Skip to content

Commit b09df2c

Browse files
BED-8516: Added API client auth for Jamf collector (#307)
* docs: added API client auth for jamf collector * Filter certifications across all status (#310) * chore: align certification status with v9.3.0 enhancement * chore: restore notes * fix: table with column descriptions * chore: update openapi spec for v0.3.0 (#308) * Initial guidance for pre-installed extensions (#311) * wip: initial draft of built-in extensions * style: normalize built-in extension terminology * wip: make update conditions easier to understand * chore: apply suggestions from CR review * docs: apply suggestions from PM review * docs: added top-level section for ext mgmt models * Path highlighting, label clipping, and default layout behavior (#309) * docs: added full path highlighting * chore: add full path highlighting example screenshot * wip: cross reference entity panel * style: wrap images in frames * style: replace badges with enterprise svg * docs: added layout behavior enhancements * docs: apply suggestions from PM review * docs: add lable clipping behavior and option to disable * chore: removed hacky console workaround for disabling path highlighting and label clipping * BP-2693: Release notes (2026-06-16) (#312) * wip: initial draft of v9.3.0 release notes * wip: removed old, mis-tagged issue for PZM * wip: removed old AzureHound fixed issue * wip: add no-op stub for AzureHound * wip: copyedit jamf api client feature * chore: moved AzureHound fixed issue to latest release * wip: copyedit fixed issue descriptions * wip: copyedit administration enhancements * wip: add TODOs for enhancements that require supporting doc updates * chore: removed mis-tagged issues * wip: copyedit full-path highlighting * wip: copyedit layout defaults * wip: copyedit layout defaults * wip: minor copyediting * wip: copyedit attack path type names * chore: removed previously shipped cypher result layouts enhancement * wip: copyedit certification statuses * wip: copyedited built-in extensions * wip: added post-processing performance enhancements * wip: initial draft of v9.3.0 summary * chore: align summary and v9.3.0 release notes * fix: broken links * chore: normalized pre-installed extension terminology * style: use title case * chore: bump openhound version * style: refine headings * docs: clarify editionavailability for supported extensions * chore: change enterprise designation * fix: removed stale file from old merge * docs: update links to jamf docs * docs: update links to jamf docs * style: normalize link text * docs: apply suggestions from tech review
1 parent 68210d7 commit b09df2c

2 files changed

Lines changed: 90 additions & 27 deletions

File tree

docs/openhound/collectors/jamf/collect-data.mdx

Lines changed: 80 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -12,42 +12,103 @@ This page covers configuring the OpenHound Jamf collector for your Jamf Pro tena
1212
## Prerequisites
1313

1414
* OpenHound installed with the Jamf collector included. Follow the OpenHound [installation](/openhound/community) instructions to set up OpenHound for BloodHound Community Edition. The Jamf collector is included by default in the OpenHound container image.
15-
* A Jamf Pro account with permissions to access the Jamf Pro API. See the options below for recommended roles and permissions.
15+
* Credentials to authenticate against the Jamf Pro API. See the options below for details on supported authentication methods.
1616

17-
<Note>The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users, for now.</Note>
17+
<Note>
18+
The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users.
19+
</Note>
1820

19-
### Auditor Account (Recommended)
21+
## Choose an authentication method
2022

21-
Create a [new account](https://docs.jamf.com/10.36.0/jamf-pro/install-guide-linux/Jamf_Pro_User_Accounts_and_Groups.html) directly assigned or part of a group assigned the "Auditor" default Jamf Pro role with "Full Access".
23+
The OpenHound Jamf collector supports two authentication methods. Use the API client method whenever possible.
2224

23-
This account will have restricted read permissions to Jamf Pro objects.
25+
### API client (recommended)
2426

25-
### Administrator Account
27+
Authenticate with a [Jamf Pro API client](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/API_Roles_and_Clients.html) using the OAuth client credentials flow. API clients are not tied to a user account, can be scoped to a specific API role, and can be rotated or revoked independently.
2628

