
Enterprise monitoring solution for Jamf Connect privilege escalations. Detects unauthorized macOS admin accounts, tracks legitimate elevations, sends Slack/Teams alerts, and auto-remediates violations. Features Configuration Profile management and forensic investigation tools.


Jamf Connect Privilege Monitor v2.4.0


A comprehensive monitoring and automated remediation system for Jamf Connect privilege elevation events with legitimate elevation tracking, enterprise Configuration Profile management, and real-time detection capabilities.

🎯 v2.4.0 - Webhook Platforms, Elevation Tracking & Enhanced Monitoring

✨ New in v2.4.0

  • 💬 Webhook Platform Selection - Native support for Slack and Microsoft Teams with proper formatting
  • 🔍 Legitimate Elevation Tracking - Distinguish between authorized Jamf Connect elevations and unauthorized admins
  • 📊 Elevation Analytics - Track elevation frequency, duration, and reasons with the new elevation-report command
  • 🎯 MonitorJamfConnectOnly - Event-driven monitoring that only checks after Jamf Connect elevations
  • 📧 SMTP Improvements - Fixed authentication, auto-configuration, and a required From Address
  • 📝 Enhanced Context - Violations show legitimate elevations for better security decisions

✅ PLATFORM AWARE: Slack and Teams webhooks with native formatting
✅ COMPLIANCE READY: Full audit trail of all legitimate privilege elevations
✅ SECURITY CONTEXT: Clear distinction between authorized and unauthorized admin access
✅ RESOURCE OPTIMIZED: Optional event-driven monitoring reduces unnecessary checks

🚀 What's New in v2.4.0

Webhook Platform Support

  • WebhookType Selector - Choose between Slack and Microsoft Teams in Configuration Profile
  • Native Formatting - Messages formatted specifically for each platform
  • Enhanced Templates - security_report, detailed, and simple templates per platform
  • Automatic Detection - Platform detected from webhook URL if not specified
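The platform detection and per-platform formatting described above can be reduced to two small decisions: which host the webhook URL points at, and which JSON shape that host expects. The script below is an added example written for this page, not the project's own notification code. It assumes Slack incoming webhooks live under hooks.slack.com and accept a {"text": ...} body, that Teams incoming webhooks of the Office 365 connector kind live under *.webhook.office.com and accept MessageCard JSON (Power Automate workflow webhooks expect Adaptive Cards and are not covered), and that an exported WEBHOOK_TYPE variable, if set, stands in for the profile's WebhookType selector and overrides URL-based detection.

```shell
#!/bin/bash
# Added example, not the project's own webhook code. Assumptions: Slack incoming
# webhooks live under hooks.slack.com and accept {"text": ...}; Teams incoming
# webhooks (Office 365 connector style) live under *.webhook.office.com and accept
# MessageCard JSON. WEBHOOK_TYPE, if set, overrides URL-based detection.

# Guess the platform from the URL when no explicit WebhookType is configured.
detect_webhook_platform() {
    case "$1" in
        https://hooks.slack.com/*)      echo slack ;;
        https://*.webhook.office.com/*) echo teams ;;
        *)                              echo unknown ;;
    esac
}

# Escape backslashes, double quotes and newlines so $1 can sit inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
        | awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print }'
}

# Build the POST body for platform $1 with title $2 and body text $3.
# Returns 1 for an unsupported platform so the caller can refuse to send.
build_webhook_payload() {
    platform="$1"; title="$(json_escape "$2")"; body="$(json_escape "$3")"
    case "$platform" in
        slack)
            printf '{"text":"*%s*\\n%s"}' "$title" "$body" ;;
        teams)
            printf '{"@type":"MessageCard","@context":"https://schema.org/extensions","themeColor":"D93025","summary":"%s","sections":[{"activityTitle":"%s","text":"%s"}]}' \
                "$title" "$title" "$body" ;;
        *)
            return 1 ;;
    esac
}

# Post an alert: send_webhook <url> <title> <body>
send_webhook() {
    url="$1"; shift
    platform="${WEBHOOK_TYPE:-$(detect_webhook_platform "$url")}"
    payload="$(build_webhook_payload "$platform" "$@")" \
        || { echo "unsupported webhook platform for $url" >&2; return 1; }
    curl -fsS -X POST -H 'Content-Type: application/json' --data "$payload" "$url"
}
```

Refusing to send when the platform is unknown is deliberate: posting a Slack-shaped body to an arbitrary URL silently drops the alert, which is the worst outcome for a security notification. Escaping the title and body matters because violation context (usernames, elevation reasons) is attacker-influenced text and must not be able to break the JSON.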

Elevation Tracking Features

  • Legitimate Elevation Log - Separate audit log for all Jamf Connect elevations
  • Elevation Statistics - Track total, daily, per-user, and per-reason counts
  • Duration Tracking - Calculate and log how long users remain elevated
  • Reason Capture - Record why users elevated for compliance reporting
  • Current Elevation Status - Real-time tracking of who's currently elevated and why

Enhanced Monitoring Control

  • MonitorJamfConnectOnly - New setting to only check after Jamf Connect events
  • Event-Driven Mode - Reduces resource usage by checking only when needed
  • Always Monitor Option - Can still check continuously if preferred

SMTP Improvements

  • Fixed Authentication - Credential extraction now works reliably with awk
  • Fixed From Address - Correctly reads SMTPFromAddress from Configuration Profile
  • Provider Auto-Config - Automatically configures based on selected provider
  • Required Fields - SMTP From Address now required for proper delivery

New Commands

  • sudo jamf_connect_monitor.sh elevation-report - View comprehensive elevation statistics and history

Enhanced Notifications

  • Platform-specific webhook formatting (Slack vs Teams)
  • Legitimate elevation context in all alerts
  • Shows who has authorized elevation vs unauthorized admin
  • Provides elevation reasons in security alerts

Includes All Previous Features

  • ✅ SMTP Provider Selection - Gmail, Office 365, SendGrid, AWS SES, and more
  • ✅ Extended Attribute (xattr) Clearing - Removes the attributes that ls -l shows as a trailing @ (an ACL would show as +, not @)
  • ✅ Configuration Profile Integration - Centralized management
  • ✅ Extension Attribute Auto-Detection - Version displays automatically
  • ✅ Smart Group Compatibility - Enhanced data format
  • ✅ Future-Proof Architecture - Works with all v2.x+ releases

🌟 Features

  • Legitimate Elevation Tracking - Full audit trail of authorized privilege elevations
  • Real-time & Periodic Monitoring - Choose immediate or 5-minute interval detection
  • Configuration Profile Management - No more hardcoded credentials in scripts
  • Automated Remediation - Instantly removes unauthorized admin privileges
  • Enterprise Notifications - Slack/Teams webhooks and email with professional templates
  • Comprehensive Logging - Detailed audit trails of all elevation and violation events
  • Jamf Pro Integration - Extension Attributes, Smart Groups, and automated policies
  • Zero User Interaction - Silent deployment and operation across your fleet
  • Production Verification - Built-in tools to validate deployment success

Log Files and Monitoring Data

Primary Log Files

  • /var/log/jamf_connect_monitor/monitor.log - Main monitoring activity and system events
  • /var/log/jamf_connect_monitor/admin_violations.log - Unauthorized admin detections with full context
  • /var/log/jamf_connect_monitor/legitimate_elevations.log - Jamf Connect elevation audit trail
  • /var/log/jamf_connect_monitor/elevation_history.log - Complete elevation/demotion history
  • /var/log/jamf_connect_monitor/jamf_connect_events.log - Jamf Connect integration events
  • /var/log/jamf_connect_monitor/daemon.log - LaunchDaemon execution and scheduling logs

Statistics and Analytics

  • /var/log/jamf_connect_monitor/elevation_statistics.json - Elevation analytics data
  • /var/log/jamf_connect_monitor/.stats_* - Per-user and per-reason counter files
  • /var/log/jamf_connect_monitor/.current_elevation_* - Active elevation tracking files

External Dependencies

  • /Library/Logs/JamfConnect/UserElevationReasons.log - Jamf Connect elevation reasons (read by monitor)
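The elevation statistics listed under Elevation Tracking Features (total, per-user and per-reason counts, duration, who is currently elevated) all derive from the elevation audit log. The script below is an added example, not the project's elevation-report command. The on-disk format of legitimate_elevations.log is not documented on this page, so the example assumes one pipe-delimited event per line (epoch seconds, ELEVATED or DEMOTED, username, reason); SAMPLE_LOG is constructed for the example, and overlong_elevations is a hypothetical helper showing how the "currently elevated" state feeds an alert.

```shell
#!/bin/bash
# Added example, not the project's elevation-report command. The on-disk format of
# legitimate_elevations.log is not documented on this page, so this assumes one
# pipe-delimited event per line:
#   <epoch seconds>|ELEVATED or DEMOTED|<username>|<reason, empty for DEMOTED>
# The sample below is constructed for the example.
SAMPLE_LOG='1714554900|ELEVATED|user1|Install printer driver
1714555200|DEMOTED|user1|
1714558500|ELEVATED|user2|Run installer
1714558800|ELEVATED|user1|Install printer driver
1714559700|DEMOTED|user1|'

# Summarise a log ($1): total elevations, per-user and per-reason counts,
# mean elevated duration, and accounts still elevated (no matching DEMOTED).
elevation_report() {
    printf '%s\n' "$1" | awk -F'|' '
        $2 == "ELEVATED" {
            total++; by_user[$3]++; by_reason[$4]++; start[$3] = $1
        }
        $2 == "DEMOTED" && ($3 in start) {
            dur_sum += $1 - start[$3]; dur_n++; delete start[$3]
        }
        END {
            printf "total=%d\n", total
            for (u in by_user)   printf "user %s=%d\n", u, by_user[u]
            for (r in by_reason) printf "reason %s=%d\n", r, by_reason[r]
            printf "mean_duration_seconds=%d\n", (dur_n ? dur_sum / dur_n : 0)
            for (u in start)     printf "still_elevated %s since=%d\n", u, start[u]
        }'
}

# Hypothetical alert helper: print accounts elevated for more than $2 seconds
# as of epoch $1, reading the log text in $3. A user who never demotes is the
# case a grace period alone will not catch.
overlong_elevations() {
    elevation_report "$3" | awk -v now="$1" -v max="$2" '
        /^still_elevated / { split($3, kv, "="); if (now - kv[2] > max) print $2 }'
}

# Usage against the real log on a monitored Mac (path from this README):
#   elevation_report "$(cat /var/log/jamf_connect_monitor/legitimate_elevations.log)"
#   overlong_elevations "$(date +%s)" 3600 "$(cat /var/log/jamf_connect_monitor/legitimate_elevations.log)"
```

Epoch timestamps are used in the assumed format on purpose: macOS awk has no mktime, so arithmetic on ISO-8601 strings would need GNU date or gawk, while epoch seconds subtract portably.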

📋 Requirements

  • macOS 10.14 or later
  • Jamf Connect 2.33.0 or later with privilege elevation enabled
  • Jamf Pro 10.19 or later (for Configuration Profile JSON Schema support)
  • Root/administrator access for installation

🔧 Quick Installation

Option 1: Package for Jamf Pro (Recommended)

  1. Download the latest .pkg from Releases
  2. Upload to Jamf Pro and deploy via policy
  3. Deploy Configuration Profile using included JSON Schema
  4. CRITICAL: Update Extension Attribute script in Jamf Pro for v2.4.0 features
  5. IMPORTANT: Configure SMTP settings in Configuration Profile with provider selection
  6. Verify deployment with included verification script
  7. See Jamf Pro Deployment Guide for details

Option 2: Manual Build and Deploy

# Clone the repository
git clone https://github.com/MacJediWizard/jamf-connect-monitor.git
cd jamf-connect-monitor

# Build deployment package
sudo ./scripts/package_creation_script.sh build

# Install the generated package
sudo installer -pkg output/JamfConnectMonitor-2.4.0.pkg -target /

# Verify installation
sudo ./tools/verify_monitoring.sh

Post-Installation Verification

# Verify all components are working correctly
sudo ./tools/verify_monitoring.sh

# Expected output includes:
# ✅ Main script installed: Version 2.4.0
# ✅ Permissions correct: -rwxr-xr-x (no @ symbols)
# ✅ Extension Attribute runs successfully
# ✅ Version detected: Version: 2.4.0, Periodic: Running
# ✅ Company name: [Your Company Name] (from Configuration Profile)

📱 Configuration Profile Deployment

Jamf Pro Application & Custom Settings

  1. Navigate: Computer Management → Configuration Profiles → New
  2. Add Payload: Application & Custom Settings
  3. Source: Custom Schema
  4. Preference Domain: com.macjediwizard.jamfconnectmonitor
  5. Upload Schema: Use jamf_connect_monitor_schema.json from package
  6. Configure Settings: Webhook URLs, email recipients, monitoring modes

Example Configuration

{
  "NotificationSettings": {
    "WebhookURL": "https://hooks.slack.com/services/YOUR/WEBHOOK",
    "EmailRecipient": "[email protected]",
    "NotificationTemplate": "security_report"
  },
  "MonitoringBehavior": {
    "MonitoringMode": "realtime",
    "AutoRemediation": true,
    "GracePeriodMinutes": 5
  },
  "JamfProIntegration": {
    "CompanyName": "Your Company",
    "ITContactEmail": "[email protected]"
  }
}

Configuration Profile Verification

# Test Configuration Profile integration
sudo jamf_connect_monitor.sh test-config

# Expected output shows the values from your profile (not the script's built-in fallbacks):
# Company Name: Your Company
# Webhook: Configured
# Email: [email protected]
# Monitoring Mode: realtime

πŸ› οΈ Usage

Command Line Interface

# Check current status with Configuration Profile info
sudo jamf_connect_monitor.sh status

# Test Configuration Profile settings (v2.x feature)
sudo jamf_connect_monitor.sh test-config

# Manage approved admins
sudo jamf_connect_monitor.sh add-admin username
sudo jamf_connect_monitor.sh remove-admin username

# Force immediate violation check
sudo jamf_connect_monitor.sh force-check

# Verify all components (v2.x tool)
sudo ./tools/verify_monitoring.sh

Monitoring Modes

  • Periodic - Traditional 5-minute interval checking
  • Real-time - Immediate violation detection using log streaming
  • Hybrid - Both periodic and real-time monitoring for maximum coverage

📊 Jamf Pro Integration

Extension Attribute (Enhanced in v2.x)

Creates comprehensive reporting in Jamf Pro computer records:

  • Auto-Version Detection - Shows "Version: 2.4.0" automatically
  • Configuration Profile Status - "Profile: Deployed" with actual company names
  • Monitoring Mode Display - "Mode: periodic" (fixed in v2.x)
  • Violation History - Current unauthorized admins with detailed tracking
  • Jamf Connect Integration - Status monitoring and health metrics
  • System Health - ACL clearing verification and permission validation

Smart Groups (Future-Proof Design)

Automatic device grouping with flexible criteria:

  • Critical Violations - Extension Attribute like "*Unauthorized:*" AND not like "*Unauthorized: 0*"
  • v2.x Installations - Extension Attribute like "*Version: 2.*" (catches all v2.x versions)
  • Configuration Status - Extension Attribute like "*Profile: Deployed*"
  • Real-time Monitoring - Extension Attribute like "*Mode: realtime*"
  • Health Status - Extension Attribute like "*Daemon: Healthy*"

Automated Workflows

  • Violation Detection → Smart Group Membership → Policy Triggers → Automated Response
  • Configuration Updates → Immediate Application → Inventory Updates → Reporting
  • Version Updates → Automatic Smart Group Population → Zero Maintenance Required

📈 Monitoring

Log Locations

  • Main Activity: /var/log/jamf_connect_monitor/monitor.log
  • Violations: /var/log/jamf_connect_monitor/admin_violations.log
  • Real-time Events: /var/log/jamf_connect_monitor/realtime_monitor.log
  • Jamf Connect Events: /var/log/jamf_connect_monitor/jamf_connect_events.log

Real-time Monitoring

# Watch main activity
tail -f /var/log/jamf_connect_monitor/monitor.log

# Monitor real-time violations
tail -f /var/log/jamf_connect_monitor/realtime_monitor.log

# Check Extension Attribute output
sudo /usr/local/etc/jamf_ea_admin_violations.sh

βš™οΈ Configuration

Configuration Profile Management (v2.0.0+)

All settings managed centrally via Jamf Pro Configuration Profiles:

  • Notification Settings - Webhook URLs, email recipients, templates
  • Monitoring Behavior - Real-time vs periodic, auto-remediation, grace periods
  • Security Settings - Violation reporting, log retention, excluded accounts
  • Jamf Pro Integration - Company branding, inventory updates, policy triggers

Legacy Configuration (v1.x compatibility)

# Manual approved admin management (still supported)
sudo nano /usr/local/etc/approved_admins.txt

πŸ” Security Features

  • βœ… Configuration Profile Encryption - Secure credential management via Jamf Pro
  • βœ… Real-time Detection - Immediate response to unauthorized elevations
  • βœ… Audit Trail - Complete logging of all elevation events and violations
  • βœ… Tamper Resistant - Root privilege requirement with protected configurations
  • βœ… SIEM Ready - Structured logging for security information systems
  • βœ… Automated Response - Zero-touch violation remediation
  • βœ… ACL Security - Extended Attribute clearing prevents permission bypass

📈 What Happens During Violations

  1. Detection - Real-time or periodic detection of unauthorized admin account
  2. Grace Period - Configurable wait time for legitimate temporary elevation
  3. Remediation - Automatic removal of admin privileges (if enabled)
  4. Notification - Immediate alerts via configured Slack/Teams/email channels
  5. Logging - Detailed violation report with system context and user information
  6. Jamf Pro Update - Extension Attribute updates for Smart Group automation
  7. Policy Triggers - Optional additional policy execution for incident response
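The detection and remediation steps above are, at their core, a set difference between the admin group's current membership and the approved list, followed by a group edit. The script below is an added example written for this page, not the project's jamf_connect_monitor.sh. It assumes the approved list is one username per line (this example's reading of /usr/local/etc/approved_admins.txt), exempts root by default, and demotes offenders with dseditgroup; the dscl output is constructed, and DRY_RUN=1 lets you see what would happen before letting it change group membership.

```shell
#!/bin/bash
# Added example, not the project's own jamf_connect_monitor.sh.
# Assumptions: the approved list is one username per line (this example's
# reading of /usr/local/etc/approved_admins.txt), and "root" is the only
# account exempted by default.

# Turn `dscl . -read /Groups/admin GroupMembership` output
# ("GroupMembership: root admin user1") into one name per line.
parse_admin_members() {
    printf '%s\n' "$1" | awk '/^GroupMembership:/ { for (i = 2; i <= NF; i++) print $i }'
}

# Print members of $1 (one per line) that are in neither the approved list $2
# (one per line) nor the exempt list $3 (space-separated, default "root").
unauthorized_admins() {
    current="$1"; approved="$2"; exempt="${3:-root}"
    printf '%s\n' "$current" | sort -u | while IFS= read -r user; do
        [ -n "$user" ] || continue
        printf '%s\n' "$approved" "$exempt" | tr ' ' '\n' | grep -qxF -- "$user" && continue
        printf '%s\n' "$user"
    done
}

# Remove $1 from the admin group; DRY_RUN=1 only prints the command.
demote_user() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'DRY RUN: dseditgroup -o edit -d %s -t user admin\n' "$1"
    else
        dseditgroup -o edit -d "$1" -t user admin
    fi
}

# Live check (macOS only): read Directory Services and the approved list, log
# each violation with a timestamp, then demote.
check_and_remediate() {
    approved_file="${1:-/usr/local/etc/approved_admins.txt}"
    members="$(parse_admin_members "$(dscl . -read /Groups/admin GroupMembership)")"
    unauthorized_admins "$members" "$(cat "$approved_file")" | while IFS= read -r user; do
        printf '%s VIOLATION unauthorized admin: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$user"
        demote_user "$user"
    done
}

# Run the live check only when invoked as `sudo ./script.sh run` on macOS.
if [ "${1:-}" = run ] && [ "$(uname)" = Darwin ]; then
    check_and_remediate "$2"
fi
```

Two details are worth keeping when adapting this: the exact-match grep (-x -F) so that an account named "admin2" does not pass because "admin" is approved, and the exemption list, which is where the README's Jamf Connect elevation context would be consulted before a legitimately elevated user is demoted during their grace period.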

🔧 Production Verification Tools

Comprehensive Deployment Validation

# Run complete verification after installation
sudo ./tools/verify_monitoring.sh

# What it tests:
✅ Main script installation and version detection
✅ Extension Attribute script execution and permissions
✅ Extended attribute clearing verification (no @ symbols in permissions)
✅ Configuration Profile integration and company name display
✅ Version auto-detection functionality
✅ Monitoring mode detection accuracy

Verification Output Example

πŸ” JAMF CONNECT MONITOR VERIFICATION v2.4.0
βœ… Main script installed: Version 2.4.0
βœ… Permissions correct: -rwxr-xr-x
βœ… Extension Attribute script installed: Version 2.4.0
βœ… EA permissions correct: -rwxr-xr-x (no @ symbols)
βœ… Extension Attribute runs successfully
βœ… Version detected: Version: 2.4.0, Periodic: Running
βœ… Monitoring mode detected: Mode: periodic
βœ… Company name: [Your Company Name] (from Configuration Profile)
πŸŽ‰ MONITORING APPEARS TO BE WORKING CORRECTLY

πŸ—‘οΈ Complete Uninstallation

Quick Uninstall

# Download and run enhanced uninstall script
curl -o uninstall_script.sh https://github.com/MacJediWizard/jamf-connect-monitor/releases/latest/download/uninstall_script.sh
sudo chmod +x uninstall_script.sh

# Interactive uninstall with configuration backup
sudo ./uninstall_script.sh

# Silent uninstall for mass deployment
sudo ./uninstall_script.sh --force

# Verify complete removal
sudo ./uninstall_script.sh verify

Enhanced Uninstall Features

  • ✅ Complete Component Removal - All scripts, daemons, logs, and configurations
  • ✅ Configuration Backup - Approved admin lists preserved with .uninstall_backup suffix
  • ✅ Log Archiving - All monitoring logs archived before removal
  • ✅ Extended Attribute Cleanup - Extended attributes and permissions fully restored
  • ✅ Package Receipt Cleanup - All installer receipts removed from the system database
  • ✅ Jamf Pro Integration - Inventory update triggered after removal
  • ✅ Verification Mode - Confirm complete removal with detailed validation

Complete removal guide: Uninstall Guide

📖 Documentation

🚀 Migration to v2.4.0

⚠️ Breaking Change - SMTP Required

# 1. CONFIGURE SMTP in Configuration Profile (REQUIRED for email)
# 2. Upload v2.4.0 package to Jamf Pro
# 3. Update Extension Attribute script for version display
# 4. Deploy to existing systems
# 5. Run verification: sudo ./tools/verify_monitoring.sh

From Previous Versions

The v2.4.0 package automatically handles upgrades with:

  • Clean Installation: Removes old files before installing new ones
  • ACL Clearing: Cleans extended attributes to prevent permission issues
  • Configuration Preservation: Keeps approved admin lists and logs
  • Automatic Migration: Preserves all existing settings and data

New Configuration Profile Features

After upgrade, deploy Configuration Profile to enable:

  • Centralized webhook/email management
  • Real-time monitoring capabilities
  • Enhanced notification templates
  • Advanced security settings

See Migration Guide for detailed upgrade instructions.

🎯 Enterprise Deployment Checklist

Critical Steps for v2.4.0 Production Deployment

  • Configure SMTP - REQUIRED: Set up SMTP in Configuration Profile for email
  • Upload Package - Deploy JamfConnectMonitor-2.4.0.pkg to Jamf Pro
  • Update Extension Attribute - Apply v2.4.0 script for proper version display
  • Deploy Configuration Profile - Use included JSON Schema for centralized management
  • Create Smart Groups - Use future-proof criteria: Extension Attribute like "*Version: 2.*"
  • Test on Pilot Group - Deploy to 2-3 test systems first
  • Run Verification - Use sudo ./tools/verify_monitoring.sh on pilot systems
  • Force Inventory Update - Run sudo jamf recon on pilot systems
  • Verify Extension Attribute - Check Jamf Pro computer records show correct v2.4.0 data
  • Full Fleet Deployment - Deploy to production after pilot validation

Expected Results After Deployment

# Extension Attribute Data in Jamf Pro:
Version: 2.4.0, Periodic: Running, Real-time: Not Running
Configuration: Profile: Deployed, Webhook: [Configured/Not Configured], Email: [your-email], Mode: periodic, Company: [Your Company Name]
Violations: Total: 0, Recent: 0, Last: None, Unauthorized: 0
Admin Status: Current: [admin,user1], Approved: [admin,user1]
Jamf Connect: Installed: Yes, Elevation: Yes, Monitoring: Yes
Health: Last Check: [timestamp], Daemon: Healthy, Logs: [size], Config Test: OK

🤝 Contributing

We welcome contributions! Please see our Contributing Guidelines for details.

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/amazing-feature)
  3. Commit your changes (git commit -m 'Add amazing feature')
  4. Push to the branch (git push origin feature/amazing-feature)
  5. Open a Pull Request

πŸ“ Changelog

See CHANGELOG.md for a detailed history of changes and upgrade notes.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🆘 Support

  • Issues: GitHub Issues
  • Documentation: Complete Guides
  • Production Support: Use included tools/verify_monitoring.sh for immediate diagnostics

⭐ Acknowledgments

  • Jamf Community for Extension Attribute examples and Configuration Profile best practices
  • Apple System Administrators community for security monitoring guidance
  • Open source contributors and beta testers from the macOS enterprise community
  • Enterprise environments for production testing and validation

🏷️ Project Status


🎉 Production Ready Status

✅ v2.4.0 WEBHOOK PLATFORMS & ELEVATION TRACKING - PRODUCTION READY

  • Enterprise Tested: Validated in an enterprise production environment
  • All Critical Fixes Applied: ACL clearing, Configuration Profile integration, auto-version detection
  • Verification Tools Included: Complete diagnostic and validation scripts
  • Future-Proof Design: Works automatically with all future v2.x+ versions
  • Zero Maintenance: Smart Groups and Extension Attributes update automatically

Made with ❀️ for the macOS Administrator community

Enterprise-grade security monitoring with Configuration Profile management, real-time detection capabilities, and production-verified reliability.


Created with ❀️ by MacJediWizard
