A beginner’s guide to the Jamf Pro Classic API
When working with Jamf Pro, one way to save yourself a lot of clicking in the admin console is to use one of the two current Jamf Pro APIs. Both APIs are REST APIs, which means they can perform requests and receive responses via HTTP protocols like GET, PUT, POST and DELETE. That means that the curl tool can be used to send commands to and receive information from a Jamf Pro server.
The two APIs are as follows:
- Classic API
- Jamf Pro API (formerly known as the Universal API)
Classic API
This API is the original one which Jamf Pro started with and it is slated for eventual retirement. This API is designed to work with XML and JSON.
The base URL for the Classic API is located at /JSSResource on your Jamf Pro server. If your Jamf Pro server is https://server.name.here:8443, that means that the API base URL is as follows:
https://server.name.here:8443/JSSResource
To help you become familiar with the API, Jamf includes documentation and “Try it out” functionality at the following URL on your Jamf Pro server:
https://server.name.here:8443/api
The Classic API is designed to work with usernames and passwords for authentication, with the username and password being passed as part of the curl command.
Examples: https://developer.jamf.com/apis/classic-api/index
Jamf Pro API
This API is in beta and is designed to be an eventual replacement for the Classic API. This API is designed to work with JSON.
The base URL for the Jamf Pro API is located at /uapi on your Jamf Pro server. If your Jamf Pro server is https://server.name.here:8443, that means that the API base URL is as follows:
https://server.name.here:8443/uapi
To help you become familiar with the API, Jamf includes documentation and “Try it out” functionality at the following URL on your Jamf Pro server:
https://server.name.here:8443/uapi/docs
The Jamf Pro API is designed to work with token-based authentication, with a Jamf Pro username and password used to initially generate the necessary token. These tokens are time-limited and expire after 30 minutes. However, you can generate a new token for API authentication using the existing token’s credentials. The new token generation process does the following:
- Creates a new token with the same access rights as the existing token.
- Invalidates the existing token.
Jamf Pro API examples: https://developer.jamf.com/apis/jamf-pro-api/index
For more details, please see below the jump.
Of the two, the Classic API is the one currently most used by Jamf Pro admins and the one I’ll be focusing on how to use it, using XML for input and output. The reasons that the Classic API is most used at this time are the following:
- The Classic API has been around the longest, so more Jamf Pro admins are familiar with it.
- Both XML input and output and JSON output are supported:
- There are various tools installed as part of macOS which allow XML parsing and manipulation when using Bash shell scripting.
- There are not tools installed as part of macOS which allow JSON parsing and manipulation when using Bash shell scripting.
Update – January 3, 2020: As Graham Pugh pointed out in the comments, I made a mistake originally on what can be done with JSON, where I stated that both JSON input and output were supported.
While you can both input and output XML, JSON can only be output. I’m updating the post to correct this.
There are tools available for macOS which allow easy JSON parsing and manipulation, with jq being an excellent example. However, they are not installed as part of macOS Catalina or earlier which means that its up to the Mac admin to make sure the relevant JSON parsing tools are installed and up to date on the Mac admin’s managed Macs.
In contrast, a number of XML parsing tools (like xmllint and xpath) are installed as part of macOS Catalina and earlier, which means that the Mac admin can currently rely on them being available if the Mac admin needs to run API-using scripts on managed Macs.
When using the Classic API, there are four commands available:
- DELETE
- GET
- PUT
- POST
DELETE = Deletes data from Jamf Pro
GET = Retrieves data from Jamf Pro
PUT = Updates data on Jamf Pro
POST = Creates new data on Jamf Pro
When sending one of these commands to Jamf Pro, you must include the following:
- Tool being used – In this case, we’re using curl
- Authentication – In this case, we’re using the username and password of a Jamf Pro user with the correct privileges to run the API command.
- URL – We’re using the API base URL followed by the specific API endpoint and data identifier
- -X or –request – We’re using the curl option for sending a request because we’re sending in a request for Jamf Pro to do something.
- Command being sent – This will be DELETE, GET, PUT or POST.
For all commands except DELETE, we also need to specify a header as this will specify for Jamf Pro if we’re using XML or JSON. Without this header specification, you should get XML but Jamf Pro may send back JSON instead. By specifying XML or JSON using the header, we avoid this issue.
The reason why DELETE is an exception is that we’re not sending or receiving any XML or JSON data. Instead, the Jamf Pro server receives and executes the command to delete the specified data.
