JAMF Pro

Integrate with JAMF Pro to retrieve data on Mobile Devices, Computers, and their patch states and logged-in users.

📘

TL;DR

To integrate with JAMF Pro and perform searches with Query:

  • Create an API Role with the appropriate READ Permissions.
  • Create an API Client that will use the API Role, and generate credentials.
  • Note your JAMF Pro Server name to set up the Connection.
  • Configure, test, and save a JAMF Pro Connector with your API Credentials and Server name.
  • Use Query Federated Search to surface details on Computers and Mobile Devices including their patch information and logged-in users to support Incident Response, Investigations, Threat Hunting, Red Teaming, and/or Audit use cases.

Overview

JAMF Pro is a comprehensive mobile device management (MDM) solution designed to automate Apple device management across an organization. It enables IT administrators to deploy, manage, and secure Mac computers, iPads, iPhones, and Apple TVs from a centralized console. JAMF Pro provides detailed inventory information on both computers and mobile devices, including hardware specifications, installed software, security status, and compliance with organizational policies.

Administrators can use JAMF Pro to remotely configure settings, deploy applications, enforce security measures, and troubleshoot issues without disrupting end users, making it an essential tool for organizations that need efficient management of their Apple ecosystem.

All federated searches have their searches and results expressed in the terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Each API source is normalized into a specific QDM/OCSF Event Class to standardize the data for increased situational awareness, ease of aggregation and filtering, and easy pivoting.

| API Name | Sections | QDM/OCSF Event Class | Entities/Observables |
|---|---|---|---|
| Computer Inventory Records | GENERAL, STORAGE, USER_AND_LOCATION, OPERATING_SYSTEM, DISK_ENCRYPTION, GROUP_MEMBERSHIPS | Device Inventory Info | Email Address, Group Name, Group UID, MAC Address, Resource Name, Resource UID, Serial Number, Username |
| Computer Inventory Records | GENERAL, SOFTWARE_UPDATES, PLUGINS | Operating System Patch State | Email Address, Group Name, Group UID, MAC Address, Resource Name, Resource UID, Serial Number |
| Computer Inventory Records | GENERAL, LOCAL_USER_ACCOUNTS | User Query | Email Address, Group Name, Group UID, MAC Address, Resource Name, Resource UID, Serial Number, Username |
| Mobile Device Inventory Records | ALL | Device Inventory Info | Email Address, Group Name, Group UID, MAC Address, Resource Name, Resource UID, Serial Number, Username |

Query Federated Search provides a normalized interface with all searches using the OCSF schema as the "decoder ring" to the various JAMF API methods and filters. When searching using Entities, you can retrieve important metadata about your devices in JAMF to use alongside data from other sources, such as Detection Findings (e.g., CrowdStrike Falcon, MDE) or Compliance Findings (e.g., AWS Security Hub). You can also use the integration to retrieve specific compliance or audit data for the devices onboarded and managed in JAMF.

Prerequisites

To connect a JAMF Pro Connector with Query Federated Search you'll need to:

  1. Create an API Role. Navigate to Settings -> System -> API roles and clients as shown below (FIG. 1).

    FIG. 1 - Navigate to the API roles & clients menu

  2. On the top-right, select + New. Provide a Role Name (e.g., QueryFederatedSearchRole), add the following Assigned Privileges, and select Save at the bottom-right of the screen as shown below (FIG. 2).

    1. Read Computers

    2. Read Mobile Devices

    3. Read User

    4. Read User Extension Attributes

      FIG. 2 - Assigning privileges to the API role

  3. While still in the API roles and clients settings menu, select the API Clients tab and choose + New in the top-right corner to create a new API Client.

  4. Provide a Display name (e.g., QueryFederatedSearchConnectorClient), select the API role(s) you created in Step 2 (e.g., QueryFederatedSearchRole), and set the Access token lifetime to at least 30 minutes. Finally, select Enable API Client and select Save at the bottom right as shown below (FIG. 3).

    FIG. 3 - Creating a JAMF Pro API Client for Query Federated Search

  5. You will be immediately redirected to a page for your API Client. Copy the value for Client ID, select Generate client secret, copy the value for the Client Secret, and store both values in a PIM/PAM/Vault solution as shown below (FIG. 4).

    FIG. 4 - Generating and retrieving the Client ID and Client Secret

  6. Take note of your Server name from the URL in your browser. For instance, if your URL is https://contosocorp.jamfcloud.com/view/settings?tab=all, your Server name is contosocorp.

To learn how to configure a JAMF Pro Connector, proceed to the next section.

👍

On NHI security

Non-Human Identity (NHI) credentials, such as your JAMF Pro API Client Secret, are extremely sensitive. Query securely stores the Client Secret in a dedicated AWS Secrets Manager Secret per Connector per Tenant.

Your credentials are stored securely with the minimum necessary permissions, which allow only the specific piece of serverless infrastructure on the Query side to retrieve the secret. The secret is never cached or persisted outside of the Secret.

Setting up the JAMF Pro Connector

Use the following steps to create a new Query Federated Search Connector for JAMF Pro.

  1. Navigate to the Connectors page, select Add Connector, and select JAMF Pro Connector from the Mobile Device Management category as shown below (FIG. 5). You can also search for JAMF Pro Connector using the search bar in the Add Connector page.

    FIG. 5 - Locating the JAMF Pro Connector in the Query Federated Search platform

  2. In the Configure Connector tab, add the following details as shown below (FIG. 6):

    1. Connector Alias Name: The human-readable name you want to give to this connector. You can provide the name of your JAMF Server or another easy-to-remember name for your analysts.

    2. Default Login: Leave the default value: Default Login.

    3. JAMF Server Name: The name of your JAMF Server, copied in Step 6 of the Prerequisites section. DO NOT place the full URL here.

    4. JAMF Client ID: The Client ID for your API Client, copied in Step 5 of the Prerequisites section.

    5. JAMF Client Secret: The Client Secret for your API Client, copied in Step 5 of the Prerequisites section.

      FIG. 6 - Configuring the Parameters for the JAMF Pro Connector

  3. Select Save to save and activate the Connector.

  4. Select Test Connection from the bottom-right of the connection pane to ensure that your API Client is enabled, that it has access to the right roles, and that you provided the right Server name to build an API URL from.

You will now see JAMF Pro Connector added as an available Connector within the Query Search and Query Summary Insights UI.

Resources

Troubleshooting Steps

  • Check that you provided all READ privileges for your API Role.
  • Check that you attached the correct API Role to your API Client.
  • Check that you have Enabled your API Client.
  • Check that you have provided the correct API Client ID and Client Secret, that they were placed into the right parameters, and that they have not been regenerated. If they have, simply override the values in the Connector and save it again.
  • Ensure that you have provided the correct Server name without any whitespace or illegal characters, and ensure that you did not provide the full URL.
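
A pre-flight check for the items above, as an added example that is not part of the Query or JAMF documentation: it derives and validates the Server name from Step 6, builds the client-credentials token request for the API Client, and checks the returned token lifetime against the 30-minute minimum. It assumes a Jamf Cloud instance at <server>.jamfcloud.com and Jamf Pro's /api/oauth/token endpoint; the function names and the JAMF_SERVER, JAMF_CLIENT_ID and JAMF_CLIENT_SECRET environment variables are hypothetical.

```python
import json
import os
import re
import urllib.parse
import urllib.request

MIN_TOKEN_LIFETIME_SECONDS = 30 * 60  # the prerequisites ask for at least 30 minutes
# Assumption: a Server name is a single DNS label (letters, digits, hyphens).
_SERVER_NAME = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def validate_server_name(value: str) -> str:
    """Return the Server name, or raise ValueError for a URL, whitespace or illegal characters."""
    if "://" in value or "/" in value or "." in value:
        raise ValueError("provide only the Server name (e.g. contosocorp), not a URL or hostname")
    if not _SERVER_NAME.fullmatch(value):
        raise ValueError("Server name contains whitespace or illegal characters")
    return value.lower()

def server_name_from_url(browser_url: str) -> str:
    """Derive the Server name from a Jamf Cloud browser URL, as in Step 6."""
    host = urllib.parse.urlsplit(browser_url).hostname or ""
    if not host.endswith(".jamfcloud.com"):
        raise ValueError("not a jamfcloud.com URL")
    return validate_server_name(host[: -len(".jamfcloud.com")])

def build_token_request(server: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Build (but do not send) the OAuth client-credentials request for the API Client."""
    fields = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    body = urllib.parse.urlencode(fields).encode()
    url = f"https://{validate_server_name(server)}.jamfcloud.com/api/oauth/token"
    return urllib.request.Request(url, data=body, method="POST")

def token_lifetime_ok(token_response: dict) -> bool:
    """True when the token's expires_in meets the 30-minute minimum."""
    return int(token_response.get("expires_in", 0)) >= MIN_TOKEN_LIFETIME_SECONDS

if __name__ == "__main__":
    # Credentials come from the environment (populated from your vault), never from source.
    env = os.environ
    req = build_token_request(env["JAMF_SERVER"], env["JAMF_CLIENT_ID"], env["JAMF_CLIENT_SECRET"])
    # An HTTP 401 here points at a wrong, regenerated or disabled API Client credential.
    with urllib.request.urlopen(req, timeout=10) as resp:
        print("token lifetime ok:", token_lifetime_ok(json.load(resp)))
```
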

If you have exhausted the above Troubleshooting list, please contact your designated Query Sales Engineer or Customer Success Manager. If you are using a free tenant, please contact Query Customer Success via the Support email in the Help section, or via Intercom within your tenant.