What Changed

Jamf Protect solution updated to version 3.3.0 with comprehensive parser enhancements across all five parser functions:

  • Added support for four new event types: TCC_Modify, Network_Connect, Pty_grant, Pty_close
  • Enhanced process audit tokens with additional fields for richer telemetry
  • Updated event type mappings and categorization logic

Parser Impact

Enhanced data fidelity for macOS endpoint monitoring:

  • TCC_Modify Events: Now captures Transparency, Consent, and Control (TCC) permission changes, critical for detecting privacy permission abuse
  • Network_Connect Events: Provides network session establishment visibility for endpoint network monitoring
  • Pseudoterminal Events: Tracks terminal access grants and closures, important for detecting suspicious interactive access
  • Enhanced Process Tokens: Additional audit fields improve process execution context and attribution

Queries referencing these new event types previously returned no results; this update unlocks visibility into macOS security events that were not monitored before.

Security Impact (Visibility & Fidelity)

Customer-requested enhancement addresses specific blind spots in macOS endpoint monitoring:

  • Privacy permission manipulation attempts now visible through TCC events
  • Network connection patterns trackable at endpoint level
  • Terminal access patterns captured for forensic analysis
  • Richer process execution context for attribution and correlation

Affected Files

  • Solutions/Jamf Protect/Parsers/JamfProtectTelemetry.yaml (major event type additions and field mappings)
  • Solutions/Jamf Protect/Parsers/JamfProtectAlerts.yaml, JamfProtectNetworkTraffic.yaml, JamfProtectThreatEvents.yaml, JamfProtectUnifiedLogs.yaml (version updates)
  • (packaging artefacts updated: mainTemplate.json, 3.3.0.zip, Solution json, ReleaseNotes.md, SolutionMetadata.json)