Jamf Pro
Jamf Pro is an enterprise mobility management (EMM) tool that provides unified endpoint management for Apple devices.
Use cases the adapter solves
Jamf Pro is a powerful endpoint management solution that provides a robust inventory of our managed Apple devices in Axonius. More importantly, by combining Jamf Pro with network/infrastructure data coming from additional adapters, Axonius can identify unmanaged or even rogue devices on the network.
Data retrieved by Jamf Pro
Axonius collects common device information such as hostname, IPs, MAC address, and serial number. It also collects information unique to Jamf such as device policies, profiles, and groups. The adapter can be configured to collect additional information, such as user data and mobile devices.
Note:
Official Jamf recommendation is to limit the number of fetches for the Jamf Pro adapter to one fetch per day, in order to preserve the stability of the Jamf cloud.
Asset Types Fetched
- Devices, Users, Software, Accounts/Tenants, Application Settings
Resources Required by Asset Type
The following connection parameters, advanced settings, permissions, and configurations are required to fetch each asset type.
Search by Asset Type to find the resources required for your specific needs.
Note
When fetching Users, different permissions are required for the Jamf Classic API and the Jamf Pro API because each API fetches different data about users.
Asset Type | Permissions | Additional Configuration | ||
|---|---|---|---|---|
Devices |
| Fetch mobile devices (to fetch mobile devices in addition to standard devices) | API: Pro/Classic Read Computers When fetching mobile devices: API: Pro/Classic Read Mobile Devices | |
Users |
| Fetch Users | API: Pro
API: Classic Read Users When fetching department and building information: API: Pro
| |
Software |
| No specific setting is required | No specific permission is required | |
Accounts/Tenants |
| No specific setting is required | No specific permission is required | |
Application Settings |
| No specific setting is required |
|
Additional Requirements for Fetching Application Settings
When using Client Credentials to fetch Application Settings, the following configurations are required:
- Access to the following API endpoints:
- /api/v3/sso
- /api/v2/sso/cert
- /api/v1/device-communication-settings
- /api/v4/enrollment
- /api/v2/smtp-server
- /api/v1/log-flushing
- An API role with specific Read permissions for your Jamf Pro instance, depending on the API you're using.
- When using the Jamf Pro API, the following Read permissions are required:
- SSO Settings: Read
- Enrollment Settings: Read
- SMTP Server Settings: Read
- When using Jamf Classic API, the following Read permissions are required:
- Device Communication Settings: Read
- Log Flushing: Read
- When using the Jamf Pro API, the following Read permissions are required:
Permissions for Enforcement Actions
To successfully run Enforcement Actions with this adapter, the following permission is required (for both API types):
- Update - Smart Computer Groups
APIs
Axonius supports the Jamf Classic API and Jamf Pro API.
Note
This adapter supports token-based authentication for Jamf Pro API access.
Creating a User by Connecting to the Jamf Admin Panel
Before connecting the adapter, you need to create a new user on Jamf Pro and assign it the relevant permissions.
- Log in to the Jamf Pro admin panel and navigate to the Settings panel.
- Select Jamf Pro User Accounts & Groups.
- Click New to create a new user and then select Create Standard Account
>Next.
- Fill in the details for this account. Make sure to select Custom from the Privilege Set dropdown, and select Full Access from the Access Level dropdown.
- Navigate to the Privileges tab. Under Jamf Pro Server Objects, select the Read option for each object displayed.
- Click Save.
Connecting the Adapter in Axonius
To connect the adapter in Axonius, provide the following parameters:
Required Parameters
-
Jamf Domain - The hostname of the Jamf Pro server. This field format is 'https://[instance].jamfcloud.com'.
-
Either of the following credential pairs:
- User Name and Password - The credentials for a user account that has the required permissions to fetch assets via the API.
- Use Client Credentials - Enable this option to authenticate with a Client ID and Client Secret. For more information about obtaining a Client ID and Client Secret, see API Roles and Clients.
-
If you access Jamf Pro through an SSO solution that requires 2-factor authentication, the following parameters are required to fetch Application Settings (only):
-
2FA Secret Key - Generate a secret key within the SSO solution you're using and paste it here. For example, see Set Up Google Authenticator for the Okta adapter.
-
Bypass SSO (default: switched off) - Select it if the newly created user account is allowed to bypass SSO according to the Jamf instance settings. Note that Bypass SSO follows the Failover URL.
Optional Parameters
The following parameters are optional:
- Tenant Tag - Specify a tag name to tag all devices fetched from this adapter connection.
- HTTP Proxy and HTTPS Proxy - A proxy to use when connecting to the value supplied in Jamf Domain.
To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.
Advanced Settings
Note:
Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.
- Fetch Devices - This adapter fetches devices by default. Clear this option to not fetch devices.
- Fetch device from Advanced Computer Search with the following name (optional) - Enter the name of an Advanced Computer Search endpoint to fetch devices from. If you don’t provide an endpoint, all devices will be fetched from the standard API.
- Parse device hostnames from Extension Attributes - Select this option to override each device's host name with the value found in Extension Attributes, if provided.
- Fetch Users (default: true) - Select this option to fetch users - for both Classic and Pro API connections. If this setting is disabled, the adapter will not fetch users at all.
- Fetch department of users - Select whether to fetch the names of buildings and departments of users for this adapter connection.
- Fetch history of applied policies for devices - Select whether to fetch the history of policies that were applied to devices.
- Fetch mobile devices (required, default: true) - Select whether to fetch mobile devices in addition to standard devices for this adapter connection.
- Fetch Enrollment Devices - Select this option to fetch enrollment devices.
- Use pro API - Select this option to use JAMF Pro API. Clear this option to use the JAMF Classic API. Note that On-prem Jamf servers require the Pro API.
- Async chunks in parallel - The number of chunks to fetch in parallel when working with the Classic API. Note that for Jamf Pro cloud instances (not on-prem), the maximum number of async requests is 5. Even if a higher value is entered, the value of 5 is used. This is per Jamf official recommendation. Higher values are possible only for Jamf Pro on-prem.
- Items to not fetch - Select one or more fields to exclude from the Devices fetch. This option only applies to devices fetched from the Pro API.
- Enrich software with version info - Select this option to enrich software with the following fields: 'Current version release date', 'Next version release date', 'Newer version count'.
- List of Device IDs to filter - Enter a comma-separated list of device IDs for specific devices that you want to fetch.
- Fetch application usage - Enable this option to applications' usage history.
- Number of days to look back - Set the number of days to look back when fetching usage history.
Note:
To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.
Related Enforcement Actions
- Jamf Pro - Add or Remove Assets to/from Group
- Jamf Pro - Lock Device
- Jamf Pro - Delete Device
- Jamf Pro - Update Device
Updated 3 days ago