Jamf Pro

Jamf Pro is an enterprise mobility management (EMM) tool that provides unified endpoint management for Apple devices.

Use cases the adapter solves

Jamf Pro is a powerful endpoint management solution that provides a robust inventory of our managed Apple devices in Axonius. More importantly, by combining Jamf Pro with network/infrastructure data coming from additional adapters, Axonius can identify unmanaged or even rogue devices on the network.

Data retrieved by Jamf Pro

Axonius collects common device information such as hostname, IPs, MAC address, and serial number. It also collects information unique to Jamf such as device policies, profiles, and groups. The adapter can be configured to collect additional information, such as user data and mobile devices.

📘
Note:
Official Jamf recommendation is to limit the number of fetches for the Jamf Pro adapter to one fetch per day, in order to preserve the stability of the Jamf cloud.

Asset Types Fetched

Devices, Users, Software, Accounts/Tenants, Application Settings

Resources Required by Asset Type

The following connection parameters, advanced settings, permissions, and configurations are required to fetch each asset type.

Search by Asset Type to find the resources required for your specific needs.

📘
Note
When fetching Users, different permissions are required for the Jamf Classic API and the Jamf Pro API because each API fetches different data about users.

Asset Type	Connection Parameters	Advanced Settings	Permissions	Additional Configuration
Devices	Jamf Domain User Name and Password or User Client Credentials	Fetch mobile devices (to fetch mobile devices in addition to standard devices)	API: Pro/Classic Read Computers When fetching mobile devices: API: Pro/Classic Read Mobile Devices	Creating a User by Connecting to the Jamf Admin Panel Obtaining a Client ID and Client Secret
Users	Jamf Domain User Name and Password or User Client Credentials	Fetch Users	API: Pro Read Accounts Read Jamf Pro User Accounts & Groups Read Users API: Classic Read Users When fetching department and building information: API: Pro Read Buildings Read Departments	Creating a User by Connecting to the Jamf Admin Panel Obtaining a Client ID and Client Secret
Software	Jamf Domain User Name and Password or User Client Credentials	No specific setting is required	No specific permission is required	Creating a User by Connecting to the Jamf Admin Panel Obtaining a Client ID and Client Secret
Accounts/Tenants	Jamf Domain User Name and Password or User Client Credentials	No specific setting is required	No specific permission is required	Creating a User by Connecting to the Jamf Admin Panel Obtaining a Client ID and Client Secret
Application Settings	Jamf Domain User Name and Password 2FA Secret Key Bypass SSO	No specific setting is required	The Jamf Pro user must have Read permissions to all items under Jamf Pro Server Settings and access to the Admin Portal (granted by default) If you are using Bypass SSO, you must have Update permission over ‘SSO setting’ configured in Jamf.	Creating a User by Connecting to the Jamf Admin Panel

Additional Permissions

To successfully run Enforcement Actions with this adapter, the following permission is required (for both API types):

Update - Smart Computer Groups

APIs

Axonius supports the Jamf Classic API and Jamf Pro API.

📘
Note
This adapter supports token-based authentication for Jamf Pro API access.

Creating a User by Connecting to the Jamf Admin Panel

Before connecting the adapter, you need to create a new user on Jamf Pro and assign it the relevant permissions.

Log in to the Jamf Pro admin panel and navigate to the Settings panel.
Select Jamf Pro User Accounts & Groups.
Click New to create a new user and then select Create Standard Account > Next.
Fill in the details for this account. Make sure to select Custom from the Privilege Set dropdown, and select Full Access from the Access Level dropdown.
Navigate to the Privileges tab. Under Jamf Pro Server Objects, select the Read option for each object displayed.
Click Save.

Connecting the Adapter in Axonius

To connect the adapter in Axonius, provide the following parameters:

Required Parameters for Fetching Cybersecurity Assets

Jamf Domain - The hostname of the Jamf Pro server. This field format is 'https://[instance].jamfcloud.com'.
Either of the following credentials:
1. User Name and Password - The credentials for a user account that has the required permissions to fetch assets via the API.
2. Use Client Credentials - Enable this option to authenticate with a** Client ID** and Client Secret. For more information about obtaining a Client ID and Client Secret, see API Roles and Clients.

Required Parameters for Fetching Application Settings

User Name and Password - The credentials for a user account that has the required permissions to fetch assets via the API.
2FA Secret Key - If you access Jamf Pro through an SSO solution that requires 2-factor authentication, you need to generate a secret key in that solution and paste it here. For example, see Set Up Google Authenticator for the Okta adapter.
Bypass SSO (default: switched off) - Select it if the newly created user account is allowed to bypass SSO according to the Jamf instance settings. Note that Bypass SSO follows the Failover URL.

Optional Parameters

The following parameters are optional:

Tenant Tag - Specify a tag name to tag all devices fetched from this adapter connection.
HTTP Proxy and HTTPS Proxy - A proxy to use when connecting to the value supplied in Jamf Domain.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Advanced Settings

📘
Note:
Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.

Fetch Devices - This adapter fetches devices by default. Clear this option to not fetch devices.
Fetch device from Advanced Computer Search with the following name (optional) - Enter the name of an Advanced Computer Search endpoint to fetch devices from. If you don’t provide an endpoint, all devices will be fetched from the standard API.
Fetch Users (default: true) - Select this option to fetch users - for both Classic and Pro API connections. If this setting is disabled, the adapter will not fetch users at all.
Fetch department of users - Select whether to fetch the names of buildings and departments of users for this adapter connection.
Fetch history of applied policies for devices - Select whether to fetch the history of policies that were applied to devices.
Fetch mobile devices (required, default: true) - Select whether to fetch mobile devices in addition to standard devices for this adapter connection.
Fetch Enrollment Devices - Select this option to fetch enrollment devices.
Use pro API - Select this option to use JAMF Pro API. Clear this option to use the JAMF Classic API. Note that On-prem Jamf servers require the Pro API.
Async chunks in parallel - The number of chunks to fetch in parallel when working with the Classic API. Note that for Jamf Pro cloud instances (not on-prem), the maximum number of async requests is 5. Even if a higher value is entered, the value of 5 is used. This is per Jamf official recommendation. Higher values are possible only for Jamf Pro on-prem.
Items to not fetch - Select one or more fields to exclude from the Devices fetch. This option only applies to devices fetched from the Pro API.
Enrich software with version info - Select this option to enrich software with the following fields: 'Current version release date', 'Next version release date', 'Newer version count'.
List of Device IDs to filter - Enter a comma-separated list of device IDs for specific devices that you want to fetch.

📘
Note:
To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.

Related Enforcement Actions

Jamf Pro - Add or Remove Assets to/from Group

Jamf Pro - Lock Device