27-
The OpenHound Jamf collector can authenticate using username and password for an account that has the default "Administrator" role with "Full Access" or member of a group with the "Administrator" role and "Full Access".
29+
To prepare OpenHound credentials for this method:
2830

29-
This is the least secure option and does not follow the best practice of least-privilege.
31+
<Steps>
32+
<Step title="Create an API role">
33+
In Jamf Pro, create an [API role](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Creating_an_API_Role) and grant it the following privileges:
34+
35+
<Expandable title="required privileges">
36+
- Read User
37+
- Read Accounts
38+
- Read Account Groups
39+
- Read Policies
40+
- Read Scripts
41+
- Read Computer Extension Attributes
42+
- Read Sites
43+
- Read Computers
44+
- Read API Integrations
45+
- Read API Roles
46+
- Read SSO Settings
47+
</Expandable>
48+
</Step>
49+
50+
<Step title="Create an API client">
51+
In Jamf Pro, create an [API client](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Creating_an_API_Client).
52+
53+
Assign it the API role from the previous step and set the **Access token lifetime** to `7200` seconds (2 hours).
54+
</Step>
55+
56+
<Step title="Generate a client secret">
57+
In Jamf Pro, generate a [client secret](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Generating_a_Client_Secret) for the API client.
58+
59+
Copy the **Client ID** and the **Client secret** (you need both to configure the OpenHound `secrets.toml` file).
60+
61+
<Warning>
62+
The client secret is only displayed once and cannot be retrieved later. If you lose it, you must generate a new one.
63+
</Warning>
64+
</Step>
65+
</Steps>
66+
67+
### Username and password
68+
69+
Authenticate with a Jamf Pro user account. Create a [new account](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Jamf_Pro_User_Accounts_and_Groups.html), or use an existing one, that is directly assigned or a member of a group assigned to one of the following roles with "Full Access":
70+
71+
- **Auditor** (recommended) - Provides restricted read permissions to Jamf Pro objects and follows least privilege.
72+
- **Administrator** - Grants full administrative access. Use only when an Auditor account is not available.
3073

3174
## Configure OpenHound
3275

33-
The following OpenHound configuration parameters are required to run the Jamf collector. These can either be set
34-
via the `[sources.source.jamf]` section of the secrets file or via environment variables using the `SOURCES__SOURCE__JAMF` prefix.
76+
Credentials for the Jamf collector are configured under the `[sources.source.jamf.credentials]` section of the secrets file, or via environment variables that use the `SOURCES__SOURCE__JAMF__CREDENTIALS` prefix.
77+
78+
<Warning>
79+
The credentials configuration structure changed in a recent release of the OpenHound Jamf collector. If you are upgrading from an earlier version, move existing `username`, `password`, and `host` values from `[sources.source.jamf]` into `[sources.source.jamf.credentials]` and update any matching environment variables to use the new `SOURCES__SOURCE__JAMF__CREDENTIALS` prefix.
80+
</Warning>
3581

36-
| Parameter Name | Environment Variable | Description |
37-
|----------------|---------------------------------|------------------------------------------------------------------------------------|
38-
| `username` | \{PREFIX\}__USERNAME | The username of the account used to authenticate to the Jamf Pro API. |
39-
| `password` | \{PREFIX\}__PASSWORD | The password of the account used to authenticate to the Jamf Pro API. |
40-
| `host` | \{PREFIX\}__HOST | The full host/url of the Jamf Pro tenant. For example: `https://jamf.example.com`. |
82+
### API client parameters
4183

