Clariti Docs
Full Guide5 minutes· easy

Jamf Pro

Endpoint & MDM

Connects to your Jamf Pro Cloud tenant to pull macOS and iOS device inventory plus FileVault encryption posture. Surfaces Macs without FileVault enabled — the single biggest 'lost device' liability for SMBs running Apple fleets.

What Clariti Collects

Jamf Pro

Connects to your Jamf Pro Cloud tenant to pull macOS and iOS device inventory plus FileVault encryption posture. Surfaces Macs without FileVault enabled — the single biggest "lost device" liability for SMBs running Apple fleets.

What this adapter actually does for you

Jamf is the de-facto Apple-device MDM for SMBs where the workforce runs Macs (design shops, dev studios, marketing agencies, video houses, ad agencies). Once connected, Clariti polls Jamf Pro Cloud every hour for two things SMB IT operators actually act on:

  1. Every Mac in your Jamf inventory, with its FileVault state. FileVault is macOS's full-disk-encryption feature. A Mac without FileVault is essentially an unlocked filing cabinet — anyone with physical access can pop the drive into another machine and read every document, browser session, and SSH key on it. Clariti emits a high-severity finding for every unencrypted Jamf-managed Mac, with a remediation walkthrough using Jamf's own Smart Computer Groups + Configuration Profile flow.
  2. Every iOS / iPadOS device in Jamf inventory, with its supervision status. Supervised devices have meaningful security policy enforcement; unsupervised devices are essentially BYOD even when they appear in your MDM.

Combined with the Microsoft Intune adapter, this gives Clariti full MDM coverage across the SMB Apple+Windows fleet without you having to pick "Apple shop" or "Windows shop" — most SMBs are mixed.

What this adapter does NOT pull

We deliberately stay narrow on Apple device data:

  • No installed app inventory (privacy-sensitive; significant per-device list size).
  • No user-level identity (Jamf has Account-bound device records, but identity belongs to Entra ID / Okta / Google Workspace).
  • No screen-time / activity logs.
  • No write actions. Clariti never wipes, locks, retires, or modifies a device. The API client is read-only.
  • On-prem Jamf Pro (self-hosted) is not supported by this adapter today — the SSRF guard restricts hostnames to *.jamfcloud.com. If you run on-prem, contact support.

Permissions required

The API client Clariti uses is read-only. Create it from a privileged account (any standard Jamf admin role can create the client; the assigned API Role determines what the client itself can do).

Recommended API Role: Read-Only. Jamf provides this canned role specifically for read-only integrations. If your tenant doesn't have it, build a custom role with the following privileges and nothing else:

  • Read Computers
  • Read Computer Inventory Collection
  • Read Mobile Devices
  • Read Smart Computer Groups (optional, helps the remediation flow)

Step-by-step credential creation

  • Jamf Pro admin access with permission to manage API Roles & Clients
  • An active Jamf Pro Cloud subscription (on-prem not supported)
  • Your Jamf Cloud subdomain — the part before .jamfcloud.com in your console URL
  • ~5 minutes
  • A Clariti account with adapter setup permissions
1

Sign in to Jamf Pro

Navigate to: https://{your-org}.jamfcloud.com

Log in to your Jamf Pro Cloud tenant at https://{your-org}.jamfcloud.com.

Why: API credentials live inside the tenant console. If you log in via a partner / managed-services portal, switch into the customer tenant first.

2

Open API Roles & Clients

Navigate to: Settings → System → API Roles and Clients

Click the gear icon in the top-right → SettingsSystemAPI Roles and Clients.

Why: This is the dedicated screen for the new (post-2022) Jamf Pro OAuth2 client credentials. It is not the same as 'Jamf Pro User Accounts' which uses the older Basic-auth Classic API — Clariti uses the modern flow.

3

Create an API Role

Navigate to: API Roles and Clients → API Roles → New

Click the API Roles tab → New. Name it Clariti Read-Only. Add these privileges (check the boxes — search is the fastest way):

  • Read Computers
  • Read Computer Inventory Collection
  • Read Mobile Devices

Click Save.