Headers:
GET
The header should look like this for XML output:
-H "accept: application/xml"
The header should look like this for JSON output:
-H "accept: application/json"
PUT
The header should look like this for XML input:
-H "content-type: application/xml"
POST
The header should look like this for XML input:
-H "content-type: application/xml"
If you look closely, GET is using different headers than PUT and POST are:
GET
-H "accept: application/xml"
PUT / POST
-H "content-type: application/xml"
Why? It has to do with which way that data is expected to flow. With GET, you’re downloading data from the server and with PUT / POST, you’re uploading to the server. So with a GET command, setting accept: as part of the header lets the Jamf Pro server know how you’re planning to receive the data. For PUT / POST, setting content-type: as part of the header lets the Jamf Pro server know what to expect what kind of content it should be expecting for the data being uploaded to it.
Using GET
Let’s take a look at some GET examples, using Jamf’s tryitout.jamfcloud.com server. This server doesn’t require authentication, but I’m going to add the curl options for sending username and password as part of the command so that the command matches what a normal Jamf Pro server should be sent.
curl -su username:password "https://tryitout.jamfcloud.com/JSSResource/accounts" -H "accept: application/xml" -X GET
When I run that, I get the following XML output:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| username@computername ~ % curl -su username:password "https://tryitout.jamfcloud.com/JSSResource/accounts" -H "accept: application/xml" -X GET | |
| <?xml version="1.0" encoding="UTF-8"?><accounts><users><user><id>2</id><name>apigee</name></user><user><id>3</id><name>jnuc</name></user><user><id>1</id><name>jssadmin</name></user></users><groups/></accounts> | |
| username@computername ~ % |
That could use some improvement for readability, so next let’s pipe it through xmllint’s formatting option to make it look nicer.
curl -su username:password "https://tryitout.jamfcloud.com/JSSResource/accounts" -H "accept: application/xml" -X GET | xmllint --format -
Note: When using xmllint’s formatting option, you need to specify the file being formatted: xmllint –format /path/to/filename.xml. In order to have it format standard input, like we’re trying to do in this example by piping the output to xmllint, the filename used is a single dash ( – ).
When I run that, I get the following output:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| username@computername ~ % curl -su username:password "https://tryitout.jamfcloud.com/JSSResource/accounts" -H "accept: application/xml" -X GET | xmllint –format – | |
| <?xml version="1.0" encoding="UTF-8"?> | |
| <accounts> | |
| <users> | |
| <user> | |
| <id>2</id> | |
| <name>apigee</name> | |
| </user> | |
| <user> | |
| <id>3</id> | |
| <name>jnuc</name> | |
| </user> | |
| <user> | |
| <id>1</id> | |
| <name>jssadmin</name> | |
| </user> | |
| </users> | |
| <groups/> | |
| </accounts> | |
| username@computername ~ % |
That output lists all accounts and gives me two pieces of information about each account:
- ID
- Name
Normally, the API only gives me the option about pulling additional data about something specific by using its ID number. However, for accounts, I’m also given the option of doing a lookup by account name.
- By ID: https://tryitout.jamfcloud.com/JSSResource/accounts/userid/id_number_goes_here
- By Name: https://tryitout.jamfcloud.com/JSSResource/accounts/username/username_goes_here
From there, I can pull out information about the following account using either the username or ID:
Username: jnuc
ID: 3
By ID: https://tryitout.jamfcloud.com/JSSResource/accounts/userid/3
curl -su username:password "https://tryitout.jamfcloud.com/JSSResource/accounts/userid/3" -H "accept: application/xml" -X GET | xmllint --format -
By Name: https://tryitout.jamfcloud.com/JSSResource/accounts/username/jnuc
curl -su username:password "https://tryitout.jamfcloud.com/JSSResource/accounts/username/jnuc" -H "accept: application/xml" -X GET | xmllint --format -
Since both API requests are ultimately referring to the same data, you should get identical output:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <account> | |
| <id>3</id> | |
| <name>jnuc</name> | |
| <directory_user>false</directory_user> | |
| <full_name/> | |
| <email/> | |
| <email_address/> | |
