Custom script alerting for device fleets: what IAM teams need

TL;DR: Administrators can turn device commands into alerts for specific conditions such as service crashes, log entries, process presence, registry changes, and file system events, according to JumpCloud. The governance question is not whether monitoring can be customised, but whether alert logic is tied to clear control outcomes instead of noisy exceptions.

NHIMG editorial — based on content published by JumpCloud: custom script-based alerting for managed devices

Questions worth separating out

Q: How should teams design custom alerts for managed endpoints?

A: Start with a single condition that matters to the business or security programme, then build the script so it returns a clear pass or fail result.

Q: When do custom script alerts add more value than standard monitoring templates?

A: They add the most value when the organisation needs to verify a local assumption that default templates cannot see, such as a specific process, registry setting, log event, or file state.

Q: What do security teams get wrong about script-based alerting?

A: They often treat it like a generic monitoring feature instead of a control verification mechanism.

Practitioner guidance

• Define each alert around one control outcome Tie every custom command to a single security or operational state, such as a required service running, a log entry appearing, or a security setting remaining enabled.
• Run scripts in the intended execution context Validate commands as the same account and OS context they will use in production, such as LocalSystem on Windows or root on Linux, so permissions and environment assumptions do not distort results.
• Map alerts to named governance controls Document which policy, hardening requirement, or compliance check each alert supports, then review whether the command still reflects that control after every platform or application change.

What's in the full article

JumpCloud's full how-to covers the operational detail this post intentionally leaves for the source:

• Step-by-step command creation and rule setup in the Admin Portal for device groups and operating systems.
• Examples of PowerShell and Bash checks for Windows Event Log service crashes and macOS Gatekeeper status.
• Guidance on choosing run-as context, exit-code logic, and alert priority for production deployment.
• Practical examples of when a custom command should trigger on a non-zero exit code rather than a template threshold.

👉 Read JumpCloud's guide to custom script alerting for managed devices →

Custom script alerting for device fleets: what IAM teams need?

Explore further

View Full Forum →  |  NHI Foundation Course →