Jamf Pro

Jamf

About

Jamf is the only Apple Enterprise Management solution of scale that remotely connects, manages and protects Apple users, devices and services.

Product Details

Vendor URL: Jamf

Product Type: MDM

Product Tier: Tier III

Integration Method: Custom

Integration URL: Jamf

Log Guide: Sample Logs by Log Type

Parser Details

Log Format: JSON

Expected Normalization Rate: near 100%

Data Label: JAMF_PRO

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
| --- | --- |
| event.computer.alternateMacAddress | security_result.about.asset.mac |
| event.computer.department, event.department | principal.user.department |
| event.computer.deviceName, event.deviceName | principal.hostname |
| event.computer.emailAddress | principal.user.email_addresses |
| event.computer.macAddress | principal.asset.mac |
| event.computer.model, event.model | principal.asset.hardware.model |
| event.computer.osBuild, event.osBuild | principal.asset.platform_software.platform_patch_level |
| event.computer.osVersion, event.osVersion | principal.asset.platform_software.platform_version |
| event.computer.position, event.position | principal.user.title |
| event.computer.realName, event.realName | principal.user.user_display_name |
| event.computer.reportedIpAddress | principal.asset.ip |
| event.computer.serialNumber, event.serialNumber | principal.asset.hardware.serial_number |
| event.description | principal.asset.category |
| event.trigger | metadata.product_event_type |
| event.username | principal.user.userid |
| json.event.computer.ipAddress | principal.asset.nat_ip |
| webhook.name | observer.application |
| webhook.webhookEvent | metadata.product_event_type |

Product Event Types

| Event | UDM Event Classification |
| --- | --- |
| Added | GENERIC_EVENT |
| all others | STATUS_HEARTBEAT |
| ComputerAdded | STATUS_UPDATE |

Log Sample

{"webhook": {"id": 16, "name": "hookname", "webhookEvent": "ComputerCheckIn", "eventTimestamp": 1639645543943}, "event": {"trigger": "CLIENT_CHECKIN", "username": "john.doe", "computer": {"udid": "udid", "deviceName": "acmedomain\u2019s MacBook Pro", "model": "MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)", "macAddress": "00:00:00:00:00:00", "alternateMacAddress": "00:00:00:00:00:00", "serialNumber": "serial", "osVersion": "11.6.1", "osBuild": "20G224", "userDirectoryID": "-1", "username": "", "realName": "John Doe", "emailAddress": "john.doe@domain.com", "phone": "", "position": "", "department": "Engineering", "building": "KC", "room": "", "ipAddress": "10.10.165.207", "reportedIpAddress": "10.10.0.114", "jssID": 555}}, "lambda-timestamp": "2021-12-16T09:05:44Z"}

Sample Parsing

metadata.event_timestamp = "2021-12-16T09:06:04.955355Z"
metadata.event_type = "STATUS_HEARTBEAT"
metadata.vendor_name = "JAMF"
metadata.product_event_type = "CLIENT_CHECKIN"
metadata.ingested_timestamp = "2021-12-16T09:06:04.955355Z"
principal.hostname = "userfirst’s MacBook Pro"
principal.user.userid = "john.doe"
principal.user.user_display_name = "John Doe"
principal.user.email_addresses = "john.doe@domain.com"
principal.user.department = "Engineering"
principal.asset.ip = "10.10.0.114"
principal.asset.mac = "00:00:00:00:00:00"
principal.asset.hardware.serial_number = "serial"
principal.asset.hardware.model = "MacBook Pro (13-inch, 2020, Four Thunderbolt 3 ports)"
principal.asset.platform_software.platform_version = "11.6.1"
principal.asset.platform_software.platform_patch_level = "20G224"
principal.asset.nat_ip = "10.10.165.207"
observer.application = "hookname"
security_result.about.asset.mac = "00:00:00:00:00:00"