84+
| Parameter name | Environment variable | Description |
85+
|-----------------|-------------------------------|---------------------------------------------------------------------------------------------------|
86+
| `client_id` | \{PREFIX\}__CLIENT_ID | The client ID of the Jamf Pro API client used to authenticate to the Jamf Pro API. |
87+
| `client_secret` | \{PREFIX\}__CLIENT_SECRET | The client secret of the Jamf Pro API client used to authenticate to the Jamf Pro API. |
88+
| `host` | \{PREFIX\}__HOST | The full host URL of the Jamf Pro tenant. For example: `https://tenant.jamfcloud.com`. |
4289

43-
### Example Configuration
4490
```toml title="secrets.toml"
45-
[sources.source.jamf]
46-
username = "myusername"
91+
[sources.source.jamf.credentials]
92+
client_id = "myclientid"
93+
client_secret = "myclientsecret"
4794
host = "https://tenant.jamfcloud.com"
95+
```
96+
97+
### Username and password parameters
98+
99+
| Parameter name | Environment variable | Description |
100+
|----------------|---------------------------|----------------------------------------------------------------------------------------|
101+
| `username` | \{PREFIX\}__USERNAME | The username of the account used to authenticate to the Jamf Pro API. |
102+
| `password` | \{PREFIX\}__PASSWORD | The password of the account used to authenticate to the Jamf Pro API. |
103+
| `host` | \{PREFIX\}__HOST | The full host URL of the Jamf Pro tenant. For example: `https://tenant.jamfcloud.com`. |
104+
105+
```toml title="secrets.toml"
106+
[sources.source.jamf.credentials]
107+
username = "myusername"
48108
password = "mypassword"
109+
host = "https://tenant.jamfcloud.com"
49110
```
50111

51-
## Running OpenHound and Collecting Data
112+
## Run OpenHound and collect data
52113

53114
<RunAndCollect source="Jamf" env="Pro tenant" />

docs/openhound/collectors/jamf/overview.mdx

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -7,17 +7,19 @@ description: Learn about the SpecterOps-supported OpenHound Jamf collector for B
77

88
The OpenHound Jamf collector is the SpecterOps-supported tool for retrieving Jamf Pro tenant data for BloodHound.
99

10-
If you are evaluating collector options for the Jamf extension, this is the recommended path. An alternative collector, [JamfHound](https://github.com/SpecterOps/JamfHound), also exists, but this documentation section focuses specifically on the OpenHound-based collector.
10+
<Note>
11+
If you are evaluating collector options for the Jamf extension, this is the recommended path. An alternative collector ([JamfHound](https://github.com/SpecterOps/JamfHound)) also exists, but this documentation focuses specifically on the OpenHound-based collector.
12+
</Note>
1113

12-
## Authentication Options
14+
## Authentication options
1315

14-
The OpenHound Jamf collector supports two authentication patterns:
16+
The OpenHound Jamf collector supports two authentication methods against the Jamf API:
1517

16-
- [Auditor account](/openhound/collectors/jamf/collect-data): Recommended for most environments because it follows a read-oriented, lower-privilege collection path.
17-
- [Administrator account](/openhound/collectors/jamf/collect-data): Simpler if you already have an admin account available, but less aligned with least privilege.
18+
- [API client (recommended)](/openhound/collectors/jamf/collect-data#api-client-recommended): Authenticate with a Jamf API client using the OAuth client credentials flow. This approach avoids tying collection to a user account and is the preferred option for production environments.
19+
- [Username and password](/openhound/collectors/jamf/collect-data#username-and-password): Authenticate with a Jamf user account. Pair this method with the Auditor role in Jamf to follow least privilege.
1820

19-
## Next Steps
21+
## Next steps
2022

21-
- Review [Configure the Collector](/openhound/collectors/jamf/collect-data)
22-
- Choose an authentication approach based on your available Jamf Pro roles
23+
- Choose an authentication method and assign an appropriate Jamf role
24+
- Review [Configure the collector](/openhound/collectors/jamf/collect-data)
2325
- Import the resulting data with the [Jamf OpenGraph extension](/opengraph/extensions/jamf/getting-started)

0 commit comments

Comments
 (0)