Why: The role defines what the client can read. Creating a least-privilege role is best practice; you can also pick the canned 'Read-Only' role if your tenant has it.

4

Create the API Client

Navigate to: API Roles and Clients → API Clients → New

Switch to the API Clients tab → New. Set:

  • Display name: Clariti (read-only)
  • API Roles: select the Clariti Read-Only role you just created
  • Access Token Lifetime: leave at 30 minutes (Clariti refreshes on every poll)
  • Enable: on

Click Save. On the next screen click Enable API Client.

Why: The client is the actual machine-to-machine credential. It's bound to the role from Step 3.

5

Generate and copy the secret

Navigate to: The API Client detail page

On the API Client detail page, click Generate Client Secret. Copy the Client ID and Client Secret both immediately.

Common Mistake

Jamf shows the secret value once. If you click Done without copying, the secret is gone. You can always generate a new one — but rotating means downtime until Clariti's stored credential is updated.

Why: Jamf only displays the secret once, on the page that opens immediately after you click Generate Client Secret. If you navigate away, the secret is gone — you'll have to generate a new one.

Connecting in Clariti

In Clariti, navigate to IntegrationsJamf ProConnect now and paste the three values:

Value from vendor consolePaste into Clariti field
Your Jamf subdomain (e.g. 'acme' for acme.jamfcloud.com)Jamf subdomain
Client IDClient ID
Client SecretClient Secret

Click Connect. Clariti exchanges the credentials at {your-org}.jamfcloud.com/api/oauth/token. A green checkmark means the token issued; you'll be routed to the onboarding-connecting screen while the first poll runs.

What you'll see after connect

Within ~2 minutes:

  • The Assets screen fills with one row per Jamf-managed Mac and iOS device, labelled Jamf Pro in the source chip.
  • The MDM coverage tile turns green for every device Jamf manages (alongside Intune on the Windows side).
  • The encryption rate posture metric rises by every Mac with FileVault enabled.
  • If any Mac in your fleet has FileVault disabled, a high-severity Finding card titled "N Jamf-managed Mac(s) without FileVault encryption" appears in the Findings list with the offending device names and a 4-step Jamf-side remediation checklist (smart group → configuration profile → scope → roll out).

Troubleshooting

400 Bad Request at connect time Most often: subdomain typo. The subdomain is the part before .jamfcloud.com and without any leading https:// — for https://acme.jamfcloud.com it's just acme. Clariti validates the subdomain to be DNS-label-shaped and rejects anything containing /, ., @, or spaces.

401 Unauthorized Either the Client ID or Client Secret is wrong, or you forgot to click Enable API Client in Step 4. Re-check both values for whitespace, then verify the client is enabled in the Jamf admin console.

403 Forbidden during the first poll The API Role assigned to your client doesn't grant Read Computers or Read Mobile Devices. Open the role in Jamf (Settings → System → API Roles and Clients → API Roles → click your role) and verify the read privileges are checked. After editing, the change takes effect on the next API token (within 30 min) — Clariti will recover on its next poll.

"is not a recognized Jamf Cloud domain" You're trying to connect an on-prem Jamf Pro instance (custom domain, not .jamfcloud.com). On-prem Jamf isn't supported by this adapter today; contact support if you need it.

No FileVault findings but you know you have unencrypted Macs Check that the affected Macs are actually in your Jamf inventory (Computers → All Computers). Macs that haven't checked in for a long time may have stale data; force a check-in via a Jamf policy and re-poll Clariti.

API rate limits and polling cadence

Jamf Pro Cloud rate-limits at approximately 50 requests/second per tenant on the data-plane endpoints. Clariti's per-poll request count is far below this — even a 5,000-device tenant only takes 25–30 paginated requests per poll.

If you do hit a 429, Clariti respects the Retry-After header (cap 60s) and retries up to 3 times. Persistent throttling beyond that surfaces as a recognizable 429 in the run log rather than a generic failure — almost always a sign that another integration (Terraform provider, custom report scripts) is sharing the tenant's quota.

Token TTL is 30 minutes; Clariti's default poll cadence is 1 hour, so a fresh token is exchanged on every poll. No action needed from you on rotation.