Jamf Pro
Connects to your Jamf Pro Cloud tenant to pull macOS and iOS device inventory plus FileVault encryption posture. Surfaces Macs without FileVault enabled — the single biggest "lost device" liability for SMBs running Apple fleets.
What this adapter actually does for you
Jamf is the de-facto Apple-device MDM for SMBs where the workforce runs Macs (design shops, dev studios, marketing agencies, video houses, ad agencies). Once connected, Clariti polls Jamf Pro Cloud every hour for two things SMB IT operators actually act on:
- Every Mac in your Jamf inventory, with its FileVault state. FileVault is macOS's full-disk-encryption feature. A Mac without FileVault is essentially an unlocked filing cabinet — anyone with physical access can pop the drive into another machine and read every document, browser session, and SSH key on it. Clariti emits a high-severity finding for every unencrypted Jamf-managed Mac, with a remediation walkthrough using Jamf's own Smart Computer Groups + Configuration Profile flow.
- Every iOS / iPadOS device in Jamf inventory, with its supervision status. Supervised devices have meaningful security policy enforcement; unsupervised devices are essentially BYOD even when they appear in your MDM.
Combined with the Microsoft Intune adapter, this gives Clariti full MDM coverage across the SMB Apple+Windows fleet without you having to pick "Apple shop" or "Windows shop" — most SMBs are mixed.
What this adapter does NOT pull
We deliberately stay narrow on Apple device data:
- No installed app inventory (privacy-sensitive; significant per-device list size).
- No user-level identity (Jamf has Account-bound device records, but identity belongs to Entra ID / Okta / Google Workspace).
- No screen-time / activity logs.
- No write actions. Clariti never wipes, locks, retires, or modifies a device. The API client is read-only.
- On-prem Jamf Pro (self-hosted) is not supported by this adapter today — the SSRF guard restricts hostnames to
*.jamfcloud.com. If you run on-prem, contact support.
Permissions required
The API client Clariti uses is read-only. Create it from a privileged account (any standard Jamf admin role can create the client; the assigned API Role determines what the client itself can do).
Recommended API Role: Read-Only. Jamf provides this canned role specifically for read-only integrations. If your tenant doesn't have it, build a custom role with the following privileges and nothing else:
Read ComputersRead Computer Inventory CollectionRead Mobile DevicesRead Smart Computer Groups(optional, helps the remediation flow)
Step-by-step credential creation
- Jamf Pro admin access with permission to manage API Roles & Clients
- An active Jamf Pro Cloud subscription (on-prem not supported)
- Your Jamf Cloud subdomain — the part before .jamfcloud.com in your console URL
- ~5 minutes
- A Clariti account with adapter setup permissions
Sign in to Jamf Pro
Navigate to: https://{your-org}.jamfcloud.com
Log in to your Jamf Pro Cloud tenant at https://{your-org}.jamfcloud.com.
Why: API credentials live inside the tenant console. If you log in via a partner / managed-services portal, switch into the customer tenant first.
Open API Roles & Clients
Navigate to: Settings → System → API Roles and Clients
Click the gear icon in the top-right → Settings → System → API Roles and Clients.
Why: This is the dedicated screen for the new (post-2022) Jamf Pro OAuth2 client credentials. It is not the same as 'Jamf Pro User Accounts' which uses the older Basic-auth Classic API — Clariti uses the modern flow.
Create an API Role
Navigate to: API Roles and Clients → API Roles → New
Click the API Roles tab → New. Name it Clariti Read-Only. Add these privileges (check the boxes — search is the fastest way):
Read ComputersRead Computer Inventory CollectionRead Mobile Devices
Click Save.
Why: The role defines what the client can read. Creating a least-privilege role is best practice; you can also pick the canned 'Read-Only' role if your tenant has it.