| <password_sha256 since="9.32">bb838aece502c44a6b62b049781e39410b3122d5d81596b43d0bed9234dd662b</password_sha256> | |
| <enabled>Enabled</enabled> | |
| <force_password_change>false</force_password_change> | |
| <access_level>Full Access</access_level> | |
| <privilege_set>Custom</privilege_set> | |
| <privileges> | |
| <jss_objects> | |
| <privilege>Create Self Service Branding Configuration</privilege> | |
| <privilege>Read Self Service Branding Configuration</privilege> | |
| <privilege>Update Self Service Branding Configuration</privilege> | |
| <privilege>Delete Self Service Branding Configuration</privilege> | |
| <privilege>Create Patch Policies</privilege> | |
| <privilege>Read Patch Policies</privilege> | |
| <privilege>Update Patch Policies</privilege> | |
| <privilege>Delete Patch Policies</privilege> | |
| <privilege>Create Personal Device Configurations</privilege> | |
| <privilege>Read Personal Device Configurations</privilege> | |
| <privilege>Update Personal Device Configurations</privilege> | |
| <privilege>Delete Personal Device Configurations</privilege> | |
| <privilege>Create Push Certificates</privilege> | |
| <privilege>Read Push Certificates</privilege> | |
| <privilege>Update Push Certificates</privilege> | |
| <privilege>Delete Push Certificates</privilege> | |
| <privilege>Create Device Name Patterns</privilege> | |
| <privilege>Read Device Name Patterns</privilege> | |
| <privilege>Update Device Name Patterns</privilege> | |
| <privilege>Delete Device Name Patterns</privilege> | |
| <privilege>Create Attachment Assignments</privilege> | |
| <privilege>Read Attachment Assignments</privilege> | |
| <privilege>Update Attachment Assignments</privilege> | |
| <privilege>Delete Attachment Assignments</privilege> | |
| <privilege>Create Patch External Source</privilege> | |
| <privilege>Read Patch External Source</privilege> | |
| <privilege>Update Patch External Source</privilege> | |
| <privilege>Delete Patch External Source</privilege> | |
| <privilege>Create Keystore</privilege> | |
| <privilege>Read Keystores</privilege> | |
| <privilege>Update Keystores</privilege> | |
| <privilege>Delete Keystores</privilege> | |
| <privilege>Create AirPlay Permissions</privilege> | |
| <privilege>Read AirPlay Permissions</privilege> | |
| <privilege>Update AirPlay Permissions</privilege> | |
| <privilege>Delete AirPlay Permissions</privilege> | |
| <privilege>Create PreStages</privilege> | |
| <privilege>Read PreStages</privilege> | |
| <privilege>Update PreStages</privilege> | |
| <privilege>Delete PreStages</privilege> | |
| <privilege>Create Departments</privilege> | |
| <privilege>Read Departments</privilege> | |
| <privilege>Update Departments</privilege> | |
| <privilege>Delete Departments</privilege> | |
| <privilege>Create Static Computer Groups</privilege> | |
| <privilege>Read Static Computer Groups</privilege> | |
| <privilege>Update Static Computer Groups</privilege> | |
| <privilege>Delete Static Computer Groups</privilege> | |
| <privilege>Create Static User Groups</privilege> | |
| <privilege>Read Static User Groups</privilege> | |
| <privilege>Update Static User Groups</privilege> | |
| <privilege>Delete Static User Groups</privilege> | |
| <privilege>Create Computer Extension Attributes</privilege> | |
| <privilege>Read Computer Extension Attributes</privilege> | |
| <privilege>Update Computer Extension Attributes</privilege> | |
| <privilege>Delete Computer Extension Attributes</privilege> | |
| <privilege>Create Disk Encryption Configurations</privilege> | |
| <privilege>Read Disk Encryption Configurations</privilege> | |
| <privilege>Update Disk Encryption Configurations</privilege> | |
| <privilege>Delete Disk Encryption Configurations</privilege> | |
| <privilege>Create Inventory Preload Records</privilege> | |
| <privilege>Read Inventory Preload Records</privilege> | |
| <privilege>Update Inventory Preload Records</privilege> | |
| <privilege>Delete Inventory Preload Records</privilege> | |
| <privilege>Create Advanced Mobile Device Searches</privilege> | |
| <privilege>Read Advanced Mobile Device Searches</privilege> | |
| <privilege>Update Advanced Mobile Device Searches</privilege> | |
| <privilege>Delete Advanced Mobile Device Searches</privilege> | |
| <privilege>Create Smart Mobile Device Groups</privilege> | |
| <privilege>Read Smart Mobile Device Groups</privilege> | |
| <privilege>Update Smart Mobile Device Groups</privilege> | |
