Jamf

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

| Supported data types | Detection / search (marks as given for: 3rd party detection, Hunters detection, IOC search, Search) | Table name | Log format | Collection method |
|---|---|---|---|---|
| Computers | ✅ ✅ | jamf_computers | NDJSON | API |
| Mac Applications | ✅ | jamf_macapplications | NDJSON | API |
| Network Segments | ✅ | jamf_networksegments | NDJSON | API |
| Packages | | jamf_packages | NDJSON | API |
| Policies | | jamf_policies | NDJSON | API |
| Scripts | | jamf_scripts | NDJSON | API |
| Users | ✅ | jamf_users | NDJSON | API |
| Jamf System Access Logs | ✅ ✅ | jamf_system_access_logs | NDJSON | S3 |
| Jamf System Change Management Logs | | jamf_system_change_management_logs | NDJSON | S3 |


Overview

Jamf is the most widely used way to manage macOS devices in an enterprise. Logs pulled from the Jamf API therefore provide important information about the organization's macOS devices, which matters all the more because these macOS endpoints are usually not joined to a managed Active Directory domain (unlike Windows enterprise fleets).

For example, the Jamf Computers API provides a contextual inventory of all endpoints belonging to the organization. Joined against access logs, that inventory makes it possible to detect access to organizational resources or SaaS applications from a device that is not managed.

Additional important contextual information pulled from the Jamf API includes user lists, policies, managed scripts, network segments and more.

Supported data types

From the Jamf API, Hunters supports the following data types:

| Data type | Table name |
|---|---|
| Computers | jamf_computers |
| Mac Applications | jamf_macapplications |
| Network Segments | jamf_networksegments |
| Packages | jamf_packages |
| Policies | jamf_policies |
| Scripts | jamf_scripts |
| Users | jamf_users |

From the on-prem Jamf Server component, Hunters supports the following data types:

| Data type | Table name |
|---|---|
| Jamf System Access Logs | jamf_system_access_logs |
| Jamf System Change Management Logs | jamf_system_change_management_logs |

Send data to Hunters

Hunters supports two methods for ingesting Jamf logs:

  • Jamf API Integration - Connect to the Jamf API using one of the following authentication methods:

    • Basic Authentication - Create a dedicated Jamf user by following a few simple steps, and provide the user’s credentials to Hunters.

    • OAuth Authentication - Use a secure, non-user-based method based on API clients and access roles. This approach is recommended for enhanced security and token-based access control.

  • AWS S3 Storage - For on-premises Jamf deployments, route logs to an AWS S3 bucket and grant Hunters access to retrieve them directly.

Jamf API Integration

Basic Authentication

To connect Jamf logs using basic authentication:

  1. Log in to Jamf and go to the Settings section.

  2. Under All settings, click Jamf Pro User Accounts & Groups.

  3. Click + New to add a new user.

  4. Under Choose an action, select Create Standard Account and then click Next.

  5. Fill in the New User Account form. Make sure that:

    • Access level is Full Access

    • Privilege Set is Auditor

    • Access Status is Enabled

  6. Copy the Username and Password for the next steps and click Save.

  7. While in the Jamf console, copy the API host address from your browser address bar.

  8. Follow this guide to set up the connection on Hunters. You’ll need to provide Hunters with the following details:

    • Domain: The API host address copied from your browser address bar, e.g. company.jamfcloud.com

    • User: The Username retrieved in the previous steps, e.g. username

    • Secret: The Password retrieved in the previous steps, e.g. password

OAuth Authentication

  1. Follow this guide to perform the following steps:

    1. Create an API Role with the necessary privileges for your integration.

    2. Create an API Client and assign the previously created API Role to the new client.

    3. Generate a Client ID and Client Secret.

  2. Follow this guide to set up the connection on Hunters. You’ll need to provide Hunters with the following details:

    1. Domain: The API host address copied from your browser address bar, e.g. company.jamfcloud.com.

    2. Client ID: The Client ID generated in the previous step.

    3. Client Secret: The Client secret generated in the previous step.

Jamf System On Prem Logs via S3

Hunters supports the ingestion of On-Prem Jamf Server logs via an intermediary AWS S3 bucket.

To connect on-prem Jamf Server logs:

  1. Export your logs to an AWS S3 bucket.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Jamf System Access Logs

2023-11-29 12:34:56,104: username=testuser1, status=Successful Login, ipAddress=1.23.45.67, entryPoint=F (API)
2023-12-30 11:22:33,274: username=testuser2, status=Login Failure, ipAddress=1.22.33.44, entryPoint=S (API)

Jamf System Change Management Logs

[System (ID: -1)] [READ] [Computer] [2023-10-29T15:04:44.716+0000]
	ID             12345
	Name ......... AB1234HG7K

[Test (ID: 1)] [WRITE] [Software] [2023-11-29T15:04:59.972+0000]
	ID             45678
	Name ......... ABCD1234HB2
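
As an added example (not Hunters' or Jamf's own code), the following Python parses constructed lines in the two formats shown above into NDJSON records, the log format listed in the tables, and pulls the failed logins out of the access log; the record keys `actor`, `actor_id`, `action` and `object_type` are names chosen here, not Jamf field names.

```python
import json
import re

# Constructed samples in the two formats shown above (not real Jamf output).
ACCESS_LOG = """2023-11-29 12:34:56,104: username=testuser1, status=Successful Login, ipAddress=1.23.45.67, entryPoint=F (API)
2023-12-30 11:22:33,274: username=testuser2, status=Login Failure, ipAddress=1.22.33.44, entryPoint=S (API)"""
CHANGE_LOG = """[System (ID: -1)] [READ] [Computer] [2023-10-29T15:04:44.716+0000]
\tID             12345
\tName ......... AB1234HG7K

[Test (ID: 1)] [WRITE] [Software] [2023-11-29T15:04:59.972+0000]
\tID             45678
\tName ......... ABCD1234HB2"""

ACCESS_RE = re.compile(r"^(?P<timestamp>\S+ \S+): (?P<fields>.+)$")
HEADER_RE = re.compile(r"^\[(?P<actor>.+?) \(ID: (?P<actor_id>-?\d+)\)\] \[(?P<action>\w+)\]"
                       r" \[(?P<object_type>[^\]]+)\] \[(?P<timestamp>[^\]]+)\]$")
DETAIL_RE = re.compile(r"^\t(?P<key>\w+)[ .]+(?P<value>\S.*)$")  # "Name ......... VALUE"


def parse_access_log(text):
    """One dict per access-log line: timestamp plus the comma-separated key=value pairs."""
    records = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):  # skip blank/unknown lines
        record = {"timestamp": m.group("timestamp")}
        for field in m.group("fields").split(", "):
            key, _, value = field.partition("=")
            record[key] = value
        records.append(record)
    return records


def parse_change_log(text):
    """One dict per change record: a bracketed header line plus tab-indented detail lines."""
    records, current = [], None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.groupdict()
            records.append(current)
            continue
        detail = DETAIL_RE.match(line)
        if detail and current is not None:
            current[detail.group("key").lower()] = detail.group("value")
    return records


def to_ndjson(records):  # one JSON object per line, as the tables above expect
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def failed_logins(records):
    """Defender's first question over the access log: who failed to log in, and from where."""
    return [(r["username"], r["ipAddress"]) for r in records if r.get("status") == "Login Failure"]
```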