protect permissions
jamf-cli protect permissions -o json

Useful for verifying that your API client has the correct privileges before running commands that require specific permissions.

Roles

Roles define access permissions for users, groups, and API clients in Jamf Protect.

# List all roles
jamf-cli protect roles list

# Get a role by name
jamf-cli protect roles get "Analyst"

# Export a role
jamf-cli protect roles export "Analyst"

# Create or update a role
jamf-cli protect roles apply --from-file role.json --yes

# Delete a role
jamf-cli protect roles delete "Temp Role" --yes

Users

# List all users
jamf-cli protect users list

# Get a user by email
jamf-cli protect users get admin@company.com

# Export a user
jamf-cli protect users export admin@company.com

# Create or update a user
jamf-cli protect users apply --from-file user.json --yes

# Delete a user
jamf-cli protect users delete admin@company.com --yes

Groups

# List all groups
jamf-cli protect groups list

# Get a group by name
jamf-cli protect groups get "Security Analysts"

# Export a group
jamf-cli protect groups export "Security Analysts"

# Create or update a group
jamf-cli protect groups apply --from-file group.json --yes

# Delete a group
jamf-cli protect groups delete "Old Group" --yes

API Clients (apic)

# List all API clients
jamf-cli protect api-clients list

# Get an API client by name
jamf-cli protect api-clients get "CI Pipeline"

# Export an API client
jamf-cli protect api-clients export "CI Pipeline"

# Create or update an API client
jamf-cli protect api-clients apply --from-file api-client.json --yes

# Delete an API client
jamf-cli protect api-clients delete "Unused Client" --yes

Data Forwarding (df)

Data forwarding is a singleton configuration controlling where Protect sends event data (S3, Sentinel, etc.).

# Get current data forwarding settings
jamf-cli protect data-forwarding get

# Update data forwarding settings
jamf-cli protect data-forwarding update --from-file data-forwarding.json
cat data-forwarding.json | jamf-cli protect data-forwarding update

Data Retention (dr)

Data retention is a singleton configuration controlling how long Protect stores event data.

# Get current data retention settings
jamf-cli protect data-retention get

# Update data retention settings
jamf-cli protect data-retention update --from-file data-retention.json

Downloads

Download installer packages, configuration profiles, and certificates from your Protect tenant.

# Show download metadata (version, URLs, availability)
jamf-cli protect downloads summary

# Download the Jamf Protect installer package
jamf-cli protect downloads installer

# Download to a specific path
jamf-cli protect downloads installer -O /tmp/JamfProtect.pkg

# Download the uninstaller package
jamf-cli protect downloads uninstaller

# Download configuration profiles
jamf-cli protect downloads pppc-profile
jamf-cli protect downloads tamper-prevention-profile

# Download certificates
jamf-cli protect downloads root-ca
jamf-cli protect downloads csr
jamf-cli protect downloads websocket-auth

Config Freeze (cf)

Config freeze prevents changes to the Protect configuration from the console.

# Get config freeze status
jamf-cli protect config-freeze get

# Enable config freeze
jamf-cli protect config-freeze enable

# Disable config freeze
jamf-cli protect config-freeze disable

Connections

Identity provider connections are read-only.

# List all identity provider connections
jamf-cli protect connections list

Auth Token

Print a valid Jamf Protect access token. The token is automatically refreshed if expired. Useful for debugging API calls with curl or feeding a token into another tool without managing the OAuth2 flow yourself.

# Print token as JSON (includes expiry)
jamf-cli protect auth token

# Extract just the token string for scripting
jamf-cli protect auth token --field token

# Force a fresh token exchange (ignores cache)
jamf-cli protect auth token --refresh

Output:

{
  "token": "eyJhbGciOi...",
  "expires_at": "2026-04-15T15:30:00Z"
}

Flag        Description
--refresh   Force a new token exchange, ignoring any cached token
