Aftermath Incident Response for macOS
  • 12 Apr 2024
  • 2 Minutes to read
  • Dark
  • PDF

Aftermath Incident Response for macOS

  • Dark
  • PDF

Article summary

Incident Response on macOS

As the Mac footprint grows across organizations of all sizes, attackers are increasingly focusing their efforts on exploiting macOS. For endpoint security, InfoSec teams look to Jamf for device configuration, threat detection & prevention, and telemetry data they require for defending the Mac.

However, there has been a need for toolsets available to defenders to deploy on-device, post-incident to aide with an investigation when a breach or infection does manage to occur in the fleet.

Forensically analyzing data that surrounds events as they took place on a compromised host is imperative for discovering infection vectors – and a critical component of an incident response plan that aims to limit the consequences a malicious attack could have for your organization.

Parsing out factors such as the files involved, when they were created, accessed, or modified alongside a compelling storyline with browser info, database changes and file metadata are all critical to gain insight. Keeping the time that passes between attack and investigation to a minimum is vital for data integrity and successful mitigation of similar threats in the future.


Identifying this need, the Jamf Threat Labs team created Aftermath, a Swift-based, open-source incident response framework tailor-made for macOS.

After a security incident has occurred, rapid collection can take place with Aftermath running a series of modules, creating an output archive ready to be analyzed.

You now have the critical incident data needed to perform a detailed investigation.

Aftermath can be run independently from an endpoint’s command line but was built to be deployed via a device management system to collect results at scale.

SOAR Workflows

Aftermath automation workflows via Jamf Pro open the door for responsive orchestration in concert with Jamf Protect having initially detected a threat.

The Jamf Security Consulting Engineering team have created SOAR collection playbooks for Aftermath that leverage your cloud storage provider’s solutions as a destination for the endpoint archive (Amazon S3, Azure Files, Google Cloud Storage). These playbooks ensure the sensitive data collected by Aftermath is securely stored, and accessible only by you.

To get started, check out the Aftermath and SOAR Playbook repositories on the Jamf GitHub.

Check back soon for a detailed workflow configuration guide and tips on analyzing the data collected by Aftermath!


Please note that all resources contained within this page are provided as-is and are not officially supported by Jamf Support.

The Aftermath framework and corresponding SOAR playbooks are free-to-use add-on utilities for Jamf customers.

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.