Skip to content
Veraproof Veraproof Docs

Jamf Pro Admins Integration

Jamf Pro Admins Integration

Scimify enables SCIM provisioning for Jamf Pro admin accounts and admin groups, allowing you to manage administrator access through your identity provider.

Overview

This integration pushes admins and admin groups to Jamf Pro via SCIM. Admin accounts and groups created in Jamf Pro will correspond to those from your identity provider.

Prerequisites

  • A Jamf Pro instance
  • Administrator access to Jamf Pro
  • Ability to create API roles and clients

Configuration Steps

1. Create an API Role in Jamf Pro

  1. Log into your Jamf Pro instance as an administrator
  2. Navigate to Settings > System > API roles and clients
  3. Click “New” in the API Roles section
  4. Give the API role a name (e.g., “Scimify Admins Integration Role”)
  5. Grant the API role the following privileges:
    • Create Accounts
    • Read Accounts
    • Update Accounts
    • Delete Accounts
  6. Save the API role

2. Create an API Client

  1. In the same API roles and clients page, click “New” in the API Clients section
  2. Give the API client a name (e.g., “Scimify Admins Integration”)
  3. Select the API role created in Step 1
  4. Click “Save” and copy the Client ID and Client Secret

3. Configure the Integration in Scimify

  1. Navigate to the Integrations page in your Scimify admin console
  2. Create a new Jamf Pro Admins integration instance
  3. Enter the following configuration:
    • Instance URL: Enter your Jamf Pro instance URL (e.g., https://yourinstance.jamfcloud.com or https://jamf.company.com)
    • Client ID: Paste the Client ID from Step 2
    • Client Secret (API Key): Paste the Client Secret from Step 2
    • Instance Name (Optional): A friendly name to identify this integration instance
    • Group Description (Optional): Custom description for created groups (default: “Created via Scimify for tenant {tenant_id}“)

4. Configure Okta SCIM

Follow the Okta SCIM Configuration guide to set up SCIM provisioning in Okta.

How It Works

  • When admins and admin groups are pushed from your IdP, Scimify will create corresponding admin accounts and groups in Jamf Pro
  • Admin account and group names will match those from your IdP
  • Users assigned to admin groups in your IdP will be added to the corresponding Jamf Pro admin groups

User Provisioning

New admin accounts are created with a temporary random 10-character password. Users are required to change their password on first login. If SSO isn’t configured for Jamf Pro admins, users can use the “forgot password” flow to gain access once provisioned.

Access Level Requirements

Users must have the “Group Access” access level in order to be added as a group member via Scimify. Users with “Full Access” or “Site Access” cannot be added to admin groups through this integration.

Custom SCIM Attributes

You can manage admin account access levels and privilege sets via custom SCIM attributes in your IdP profile or group attributes.

Schema

Schema: urn:ietf:params:scim:schemas:extension:custom:2.0:User

Attribute 1: jamfpro_access_level

  • Type: String
  • Description: The access level to assign to the admin account in Jamf Pro
  • Valid Values: Full Access, Site Access, Group Access
  • Default: Full Access (if not specified)

Attribute 2: jamfpro_privilege_set

  • Type: String
  • Description: The privilege set to assign to the admin account in Jamf Pro
  • Valid Values: Administrator, Auditor, Enrollment Only, Custom
  • Default: Administrator (if not specified)

Note: These attributes can be configured in your IdP user profile or group attributes. Invalid values will result in a SCIM error being returned to your IdP.

Additional Resources

Need Help?

If you encounter any issues during configuration, please contact support@veraproof.io for assistance.