Act on Jamf Protect Alerts

Leveraging AI to understand and act on Jamf Protect alerts

In the complex world of endpoint security, teams are often inundated with alerts, making it challenging to separate noise from genuine threats. At JNUC 2025, Michael Levinick, Quality and Safety Engineer for AI initiatives at Jamf, demonstrated how the Jamf AI Assistant acts as a personal security expert, helping teams cut through alert fatigue to triage, respond to and understand Jamf Protect alerts.

• Triage alerts faster: Get AI-powered explanations of complex security events to help prioritize your focus.

• Automate with confidence: Build and execute repeatable, human-approved remediation workflows in Jamf Pro.

• Communicate risk clearly: Use clear, AI-generated summaries to communicate incidents and risk to stakeholders.

How does the AI Assistant analyze a security alert?

Endpoint security specialists can see the true value of the Jamf AI Assistant in its ability to enrich raw alert data. The assistant works with two core solutions: Jamf Protect, the endpoint security tool for macOS backed by Jamf Threat Labs, and Jamf Pro, the platform for Mobile Device Management (MDM). When you ask the assistant about a threat, it fetches the alert JSON from Jamf Protect and offers to pivot to the surrounding telemetry data. Using a sophisticated prompt co-engineered with Jamf Threat Labs, it analyzes this mountain of information — every process execution, network connection and file modification — to build a complete incident timeline and explain it in plain language.

How does the AI Assistant distinguish between testing and a real threat?

The AI Assistant is trained to identify patterns indicative of security testing, which helps prevent false positives and focus teams on legitimate threats. During his JNUC session, Levinick showed how the assistant analyzed two alerts that occurred around the same time. By examining the context, the AI determined they were related and generated by a script named generate-test-alerts.sh. It also recognized the use of the EICAR string, a standard file used for testing anti-malware engines. This proves the assistant looks beyond the alert name to understand the user’s intent, saving analysts from chasing down benign events.

ADVERTISEMENT

How can you build an automated response workflow?

The AI Assistant streamlines the response process from detection to resolution. For a confirmed threat, it can generate a remediation script based on pre-approved parameters provided by Jamf. This script can take specific actions like killing a malicious process, quarantining a file, or removing persistence mechanisms like a suspicious launch agent. Crucially, this process always involves a “human in the loop.” The assistant will propose the remediation, but it will not execute it until an administrator gives explicit approval. Once confirmed, it creates a policy in Jamf Pro scoped to the affected machine and provides a direct link to the policy log to monitor its execution.

Four expert tips for successful AI interaction

To get the most value out of the Jamf AI Assistant, Levinick shared four principles for clear and effective prompting. Following these tips helps avoid common pitfalls and ensures you get the most accurate and helpful responses.

1. Provide context, not conclusions: Avoid leading the AI. Instead of saying, “This looks like a false positive, right?” ask a neutral question like, “What patterns do you see in this alert data?” This allows the AI to analyze the data objectively.

2. Don’t assume possibility: Instead of asking, “How do I use Jamf Protect to block keyboards?” which may not be a feature, ask a broader question like, “What options are available for data loss prevention with Jamf?” This lets the AI search for all available solutions.

3. Feel free to get verbose: More information is almost always better. Providing a detailed scenario about your organization, goals and environment will help the LLM make a better and more relevant decision than just typing a two-word query like “config profiles.”

4. Trust but verify: The AI does an excellent job of aggregating information, but you should always double-check its sources. The assistant provides links to the Jamf documentation it used to form its answer, allowing you to do your own reading and confirm its conclusions.

Key takeaways

• The Jamf AI Assistant acts as a personal security expert, translating complex alert and telemetry data into clear, actionable insights.

• You can accelerate incident response by using AI-generated remediation scripts that are deployed as Jamf Pro policies with human approval.

• The assistant’s analysis, co-engineered with Jamf Threat Labs, helps distinguish real threats from testing, reducing alert fatigue.

• Effective prompting is key to getting the best results; provide neutral context, ask about possibilities, be detailed and always verify the sources.