Jamf Pro Endpoint Management Integration Setup
This guide walks you through integrating Jamf Pro with RAD Security to ingest managed-device inventory and device compliance findings, and to trigger remediation on a device from RAD. Jamf Pro is an Apple device management platform. RAD Security connects to the Jamf Pro API using OAuth 2.0 client credentials (an API role and client) and pulls device inventory and compliance posture on a scheduled basis to correlate them with your runtime, cloud, and Kubernetes security data.
Read-only ingestion, with one write action: RAD only reads device inventory and compliance from Jamf Pro. The single exception is device remediation: RAD can trigger a remediation action on a device through Jamf Pro. That action is RBAC-gated (requires tenant write permission) and recorded as an OCSF Device Control Finding.
Prerequisites
Before you begin, ensure you have:
- A Jamf Pro instance with administrator access
- Permission to create an API role and API client in Jamf Pro
- Your Jamf Pro URL (your instance base URL)
- Access to a RAD Security workspace with integration permissions
Understanding Integration Components
API Role
Jamf Pro authorizes API access through API roles, which define the privileges granted to a client. Create a role with the privileges needed to read computer/device inventory and compliance (and to run remediation actions if used).
API Client (OAuth 2.0)
An API client is assigned one or more API roles and issues OAuth 2.0 client credentials. You provide the Client ID and Client Secret, and RAD exchanges them for short-lived access tokens via the client-credentials grant.
Jamf Pro URL
The Jamf Pro URL is the base URL of your Jamf Pro instance (for example https://yourcompany.jamfcloud.com). It is required so RAD targets your instance.
Scheduled Polling
RAD Security ingests Jamf Pro device inventory and compliance via scheduled polling. Data arrives on RAD’s polling cadence rather than being pushed by Jamf Pro.
Step 1: Create an API Role and Client in Jamf Pro
Create an API Role
Go to Settings → System → API roles and clients → API Roles and create a new role. Grant the privileges required to read inventory and compliance (and remediation privileges if you will use device remediation).
Create an API Client
On the API Clients tab, create a new client, assign the API role you created, and enable it. Note the Client ID.
Exact console navigation, privilege names, and labels may vary across Jamf Pro versions. See the Jamf Pro documentation for current steps to create API roles and clients.
Configure in RAD Security
Navigate to your RAD Security workspace and configure the Jamf Pro integration with the following parameters:
Required Parameters
| Parameter | Required | Description |
|---|---|---|
| Client ID | Yes | OAuth 2.0 Client ID of the Jamf Pro API client |
| Client Secret | Yes | OAuth 2.0 Client Secret generated for the API client |
| Jamf Pro URL | Yes | Base URL of your Jamf Pro instance |
Verify Integration
Your Jamf Pro integration is now configured! RAD Security will ingest device inventory and compliance findings from Jamf Pro on a scheduled basis.
What Data is Synced
Device Inventory
Jamf Pro managed devices, mapped to OCSF Device Inventory Info (5001) — hostname, OS, hardware, serial, owner, managed/compliant flags, risk, and first/last-seen timestamps.
Compliance Findings
Device compliance posture, mapped to OCSF Compliance Finding (2003) and stored as security findings. Feeds unified posture analysis and RADBot.
Device Remediation
The one write action — RAD can trigger a Jamf Pro remediation on a device. RBAC-gated (tenant write) and recorded as an OCSF Device Control Finding.
Use Cases
Compliance Management
Track device compliance gaps from discovery through remediation across your Jamf-managed Apple fleet.
Asset Visibility
Use managed-device inventory to understand your endpoint estate and reduce attack surface.
Threat Response
Trigger Jamf Pro remediation on a non-compliant or compromised device directly from RAD.
RADBot Prioritization
Leverage RADBot to prioritize Jamf Pro device findings by real-world impact.
Troubleshooting
Authentication Failed
Possible causes:
- Incorrect Client ID or Client Secret
- The API client was disabled or its secret rotated in Jamf Pro
Solutions:
- Verify the Client ID and Client Secret are copied correctly (no extra spaces)
- Confirm the API client is enabled in API roles and clients
- Generate a new client secret and update it in RAD Security if needed
Insufficient Privileges
Possible causes:
- The assigned API role lacks the required read or remediation privileges
Solutions:
- Add the missing privileges to the API role assigned to the client
- Reconnect after updating the role
Connection Refused / Not Found
Possible causes:
- Incorrect or unreachable Jamf Pro URL
Solutions:
- Verify the Jamf Pro URL matches your instance base URL
- Confirm the URL is reachable and uses https://
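The checks below are an added example, not RAD Security or Jamf code: they validate the three integration parameters against the mistakes listed in this section and build the client-credentials token request without sending it. The token path `/api/oauth/token` comes from Jamf's public API documentation rather than this page, and the status-to-heading mapping is an assumption based on standard HTTP semantics.

```python
import urllib.parse
import urllib.request

# Token endpoint from Jamf's public API documentation; not stated on this page,
# so confirm it against the docs for your Jamf Pro version.
TOKEN_PATH = "/api/oauth/token"

def normalize_base_url(raw: str) -> str:
    """Return the instance base URL or raise ValueError describing the mistake."""
    url = urllib.parse.urlsplit(raw.strip())
    if url.scheme != "https":
        raise ValueError("Jamf Pro URL must start with https://")
    if not url.hostname or url.username or url.password:
        raise ValueError("Jamf Pro URL must be a bare host (no user:password@)")
    if url.path.strip("/") or url.query or url.fragment:
        raise ValueError("use the instance base URL, not a console or API path")
    return f"https://{url.netloc}"

def check_credential(name: str, value: str) -> str:
    """Reject empty values and stray whitespace; never echo the value itself."""
    if not value or any(ch.isspace() for ch in value):
        raise ValueError(f"{name} is empty or contains whitespace")
    return value

def build_token_request(base_url, client_id, client_secret):
    """Build (but do not send) the client-credentials token request."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": check_credential("Client ID", client_id),
        "client_secret": check_credential("Client Secret", client_secret),
    }).encode()
    return urllib.request.Request(
        normalize_base_url(base_url) + TOKEN_PATH, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def troubleshooting_section(http_status: int) -> str:
    """Map a response status to this page's troubleshooting headings (assumed mapping)."""
    return {401: "Authentication Failed", 403: "Insufficient Privileges",
            404: "Connection Refused / Not Found"}.get(http_status, "Unclassified")

if __name__ == "__main__":
    # Constructed sample values; read the real secret from your vault at run time.
    req = build_token_request("https://yourcompany.jamfcloud.com/",
                              "constructed-id", "constructed-secret")
    print(req.get_method(), req.full_url)
```

To test the credentials end to end, pass the returned request to `urllib.request.urlopen` and feed any `HTTPError.code` to `troubleshooting_section`.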
Security Best Practices
Dedicated API Client
Use a dedicated API client and role for the RAD integration rather than sharing one with other tools.
Least Privilege
Grant the API role only the privileges required for inventory, compliance, and remediation.
Rotate Credentials
Rotate the client secret periodically according to your security policy.
Secure Secret Storage
Store the client secret in a secrets vault. Never commit it to version control.
Additional Resources
Jamf Pro Documentation
Official Jamf Pro documentation on API roles and clients
Endpoint Management Overview
Learn about RAD’s endpoint management integrations
Next Steps
Endpoint Management Integrations
Explore other endpoint management integration options
Data Sources
Connect additional security data sources
RADBot
Learn how RADBot helps prioritize findings