This article covers how Red Canary integrates with Jamf, initial setup instructions, and questions related to Jamf data.
Red Canary and Jamf are partnering to bring the first Managed Detection and Response (MDR) solution solely focused on Apple devices.
Jamf partners exclusively with Apple to ensure the highest development of new features and product support aligned to Apple’s development cycles. Red Canary partnered with Jamf to create a focused detection and monitoring solution, giving you the ability to protect data generated on Apple platforms. Jamf and Red Canary provide a level of security assurance to Apple endpoints that is unmatched in today's industry.
How it works
Red Canary and Jamf use several integration points to implement exceptional security operations.
The Jamf Protect agent, which focuses on endpoint security, runs on macOS computers and monitors the real-time, event-driven activity generated on macOS. In addition, Jamf Protect analyzes events using the highly optimized built-in game engine on Apple products. Jamf then forwards your telemetry to Red Canary’s cloud-based detection engine.
From here, Red Canary continuously analyzes, triages, and investigates potential threats, including threats specific to macOS and to your overall environment. Your enterprise includes more than just macOS devices, and the Red Canary Platform monitors all ingested data, correlating threats beyond any one operating system.
Getting started
To connect your Jamf Protect deployment to Red Canary, follow the steps below:
- Set up a data export from your Jamf Protect instance to Red Canary. This configuration instructs the Jamf platform to begin sending your telemetry to Red Canary for processing.
  - Red Canary will provide you with the Amazon S3 Bucket Name, Prefix pattern, and IAM Role information to complete the data forwarding configuration.
- Create service accounts in the Jamf Pro and Jamf Protect platforms for Red Canary teams, including:
  - An Engineering account in Jamf Pro to allow for API connectivity.
  - Accounts for the Customer Security Organization (CSO) in Jamf Protect to facilitate necessary investigative actions.
What kind of Jamf data does Red Canary process?
We receive all of the data collected by your Jamf sensors, as well as a number of system events generated by the Jamf platform.
Can I export the data collected by Jamf?
Absolutely. You can use the Canary Exporter to export Jamf telemetry from Red Canary into your Security Information and Event Management (SIEM), long-term storage, or other processing pipeline. Learn more about exporting telemetry from Red Canary.