Jamf Pro

Prev Next

Jamf Pro is an enterprise mobility management (EMM) tool that provides unified endpoint management for Apple devices.

Note:

Official Jamf recommendation is to limit the number of fetches for the Jamf Pro adapter to one fetch per day, in order to preserve the stability of the Jamf cloud.


Related Enforcement Actions

Types of Assets Fetched

This adapter fetches the following types of assets:

  • Devices
  • Users
  • Software
  • Application Settings (To fetch this info you need to configure the User Name and Password fields. If 2FA is required for this application, the 2FA key must be provided.)
  • SaaS Applications
  • Accounts/Tenants

About Jamf Pro

Use cases the adapter solves

Jamf Pro is a powerful endpoint management solution that provides a robust inventory of our managed Apple devices in Axonius. Even more importantly, by combining Jamf Pro with network/infrastructure data coming from additional adapters, Axonius can identify unmanaged or even rogue devices on the network.

Data retrieved by Jamf Pro

Axonius collects common device information such as hostname, IPs, MAC address, and serial number. It also collects information unique to Jamf such as device policies, profiles, and groups. The adapter can be configured to collect additional information, such as user data and even mobile devices.

Enforcements

With the Jamf Pro adapter configured, Axonius can add devices to Jamf Pro computer groups directly in the Enforcement Center. Jamf Pro - Add Assets to Computer Group

Axonius SaaS Applications Adapter Configuration

If the adapter has already been setup and you want to configure it to fetch application settings from SaaS data, make sure to add the following connection parameters:

  • Username
  • Password
  • 2FA Secret Key (if your organization configured 2FA for login authentication)

Also, ensure that the Jamf Pro user has read permissions to all items under Jamf Pro Server Settings and access to the Admin Portal (granted by default).

Parameters

  1. Jamf Domain (required) - The hostname of the Jamf Pro server. This field format is 'https://[instance].jamfcloud.com'.
  2. User Name and Password (Required to fetch SaaS Applications Settings) - The credentials for a user account that has the Required Permissions to fetch assets via the API.
  3. Use Client Credentials (optional) - Toggle on to authenticate using client credentials.
    • Client ID and Client Secret (optional) - When the authentication method is via client credentials, specify the Client ID and Client Secret to be used to authenticate the request. For more information about obtaining a Client ID and Client Secret, see API Roles and Clients.
Note:

These parameters are only displayed when you toggle on the Use Client Credentials option.

  1. HTTP Proxy and HTTPS Proxy (optional) - A proxy to use when connecting to the value supplied in Jamf Domain.
  2. Tenant Tag (optional) - Specify a tag name to tag all devices fetched from this adapter connection.
  3. Bypass SSO (Only for accounts with Axonius SaaS Applications) (required, default: switched off) - Select it if the newly created user account is allowed to bypass SSO according to the Jamf instance settings.
  4. 2FA Secret Key (Required to fetch SaaS Applications Settings) - If you access Jamf Pro through an SSO solution that requires 2-factor authentication, you will need to generate a secret key in that solution and paste it here. For example, see Set Up Google Authenticator for the Okta adapter.

To learn more about common adapter connection parameters and buttons, see Adding a New Adapter Connection.

Jamf%20Pro

Advanced Settings

Note:

Advanced settings can either apply to all connections for this adapter, or to a specific connection. Refer to Advanced Configuration for Adapters.

  1. Fetch Devices (Cybersecurity Assets Management only) - This adapter fetches devices by default. Clear this option to not fetch devices.
  2. Fetch Users (default: true) (Cybersecurity Assets Management only) - Select this option to fetch users for both Classic and Pro API connections.
  3. Fetch department of users - Select whether to fetch the names of buildings and departments of users for this adapter connection.
  4. Fetch policies (required, default: true) - Select whether to fetch policies associated with devices for this adapter connection. This field is ignored when Use pro API is selected.
  5. Fetch mobile devices (required, default: true) - Select whether to fetch mobile devices in addition to standard devices for this adapter connection.
  6. Fetch Enrollment Devices - Select this option to fetch enrollment devices.
  7. Use pro API - Select this option to use JAMF Pro API (selected by default). Clear this option to use the JAMF Classic API. On-prem Jamf servers require the Pro API.
  8. Async chunks in parallel (required, default: 5) - The number of chunks to fetch in parallel when working with the Classic API.
Note:

The maximum number of async requests on Jamf Pro cloud instances (not on-prem) is 5. Even if a higher value is entered, the value of 5 is used. This is per Jamf official recommendation. Higher values are possible for Jamf Pro on-prem.

  1. Items to not fetch (optional) - Select one or more fields to exclude from the device fetch. This option only applies to devices fetched from the Pro API.
  2. Enrich software with version info (Cybersecurity Asset Management only) - Select this option to enrich software with the following fields: 'Current version release date', 'Next version release date', 'Newer version count'.
  3. List of Device IDs to filter - Enter a comma-separated list of device IDs for specific devices that you want to fetch.
Note:

To learn more about Adapter Configuration tab advanced settings, see Adapter Advanced Settings.

APIs

Axonius supports the Jamf Classic API and Jamf Pro API.

Note:

Note that this adapter supports token-based authentication for Jamf Pro API access.


Creating a User by Connecting to the Jamf Admin Panel

  1. Log in to the Jamf Pro admin panel and navigate to the Settings panel. Click Jamf Pro User Accounts & Groups.
    image.png

  2. Click New to create a new user and select Create Standard Account > Next.
    image.png

  3. Fill in the details for this account. Make sure to select Custom from the Privilege Set dropdown, and select Full Access from the Access Level dropdown.
    JamfNewAccount.png

  4. Navigate to the Privileges tab. Under Jamf Pro Server Objects, select the Read option for each object displayed.
    image.png

  5. Click Save.

Required Permissions

The value supplied in Username and Password must have the following access to devices.

API What for Permissions
Pro Devices Read Computers
Pro Users Read Accounts
Pro Users Read Jamf Pro User Accounts & Groups
Pro Users Read Users
Pro Mobile Devices Read Mobile Devices
Pro Departments & Buildings Information Read Buildings
Pro Departments & Buildings Information Read Departments
Classic Devices Read Computers
Classic Users Read Users
Classic Mobile Devices Read Mobile Devices
Both EC Actions (when used) Update - Smart Computer Groups
Note:

During the user fetch, permissions are required for the Jamf Classic API and the Jamf Pro API because each API fetches different data about users.