Create the API Client
Navigate to: API Roles and Clients → API Clients → New
Switch to the API Clients tab → New. Set:
- Display name:
Clariti (read-only) - API Roles: select the
Clariti Read-Onlyrole you just created - Access Token Lifetime: leave at 30 minutes (Clariti refreshes on every poll)
- Enable: on
Click Save. On the next screen click Enable API Client.
Why: The client is the actual machine-to-machine credential. It's bound to the role from Step 3.
Generate and copy the secret
Navigate to: The API Client detail page
On the API Client detail page, click Generate Client Secret. Copy the Client ID and Client Secret both immediately.
Jamf shows the secret value once. If you click Done without copying, the secret is gone. You can always generate a new one — but rotating means downtime until Clariti's stored credential is updated.
Why: Jamf only displays the secret once, on the page that opens immediately after you click Generate Client Secret. If you navigate away, the secret is gone — you'll have to generate a new one.
Connecting in Clariti
In Clariti, navigate to Integrations → Jamf Pro → Connect now and paste the three values:
| Value from vendor console | Paste into Clariti field |
|---|---|
Your Jamf subdomain (e.g. 'acme' for acme.jamfcloud.com) | Jamf subdomain |
Client ID | Client ID |
Client Secret | Client Secret |
Click Connect. Clariti exchanges the credentials at {your-org}.jamfcloud.com/api/oauth/token. A green checkmark means the token issued; you'll be routed to the onboarding-connecting screen while the first poll runs.
What you'll see after connect
Within ~2 minutes:
- The Assets screen fills with one row per Jamf-managed Mac and iOS device, labelled Jamf Pro in the source chip.
- The MDM coverage tile turns green for every device Jamf manages (alongside Intune on the Windows side).
- The encryption rate posture metric rises by every Mac with FileVault enabled.
- If any Mac in your fleet has FileVault disabled, a high-severity Finding card titled "N Jamf-managed Mac(s) without FileVault encryption" appears in the Findings list with the offending device names and a 4-step Jamf-side remediation checklist (smart group → configuration profile → scope → roll out).
Troubleshooting
400 Bad Request at connect time
Most often: subdomain typo. The subdomain is the part before .jamfcloud.com and without any leading https:// — for https://acme.jamfcloud.com it's just acme. Clariti validates the subdomain to be DNS-label-shaped and rejects anything containing /, ., @, or spaces.
401 Unauthorized Either the Client ID or Client Secret is wrong, or you forgot to click Enable API Client in Step 4. Re-check both values for whitespace, then verify the client is enabled in the Jamf admin console.
403 Forbidden during the first poll
The API Role assigned to your client doesn't grant Read Computers or Read Mobile Devices. Open the role in Jamf (Settings → System → API Roles and Clients → API Roles → click your role) and verify the read privileges are checked. After editing, the change takes effect on the next API token (within 30 min) — Clariti will recover on its next poll.
"is not a recognized Jamf Cloud domain"
You're trying to connect an on-prem Jamf Pro instance (custom domain, not .jamfcloud.com). On-prem Jamf isn't supported by this adapter today; contact support if you need it.
No FileVault findings but you know you have unencrypted Macs Check that the affected Macs are actually in your Jamf inventory (Computers → All Computers). Macs that haven't checked in for a long time may have stale data; force a check-in via a Jamf policy and re-poll Clariti.
API rate limits and polling cadence
Jamf Pro Cloud rate-limits at approximately 50 requests/second per tenant on the data-plane endpoints. Clariti's per-poll request count is far below this — even a 5,000-device tenant only takes 25–30 paginated requests per poll.
If you do hit a 429, Clariti respects the Retry-After header (cap 60s) and retries up to 3 times. Persistent throttling beyond that surfaces as a recognizable 429 in the run log rather than a generic failure — almost always a sign that another integration (Terraform provider, custom report scripts) is sharing the tenant's quota.
Token TTL is 30 minutes; Clariti's default poll cadence is 1 hour, so a fresh token is exchanged on every poll. No action needed from you on rotation.