You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/openhound/collectors/jamf/collect-data.mdx
+80-19Lines changed: 80 additions & 19 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,42 +12,103 @@ This page covers configuring the OpenHound Jamf collector for your Jamf Pro tena
12
12
## Prerequisites
13
13
14
14
* OpenHound installed with the Jamf collector included. Follow the OpenHound [installation](/openhound/community) instructions to set up OpenHound for BloodHound Community Edition. The Jamf collector is included by default in the OpenHound container image.
15
-
*A Jamf Pro account with permissions to access the Jamf Pro API. See the options below for recommended roles and permissions.
15
+
*Credentials to authenticate against the Jamf Pro API. See the options below for details on supported authentication methods.
16
16
17
-
<Note>The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users, for now.</Note>
17
+
<Note>
18
+
The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users.
19
+
</Note>
18
20
19
-
### Auditor Account (Recommended)
21
+
##Choose an authentication method
20
22
21
-
Create a [new account](https://docs.jamf.com/10.36.0/jamf-pro/install-guide-linux/Jamf_Pro_User_Accounts_and_Groups.html) directly assigned or part of a group assigned the "Auditor" default Jamf Pro role with "Full Access".
23
+
The OpenHound Jamf collector supports two authentication methods. Use the API client method whenever possible.
22
24
23
-
This account will have restricted read permissions to Jamf Pro objects.
25
+
### API client (recommended)
24
26
25
-
### Administrator Account
27
+
Authenticate with a [Jamf Pro API client](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/API_Roles_and_Clients.html) using the OAuth client credentials flow. API clients are not tied to a user account, can be scoped to a specific API role, and can be rotated or revoked independently.
26
28
27
-
The OpenHound Jamf collector can authenticate using username and password for an account that has the default "Administrator" role with "Full Access" or member of a group with the "Administrator" role and "Full Access".
29
+
To prepare OpenHound credentials for this method:
28
30
29
-
This is the least secure option and does not follow the best practice of least-privilege.
31
+
<Steps>
32
+
<Steptitle="Create an API role">
33
+
In Jamf Pro, create an [API role](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Creating_an_API_Role) and grant it the following privileges:
34
+
35
+
<Expandabletitle="required privileges">
36
+
- Read User
37
+
- Read Accounts
38
+
- Read Account Groups
39
+
- Read Policies
40
+
- Read Scripts
41
+
- Read Computer Extension Attributes
42
+
- Read Sites
43
+
- Read Computers
44
+
- Read API Integrations
45
+
- Read API Roles
46
+
- Read SSO Settings
47
+
</Expandable>
48
+
</Step>
49
+
50
+
<Steptitle="Create an API client">
51
+
In Jamf Pro, create an [API client](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Creating_an_API_Client).
52
+
53
+
Assign it the API role from the previous step and set the **Access token lifetime** to `7200` seconds (2 hours).
54
+
</Step>
55
+
56
+
<Steptitle="Generate a client secret">
57
+
In Jamf Pro, generate a [client secret](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Generating_a_Client_Secret) for the API client.
58
+
59
+
Copy the **Client ID** and the **Client secret** (you need both to configure the OpenHound `secrets.toml` file).
60
+
61
+
<Warning>
62
+
The client secret is only displayed once and cannot be retrieved later. If you lose it, you must generate a new one.
63
+
</Warning>
64
+
</Step>
65
+
</Steps>
66
+
67
+
### Username and password
68
+
69
+
Authenticate with a Jamf Pro user account. Create a [new account](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Jamf_Pro_User_Accounts_and_Groups.html), or use an existing one, that is directly assigned or a member of a group assigned to one of the following roles with "Full Access":
70
+
71
+
-**Auditor** (recommended) - Provides restricted read permissions to Jamf Pro objects and follows least privilege.
72
+
-**Administrator** - Grants full administrative access. Use only when an Auditor account is not available.
30
73
31
74
## Configure OpenHound
32
75
33
-
The following OpenHound configuration parameters are required to run the Jamf collector. These can either be set
34
-
via the `[sources.source.jamf]` section of the secrets file or via environment variables using the `SOURCES__SOURCE__JAMF` prefix.
76
+
Credentials for the Jamf collector are configured under the `[sources.source.jamf.credentials]` section of the secrets file, or via environment variables that use the `SOURCES__SOURCE__JAMF__CREDENTIALS` prefix.
77
+
78
+
<Warning>
79
+
The credentials configuration structure changed in a recent release of the OpenHound Jamf collector. If you are upgrading from an earlier version, move existing `username`, `password`, and `host` values from `[sources.source.jamf]` into `[sources.source.jamf.credentials]` and update any matching environment variables to use the new `SOURCES__SOURCE__JAMF__CREDENTIALS` prefix.
80
+
</Warning>
35
81
36
-
| Parameter Name | Environment Variable | Description |
Copy file name to clipboardExpand all lines: docs/openhound/collectors/jamf/overview.mdx
+10-8Lines changed: 10 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -7,17 +7,19 @@ description: Learn about the SpecterOps-supported OpenHound Jamf collector for B
7
7
8
8
The OpenHound Jamf collector is the SpecterOps-supported tool for retrieving Jamf Pro tenant data for BloodHound.
9
9
10
-
If you are evaluating collector options for the Jamf extension, this is the recommended path. An alternative collector, [JamfHound](https://github.com/SpecterOps/JamfHound), also exists, but this documentation section focuses specifically on the OpenHound-based collector.
10
+
<Note>
11
+
If you are evaluating collector options for the Jamf extension, this is the recommended path. An alternative collector ([JamfHound](https://github.com/SpecterOps/JamfHound)) also exists, but this documentation focuses specifically on the OpenHound-based collector.
12
+
</Note>
11
13
12
-
## Authentication Options
14
+
## Authentication options
13
15
14
-
The OpenHound Jamf collector supports two authentication patterns:
16
+
The OpenHound Jamf collector supports two authentication methods against the Jamf API:
15
17
16
-
-[Auditor account](/openhound/collectors/jamf/collect-data): Recommended for most environments because it follows a read-oriented, lower-privilege collection path.
17
-
-[Administrator account](/openhound/collectors/jamf/collect-data): Simpler if you already have an admin account available, but less aligned with least privilege.
18
+
-[API client (recommended)](/openhound/collectors/jamf/collect-data#api-client-recommended): Authenticate with a Jamf API client using the OAuth client credentials flow. This approach avoids tying collection to a user account and is the preferred option for production environments.
19
+
-[Username and password](/openhound/collectors/jamf/collect-data#username-and-password): Authenticate with a Jamf user account. Pair this method with the Auditor role in Jamf to follow least privilege.
18
20
19
-
## Next Steps
21
+
## Next steps
20
22
21
-
-Review [Configure the Collector](/openhound/collectors/jamf/collect-data)
22
-
-Choose an authentication approach based on your available Jamf Pro roles
23
+
-Choose an authentication method and assign an appropriate Jamf role
24
+
-Review [Configure the collector](/openhound/collectors/jamf/collect-data)
0 commit comments