Integrating SailPoint with Jamf Using SSF

Revised Date: 30 October 2025

The Shared Signals Framework (SSF) is a security architecture that allows different security solutions to share and consume security events and alerts. This integration allows real-time sharing of security events related to Apple devices. For more information about SSF, refer to Shared Signals Framework.

In this architecture:

  • Jamf acts as the Transmitter, monitoring the security state of managed Apple endpoints.

  • The Identity Security Cloud (ISC) serves as the Receiver, enforcing access policies based on device trust signals.

By leveraging the SSF Receiver, organizations can significantly reduce the time it takes to detect, respond to, and remediate identity-related threats. Jamf sends security events to ISC, which correlates them with identity data, providing comprehensive visibility and triggering workflows based on the received signals.

Key benefits of integrating Jamf with SailPoint include:

  • Device State Monitoring (Jamf – Transmitter)

    Jamf continuously monitors all managed devices for compliance with your organization’s security baseline. This includes checks for:

    • Operating system updates and patch level

    • FileVault disk encryption

    • Firewall and Gatekeeper configurations

    • Presence and status of required security tools

  • Compliance Deviation Detection

    If a device falls out of compliance, for example when a required setting is disabled or unauthorized software is detected, Jamf immediately flags the change.

  • Real-Time Signal Transmission

    Upon detecting a compliance change, Jamf generates a Security Event Token (SET). This token contains:

    • Subject Identifier

    • Device Identifier

    • Previous and current compliance status

    • Timestamp and contextual metadata

    Jamf transmits this SET in real time to the ISC’s SSF endpoint.

  • Receiver-Side Workflow: Policy Enforcement

    The ISC (Receiver) evaluates the incoming device-compliance-change signal and initiates the appropriate policy response based on predefined Workflows.
    For example, if the device status changes to non-compliant, a Workflow would initiate the following:

    • Notify the device owner’s manager

    • Admin alerts via a ticketing system

    • Disable access to accounts or sensitive entitlements
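The following added example, which is not SailPoint's or Jamf's code, shows the checks a receiver would apply to a device-compliance-change SET and how the result maps to the Workflow steps listed above. It assumes the SET's signature has already been verified against the transmitter's keys and that the claims follow the OpenID CAEP event shape; the issuer, audience, freshness window, action names and sample values are all constructed placeholders.

```python
import time

# CAEP event-type URI for device compliance changes (OpenID CAEP spec).
EVENT = "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change"
EXPECTED_ISS = "https://transmitter.example.com/"  # placeholder transmitter
EXPECTED_AUD = "https://receiver.example.com/ssf"  # placeholder receiver
STATUSES = ("compliant", "not-compliant")
MAX_AGE_S = 300        # assumed freshness window, in seconds
SEEN_JTI = set()       # replay cache; in-memory only for this example

def evaluate_set(claims, now=None):
    """Check signature-verified SET claims and return the workflow actions."""
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if EXPECTED_AUD not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("unexpected audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > MAX_AGE_S:
        raise ValueError("stale or missing iat")
    jti = claims.get("jti")
    if not jti or jti in SEEN_JTI:
        raise ValueError("missing or replayed jti")
    event = claims.get("events", {}).get(EVENT)
    if not isinstance(event, dict):
        raise ValueError("no device-compliance-change event")
    prev, cur = event.get("previous_status"), event.get("current_status")
    if prev not in STATUSES or cur not in STATUSES:
        raise ValueError("unknown compliance status")
    SEEN_JTI.add(jti)  # record only after every check has passed
    sub = claims.get("sub_id", {})
    # Hypothetical action names standing in for the Workflow steps above.
    went_bad = prev == "compliant" and cur == "not-compliant"
    actions = ["notify_manager", "open_ticket", "disable_access"] if went_bad else []
    return {"user": sub.get("user", {}).get("email"),
            "device": sub.get("device", {}).get("id"), "actions": actions}

# Constructed sample claims (not captured from Jamf).
SAMPLE = {
    "iss": EXPECTED_ISS, "aud": EXPECTED_AUD,
    "jti": "constructed-jti-0001", "iat": 1761800000,
    "sub_id": {"format": "complex",
               "user": {"format": "email", "email": "user@example.com"},
               "device": {"format": "opaque", "id": "CONSTRUCTED-DEVICE-0001"}},
    "events": {EVENT: {"previous_status": "compliant",
                       "current_status": "not-compliant",
                       "event_timestamp": 1761799990}},
}
```

Rejecting a repeated `jti` and an out-of-window `iat` keeps a replayed or delayed token from re-triggering the disable step.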

This real-time, event-driven architecture supports Zero Trust principles by enabling dynamic access decisions based on the current compliance state of a user’s device. It eliminates reliance on periodic polling or manual intervention—delivering a scalable, automated, and secure model for device-aware access control.

This guide provides specific information about configuring Jamf and Identity Security Cloud using the Shared Signals Framework.