---
title: "macOS ZTNA Risk Signaling"
slug: "macos-ztna-risk-signaling"
tags: ["AWS Lambda function", "Device Risk-based Access", "Incident Response", "Jamf Pro", "Jamf Protect", "Jamf Security Cloud", "SOAR", "Trusted Access"]
updated: 2026-01-16T15:46:01Z
published: 2026-01-16T15:46:01Z
---


# Implement ZTNA Risk Signaling

### 🛡️ Jamf Security Integration

**Protect | Pro | Connect**

This article outlines how to automatically protect organizational data from out-of-compliance or risky macOS devices using the Jamf platform.

Specifically, you will see how an on-device threat detected by Jamf Protect can signal an elevated device risk to Jamf Security Cloud, immediately limiting that device's access to the organization's critical SaaS, private cloud, or on-premises infrastructure and data.

This integration will dynamically sever and restore access to critical network resources stemming from a macOS threat detected in near real time. Leveraging Jamf Protect macOS Security, Jamf Pro foundations, and Jamf Connect ZTNA's Risk-based Access Control principles of Jamf Security Cloud, the integration provides the resources and configuration playbook for device-based risk signaling and response.

This integration pattern may be tailored to any organization's specific requirements, including support for other threat detection and response workflows and even to non-Jamf products.

### Solution Overview

An event-driven cloud-compute function serves as the communication framework between applicable Jamf cloud systems - Jamf Protect, Jamf Pro and Jamf Security Cloud (JSC). We will leverage an AWS Lambda function to handle webhook processing for this example.

- On-device behavioral threats are detected by Jamf Protect analytics and signaled by Jamf Pro via Webhook for processing.
- The macOS device risk level within JSC is elevated to *high*.
- SaaS or enterprise app Access Policy within JSC determines if connectivity to resources is allowed or blocked while the elevated risk is present.
- Once the threat has been investigated and neutralized, a *secure* device risk state is signaled to JSC.
- Once ZTNA is re-established via Jamf Trust, authorized connectivity is restored to organizational resources.

### User Experience Demo

The video below shows how this configuration can:

1. Require managed macOS devices to route traffic to a SaaS application (Dropbox) via the Jamf Security Cloud.
2. Activate Jamf Trust and secure ZTNA networking just-in-time and passwordlessly with Okta FastPass.
3. Detect and report a malicious download using Jamf Protect.
4. Signal the elevated device risk to Jamf Security Cloud, blocking access to Dropbox on the device.
5. Remediate the threat using a Jamf Self Service-based workflow.
6. Automatically restore access to Dropbox once the threat has been remediated.

[Embedded content](https://www.youtube.com/embed/WQVQh-eM0Hg?&wmode=opaque&rel=0)

### macOS Threat Management with Jamf

Threat signaling and response is defined broadly, and differently, among the vendors responsible for securing their customers' users, devices, and sensitive data. Jamf takes a holistic approach by enabling customers to expand beyond traditional identity-based realms and assess risk by layering insights gleaned across the entire endpoint, informing whether the device meets the thresholds for access to critical resources.

This is the essence of [*Jamf Trusted Access*](https://trusted.jamf.com/) - a solution built upon a foundation of device management principles and capabilities, integrated with modern identity & access technologies and rounded out with sophisticated endpoint security and threat detection.

As a Jamf Protect administrator, you might be aware of the behavioral analytic detections that indicate potentially malicious activity on your system. Detections such as hidden executable files, or the output of curl commands being piped directly to an interpreter are often indicative of potential malicious activities, but they are not definitive proof of a threat. Instead, they serve as valuable signals that warrant further analysis by security professionals.

Balancing security and usability is a crucial aspect of any successful endpoint security strategy. By first investigating these events, your team can determine if they are indeed malicious or simply benign activities that are part of your organization's normal operations. Overly aggressive threat responses could lead to a negative user experience or disrupt your organization's workflow. A transparent and open approach to security can help foster trust between users and security teams. By emphasizing both security and usability, you can create an environment in which your organization can thrive, protected from threats without sacrificing productivity.

***Follow along as we put pieces in place for device-based Risk Signaling between Jamf Protect, Jamf Pro and Jamf Security Cloud.***

---

### ⚠️ Before We Begin

The following configuration guide is intended to provide the base technical framework and guidance for a method of data exchange between Jamf management, endpoint security and network security platforms.

Prior to implementing this solution outside controlled testing environments, careful user-experience consideration and internal stakeholder alignment are advised for effective incident response (IR) planning.

### Known Issues

⛔️ Device risk level ***must*** be returned from **high** to **secure** via [this automation](https://github.com/jamf/jamfprotect/tree/main/third_party_integrations/ZTNA_Risk_Signaling) (or similarly scripted manually via a command-line shell). Currently, there is no GUI method available within Jamf Security Cloud for managing macOS device risk elevated via the API, such as in this workflow.

  

### Pre-requisites for Success

- All systems configured to minimum viable functionality to support the solution.
- The ability to fully administer all system components is required.
- At minimum, intermediate experience with macOS management and the systems and components involved is recommended.

### Core Solution Components: Roles & Requirements

| **Cloud Compute Platform** | **Managed macOS Device** | **Cloud Identity Provider** | **Jamf Pro** | **Jamf Security Cloud** | **Jamf Protect** |
| --- | --- | --- | --- | --- | --- |
| AWS Lambda function with API Gateway trigger (other platforms forthcoming) | Jamf Pro - Managed | Okta, Azure | Device Management | Network threat detection | Endpoint behavioral threat detection |
| [python requests module](https://github.com/jamf/jamfprotect/blob/main/third_party_integrations/ZTNA_Risk_Signaling/aws_lambda/requests.zip) | Jamf Protect - Plan profile and agent [deployed via Jamf Pro](https://trusted.jamf.com/docs/macos-corporate-owned#deploying-jamf-protect) | Jamf Trust ZTNA activation | Workflow configuration & signaling | ZTNA access policy | Threat signal to Jamf Pro |
| [lambda_function.py](https://github.com/jamf/jamfprotect/tree/main/third_party_integrations/ZTNA_Risk_Signaling) | [Jamf Trust.app](https://trusted.jamf.com/docs/macos-corporate-owned#deploying-jamf-trust) - ZTNA Activation profile deployed via Jamf Pro | User Identity | Response & Remediation | Threat risk access policy | Security event reporting |

### Other Resources

- **Jamf Protect Github** - [ZTNA Risk Signaling](https://github.com/jamf/jamfprotect/tree/main/third_party_integrations/ZTNA_Risk_Signaling) - [macOS IR Aftermath Collection](https://github.com/jamf/jamfprotect/tree/main/soar_playbooks/aftermath_collection) - [Custom Analytic Detections](https://github.com/jamf/jamfprotect/tree/main/custom_analytic_detections)
- **Jamf Threat Labs** - [About](https://www.jamf.com/blog/category/jamf-threat-labs/) - [Blog](https://www.jamf.com/blog/category/jamf-threat-labs/)

### 🛠️ Build the Components

For this example we will leverage an AWS Lambda function, a python layer and a script to process the webhook risk signals. Jamf Security Cloud configuration will use a predefined SaaS app (Dropbox). We'll be utilizing portions of the Jamf Protect Evaluation Guide and Jamf Protect Documentation to set up the behavioral analytics that will trigger the risk elevation for your test Mac devices. This simulates a real-world detection that's built into the product while lessening the possibility of harm from more advanced threats.

### 1️⃣ AWS Lambda Function

AWS Lambda is an event-driven, serverless compute platform provided by Amazon Web Services. It is a cloud service that runs code in response to events; the computing resources required by that code are automatically managed by AWS.

Completing this step will result in a Lambda function running a `python` layer responsible for processing the webhook signals sent from Jamf Pro. This component is required for enabling a secure pathway for threat signaling messages between Jamf cloud systems.

---

1. Login to the AWS Management Console
  - Select the Region where you'd like to host the Lambda function (AWS console, top right)
  - N. Virginia is selected for this example ![aws_lambda-search](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/aws_lambda-search.png)
2. Navigate to and select: `Services > Compute > Lambda` (or search `Lambda`)
  - Select `Layers` within Lambda (from left navigation)
  - A python `requests` module (AWS calls this a *Layer*) is required to run the `aws_lambda.py` [webhook processing script](https://github.com/jamf/jamfprotect/blob/main/third_party_integrations/ZTNA_Risk_Signaling/aws_lambda/aws_lambda.py)
  - Use the prebuilt [python 3.9 requests module](https://github.com/jamf/jamfprotect/blob/main/third_party_integrations/ZTNA_Risk_Signaling/aws_lambda/requests.zip) available in the Protect Github Repository
3. Click `Create Layer` ![aws_create-layer](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/aws_create-layer.png)
  - Assign a name and description for the layer
  - Select *Upload* and choose the requests.zip file
  - Compatible runtime
    - Choose the runtime corresponding to the python version of the requests package (i.e. Python 3.9)
  - ***Save*** the Layer
4. Navigate to Functions within AWS Lambda (from left navigation menu)
  - Click *Create Function*
    - Select *Author from scratch*
    - Assign a *Function Name*
    - Select Runtime: *Python 3.9*
    - Select Architecture: *x86_64*
    - Click ***Create function*** (will take a few moments to spin up) ![aws_create-function](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/aws_create-function.png)
  - Add a Layer to the Function
    - Within the *Function overview*, click *Layers* ![aws_add-layer-to-function](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/aws_add-layer-to-function.png)
    - Click *Add a layer* ![aws_add-layer-to-function-2](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/aws_add-layer-to-function-2.png)
    - Select *Custom Layers*, choose *request_layer* created in previous steps
    - Select *Version 1* ![aws_choose-custom-layer](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/aws_choose-custom-layer.png)
    - Click ***Add***
  - Add aws_lambda.py contents to the Lambda Function
    - Within the *Code source* of the Lambda Function:
      - *Select All* default code content and delete the default code
    - Copy the raw *aws_lambda.py* code from [Jamf Protect Github](https://github.com/jamf/jamfprotect/blob/main/third_party_integrations/ZTNA_Risk_Signaling/aws_lambda/aws_lambda.py)
    - Paste the raw *aws_lambda.py* code into the *Code source*
    - Click ***Deploy*** ![aws_code-source_deploy](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/aws_code-source_deploy.png)

   Now that we've created the Lambda Function, let's make it accessible from the internet by creating an API Gateway. AWS calls this a Trigger. A trigger is a service or resource that invokes your function when contacted. The trigger enables the Lambda function to relay device risk signals between the Jamf clouds.
5. Enable internet connectivity for the Lambda Function
  - Click ***+ Add trigger*** under API Gateway in the Function overview ![add_trigger](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/add_trigger.png)
    - Select Source from the dropdown: ***API Gateway***
    - Choose *Create a new API*
    - Choose *REST API* for type
    - Select *Open* from the Security dropdown
      - Note: An API key can be configured if desired
    - Click ***Add*** - you will be presented with the API endpoint on the Function overview
    - Save the API endpoint URL. This will be the Webhook URL used in Jamf Pro in upcoming steps ![aws_api-gateway](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/aws_api-gateway.png)

##### **AWS Lambda Function Setup Complete**

---

### 2️⃣ Jamf Security Cloud Config

The Jamf Security Cloud portal (JSC) is a web application that is used to configure and manage Jamf network connectivity policy, applications, settings, and integrations for Jamf security services such as ZTNA and secureDNS which are a part of this solution. JSC also includes dashboards and reports about the connected devices in your environment.

#### **Risk API**

Completing this step will result in enabling the JSC Risk API, which can be used to programmatically audit or change a device's security risk level. Ultimately, the device risk level will be used to gate access to network resources configured for access control.

Full documentation for the JSC Risk API can be accessed within the portal, or by [clicking here](https://radar.wandera.com/risk-api-documentation) (requires authentication).

1. Login to the [Jamf Security Cloud portal](https://radar.wandera.com/)
  - From the Left Navigation, select:
    - *Integrations > Risk API*
2. Enable the JSC Risk API by toggling the setting slider
  - Click ***Generate API Key*** ![jsc_RiskAPI_enable](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/jsc_RiskAPI_enable.png)
  - In the New API Key window that appears, enter a Name for the Risk API key
  - Click ***Generate API Key*** ![jsc_new-api-key](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/jsc_new-api-key.png)
  - Once the API Key has been created, save the details in a safe place for reference. These values will be used for the webhook in later steps
    - Important: Ensure the Application Secret value has been saved; this is the only time it will be visible ![jsc_API-key-success-blurred](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/jsc_API-key-success-blurred.png)

---

#### Access Policy

**Device Risk-based Access Control**

JSC Access Policy is where we'll define the security posture level a device needs to satisfy before the user is allowed access to SaaS and Enterprise application resources critical to your organization. See the [JSC Access Policy documentation](https://learn.jamf.com/bundle/jamf-security-documentation/page/Access_Policies.html) for adding predefined or custom SaaS applications, and/or an on-premises or private cloud application hosted by your organization.

1. Login to the [Jamf Security Cloud portal](https://radar.wandera.com/)
  - From the Left Navigation, select:
    - *Policies > Access > Access Policies*
2. In this example we'll be configuring the Dropbox application, which is a predefined app in JSC.
  - Edit the Dropbox application (if not added previously, add the Dropbox app and define other settings per the Access Policy documentation) ![jsc_access-policy1](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/jsc_access-policy1.png)
  - Click the ***Security*** tab
    - Enable the slider for *Device Risk-based Access Control*
      - Deny access to the devices with at least the following risk level: Medium
      - Toggle the slider for *Device push notifications*
    - Enable the slider for *Restrict access when Jamf Trust is disabled*
      - Toggle the slider for *Device push notifications* ![jsc_access-policy2](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/jsc_access-policy2.png)
    - Click ***Save***

Once these settings are enforced as part of the Access Policy, if the Device Risk Posture does not satisfy the “Device Risk-based access control” risk level, the user will be prevented from accessing the resource and a push notification is sent to the Device to inform the user of the reason. Additionally, Jamf Pro Policies can be leveraged as part of a Response workflow to further notify a user of the policy action resulting from the Mac threat detected by Jamf Protect.

##### **JSC Access Policy Setup Complete**

---

### 3️⃣ Jamf Protect Analytics

A Jamf Protect analytic is a rule that detects suspicious user behavior and malicious system activity on macOS computers. Jamf Protect includes over 150 Jamf-managed analytics for you to deploy in your environment, with more added regularly as the Jamf Threat Lab team hunts down the latest Mac threats. Additionally, you can create custom analytics to detect activity specific to your security needs.

For building and testing this solution, Jamf recommends using a safe real-world analytic detection built into Jamf Protect. Once configured to signal to Jamf Pro in the next step, the [FlashDownloadNotSignedByAdobe](https://learn.jamf.com/bundle/jamf-protect-evaluation-guide/page/FlashDownloadNotSignedByAdobe.html) analytic will kick off the risk elevation for your test Mac devices. This threat uses Defense Evasion and Masquerading, a common MITRE ATT&CK tactic and technique.

Check out the Jamf Protect documentation for [detailed Analytic configuration](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Analytics.html).

---

### 4️⃣ Jamf Pro & Protect: Response Configuration

It's likely that Jamf Pro wears many hats for device management and security within your organization. Settings configuration and app deployment are two tentpoles that have already been leveraged up to this point, when Jamf Trust and Jamf Protect and their configuration profiles were deployed to your Mac. Next, we'll set up Jamf Pro with Smart Group logic and a Webhook to process the Jamf Protect threat detection and serve as the cross-system communication to Jamf Security Cloud that's needed to achieve device-risk-based ZTNA.

#### Analytic-based Response

Between Jamf Protect and Jamf Pro, you can configure an analytic action to change the membership of a smart computer group in response to an analytic detection. Once configured, Jamf Protect populates an extension attribute when a threat is detected; a smart group in Jamf Pro reads that attribute and updates its membership accordingly.

Jamf Protect documentation contains detailed instructions for [Setting Up Analytic Remediation With Jamf Pro](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Setting_Up_Analytic_Remediation_With_Jamf_Pro.html). Following these configuration steps will involve:

- Configuring analytic action Settings in Jamf Protect
- Creating a Jamf Protect extension attribute in Jamf Pro
- Creating a smart computer group using the extension attribute in Jamf Pro
- Creating an end user alert dialog script and policy
- Resetting the analytic detection on computers

---

#### Jamf Pro Webhook Risk Signaling

The Webhooks setting in Jamf Pro allows you to create outbound webhooks for any event in the [Jamf Pro Events API](https://developer.jamf.com/developer-guide/docs/webhooks). We'll be using the [SmartGroupComputerMembershipChange](https://developer.jamf.com/developer-guide/docs/webhooks#smartgroupcomputermembershipchange) event, which is triggered when a managed computer joins or leaves the membership of a smart computer group in Jamf Pro. When a smart computer group membership change event occurs, an HTTP POST payload is sent to a specified URL. For this workflow, the URL will be the AWS Lambda API Gateway URL.

1. Log in to your Jamf Pro Server and navigate to:
  - *Settings > Global > Webhooks* ![Webhooks](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/Webhooks.png)
  - Click ***New***
  - Input the following details
    - Display Name for the Webhook
    - The Webhook URL (Lambda Function API URL)
    - Authentication Type: *Header Authentication*
      - The Webhook Authentication Header will communicate device UIDs, risk levels, and API credentials between Jamf Pro and Jamf Security Cloud
      - Header contents described below
    - Content Type: *JSON*
    - Webhook Event:
      - *SmartGroupComputerMembershipChange*
    - Target Smart Computer Group:
      - Choose the Smart Computer Group you configured in the [Analytic-based Response](/v1/docs/macos-ztna-risk-signaling#analyticbased-response) step ![webhook_details](https://cdn.document360.io/e5d71abd-07b9-46d0-8876-03cc9073df6b/Images/Documentation/webhook_details.png)
2. Use this template for your Webhook Header Authentication, inputting your org-specific values where required

**Webhook Header Template**

```json
{
  "jamf_pro_url": "https://jamfpro.jamfcloud.com",
  "jamf_pro_username": "apiuser",
  "jamf_pro_password": "apipassword",
  "private_access_application_id": "risk_api_app_id",
  "private_access_application_secret": "risk_api_secret",
  "set_risk_level": "MEDIUM",
  "clear_risk_level": "SECURE"
}
```

#### Description of Header values

| Header key | Description |
| --- | --- |
| `jamf_pro_url` | The URL of the Jamf Pro instance |
| `jamf_pro_username` | Jamf Pro API user account with computer read permissions only |
| `jamf_pro_password` | Jamf Pro API user password |
| `private_access_application_id` | The Application ID of the Risk API Key generated in the Jamf Security Cloud portal |
| `private_access_application_secret` | The Application Secret of the Risk API Key generated in the Jamf Security Cloud portal |
| `set_risk_level` | One of ***HIGH, MEDIUM or LOW***. This value is sent to the JSC Risk API when the Mac becomes a member of the selected smart group |
| `clear_risk_level` | One of ***SECURE, MEDIUM or LOW***. This value is sent to the JSC Risk API when the Mac falls out of the selected smart group |
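The following Python is an added example, not the project's `aws_lambda.py`, showing how a Lambda behind the API Gateway REST trigger can validate the Header Authentication values from the template above and map smart-group joins to `set_risk_level` and leaves to `clear_risk_level` (with the trigger security left *Open*, that header check is the only thing gating the endpoint). It assumes Jamf Pro delivers each template key as its own HTTP request header, that the event body uses the Jamf Pro Events API field names `webhook.webhookEvent`, `event.groupAddedDevices` and `event.groupRemovedDevices`, and that devices are keyed by `udid`; the JSC Risk API call itself is delegated to a caller-supplied `send_risk` function so the handler runs offline.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Allowed values, taken from the "Description of Header values" table.
SET_LEVELS = {"HIGH", "MEDIUM", "LOW"}
CLEAR_LEVELS = {"SECURE", "MEDIUM", "LOW"}
# Keys of the Webhook Header Template. Assumption: Jamf Pro's Header
# Authentication delivers each key as its own HTTP request header.
REQUIRED = ("jamf_pro_url", "jamf_pro_username", "jamf_pro_password",
            "private_access_application_id", "private_access_application_secret",
            "set_risk_level", "clear_risk_level")


def read_auth_headers(headers: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Validate the auth headers case-insensitively (API Gateway may normalise
    names). With the trigger left 'Open', this is the only gate: fail closed."""
    lower = {k.lower(): v for k, v in (headers or {}).items()}
    missing = [k for k in REQUIRED if not lower.get(k)]
    if missing:
        raise ValueError("missing authentication headers: " + ", ".join(missing))
    cfg = {k: lower[k] for k in REQUIRED}
    cfg["set_risk_level"] = cfg["set_risk_level"].upper()
    cfg["clear_risk_level"] = cfg["clear_risk_level"].upper()
    if cfg["set_risk_level"] not in SET_LEVELS:
        raise ValueError("set_risk_level must be HIGH, MEDIUM or LOW")
    if cfg["clear_risk_level"] not in CLEAR_LEVELS:
        raise ValueError("clear_risk_level must be SECURE, MEDIUM or LOW")
    return cfg


def plan_risk_actions(payload: dict, cfg: Dict[str, str]) -> List[Tuple[str, str]]:
    """Group joins get set_risk_level, leaves get clear_risk_level. Field names
    follow the Jamf Pro Events API payload; keying on udid is an assumption."""
    if payload.get("webhook", {}).get("webhookEvent") != "SmartGroupComputerMembershipChange":
        raise ValueError("unexpected webhook event")
    ev = payload.get("event", {})
    added = [(d["udid"], cfg["set_risk_level"]) for d in ev.get("groupAddedDevices", [])]
    removed = [(d["udid"], cfg["clear_risk_level"]) for d in ev.get("groupRemovedDevices", [])]
    return added + removed


def lambda_handler(event: dict, context=None,
                   send_risk: Optional[Callable[[str, str, Dict[str, str]], None]] = None) -> dict:
    """API Gateway REST proxy entry point. The JSC Risk API call itself is
    delegated to send_risk so the handler can be exercised offline."""
    try:
        cfg = read_auth_headers(event.get("headers"))
    except ValueError as exc:
        return {"statusCode": 401, "body": json.dumps({"error": str(exc)})}
    try:
        actions = plan_risk_actions(json.loads(event.get("body") or "{}"), cfg)
    except (ValueError, KeyError, AttributeError, TypeError) as exc:
        return {"statusCode": 400, "body": json.dumps({"error": "bad payload: %s" % exc})}
    for udid, level in actions:
        if send_risk is not None:
            send_risk(udid, level, cfg)  # cfg holds the API secret: never log it
    return {"statusCode": 200, "body": json.dumps({"processed": actions})}


# Constructed sample: one Mac joins the Jamf Protect analytic smart group.
SAMPLE_PAYLOAD = {
    "webhook": {"webhookEvent": "SmartGroupComputerMembershipChange"},
    "event": {"computer": True, "smartGroup": True, "name": "Protect - Threat Detected",
              "groupAddedDevices": [{"udid": "00000000-0000-0000-0000-000000000001"}],
              "groupRemovedDevices": []},
}
SAMPLE_EVENT = {
    "headers": {"jamf_pro_url": "https://jamfpro.jamfcloud.com",
                "jamf_pro_username": "apiuser", "jamf_pro_password": "apipassword",
                "private_access_application_id": "risk_api_app_id",
                "private_access_application_secret": "risk_api_secret",
                "set_risk_level": "HIGH", "clear_risk_level": "SECURE"},
    "body": json.dumps(SAMPLE_PAYLOAD),
}
```

Call `lambda_handler(SAMPLE_EVENT, None, send_risk=...)` with a function that performs the real Risk API request to wire it into your deployment; a missing or invalid header set yields 401 and a malformed body yields 400, so nothing is signaled for a request that fails the checks.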

**Tip:** You can configure multiple Jamf Pro Webhooks that respond to numerous logic-based conditions within Jamf Pro. For instance, if a device violates your [Compliance Baseline](https://learn.jamf.com/en-US/bundle/jamf-compliance-benchmarks-configuration-guide/page/Compliance_Benchmarks_Configuration_Guide.html) policy, it can be moved into a smart group that signals whether the device should be treated as High, Medium, or Low risk when it comes to accessing organizational data.

##### **Jamf Pro Webhook Setup Complete**

---

### 5️⃣ Testing and Implementing the Workflow

*Thoroughly testing this workflow prior to deploying in production environments is strongly recommended*. There is high potential for misconfiguring a threat response without careful attention. *Any corrective remediation* action taken as a result of a Mac behavioral detection should be treated on a case-by-case basis, following careful consideration and planning. Only threats that are understood to cause direct harm or loss to user or organizational data should utilize this solution; otherwise you may unnecessarily impact end-user productivity.

[As referenced previously](/v1/docs/macos-ztna-risk-signaling#before-we-begin), it's best to start with targeted precision for any behavior analytic hits you choose to take action against via this response workflow. A well-planned communication initiative with organizational stakeholders and leadership is recommended so that employees, staff or students understand what's happening and why.

#### Risk Level Reset

Please refer to the Jamf Protect documentation referenced in [Analytic-based Response](/v1/docs/macos-ztna-risk-signaling#analyticbased-response) for the best understanding of how the *Jamf Protect <> Jamf Pro* threat classification is enabled and disabled via extension attributes and smart groups. Pay close attention to [Resetting Analytic Detections on Computers](https://learn.jamf.com/bundle/jamf-protect-documentation/page/Setting_Up_Analytic_Remediation_With_Jamf_Pro.html#ariaid-title7).

[this automation](https://github.com/jamf/jamfprotect/tree/main/third_party_integrations/ZTNA_Risk_Signaling)