| <privilege>Delete Smart Mobile Device Groups</privilege> | |
| <privilege>Create LDAP Servers</privilege> | |
| <privilege>Read LDAP Servers</privilege> | |
| <privilege>Update LDAP Servers</privilege> | |
| <privilege>Delete LDAP Servers</privilege> | |
| <privilege>Create Scripts</privilege> | |
| <privilege>Read Scripts</privilege> | |
| <privilege>Update Scripts</privilege> | |
| <privilege>Delete Scripts</privilege> | |
| <privilege>Create Licensed Software</privilege> | |
| <privilege>Read Licensed Software</privilege> | |
| <privilege>Update Licensed Software</privilege> | |
| <privilege>Delete Licensed Software</privilege> | |
| <privilege>Create Mobile Device PreStage Enrollments</privilege> | |
| <privilege>Read Mobile Device PreStage Enrollments</privilege> | |
| <privilege>Update Mobile Device PreStage Enrollments</privilege> | |
| <privilege>Delete Mobile Device PreStage Enrollments</privilege> | |
| <privilege>Create Printers</privilege> | |
| <privilege>Read Printers</privilege> | |
| <privilege>Update Printers</privilege> | |
| <privilege>Delete Printers</privilege> | |
| <privilege>Create Smart User Groups</privilege> | |
| <privilege>Read Smart User Groups</privilege> | |
| <privilege>Update Smart User Groups</privilege> | |
| <privilege>Delete Smart User Groups</privilege> | |
| <privilege>Create Mac Applications</privilege> | |
| <privilege>Read Mac Applications</privilege> | |
| <privilege>Update Mac Applications</privilege> | |
| <privilege>Delete Mac Applications</privilege> | |
| <privilege>Create Software Update Servers</privilege> | |
| <privilege>Read Software Update Servers</privilege> | |
| <privilege>Update Software Update Servers</privilege> | |
| <privilege>Delete Software Update Servers</privilege> | |
| <privilege>Create Webhooks</privilege> | |
| <privilege>Read Webhooks</privilege> | |
| <privilege>Update Webhooks</privilege> | |
| <privilege>Delete Webhooks</privilege> | |
| <privilege>Create Mobile Device Enrollment Invitations</privilege> | |
| <privilege>Read Mobile Device Enrollment Invitations</privilege> | |
| <privilege>Update Mobile Device Enrollment Invitations</privilege> | |
| <privilege>Delete Mobile Device Enrollment Invitations</privilege> | |
| <privilege>Create NetBoot Servers</privilege> | |
| <privilege>Read NetBoot Servers</privilege> | |
| <privilege>Update NetBoot Servers</privilege> | |
| <privilege>Delete NetBoot Servers</privilege> | |
| <privilege>Create Mobile Device Extension Attributes</privilege> | |
| <privilege>Read Mobile Device Extension Attributes</privilege> | |
| <privilege>Update Mobile Device Extension Attributes</privilege> | |
| <privilege>Delete Mobile Device Extension Attributes</privilege> | |
| <privilege>Create Directory Bindings</privilege> | |
| <privilege>Read Directory Bindings</privilege> | |
| <privilege>Update Directory Bindings</privilege> | |
| <privilege>Delete Directory Bindings</privilege> | |
| <privilege>Create iOS Configuration Profiles</privilege> | |
| <privilege>Read iOS Configuration Profiles</privilege> | |
| <privilege>Update iOS Configuration Profiles</privilege> | |
| <privilege>Delete iOS Configuration Profiles</privilege> | |
| <privilege>Create Sites</privilege> | |
| <privilege>Read Sites</privilege> | |
| <privilege>Update Sites</privilege> | |
| <privilege>Delete Sites</privilege> | |
| <privilege>Create JSON Web Token Configuration</privilege> | |
| <privilege>Read JSON Web Token Configuration</privilege> | |
| <privilege>Update JSON Web Token Configuration</privilege> | |
| <privilege>Delete JSON Web Token Configuration</privilege> | |
| <privilege>Create Managed Preference Profiles</privilege> | |
| <privilege>Read Managed Preference Profiles</privilege> | |
| <privilege>Update Managed Preference Profiles</privilege> | |
| <privilege>Delete Managed Preference Profiles</privilege> | |
| <privilege>Create Mobile Device Managed App Configurations</privilege> | |
| <privilege>Read Mobile Device Managed App Configurations</privilege> | |
| <privilege>Update Mobile Device Managed App Configurations</privilege> | |
| <privilege>Delete Mobile Device Managed App Configurations</privilege> | |
| <privilege>Create Advanced Computer Searches</privilege> | |
| <privilege>Read Advanced Computer Searches</privilege> | |
| <privilege>Update Advanced Computer Searches</privilege> | |
| <privilege>Delete Advanced Computer Searches</privilege> | |
| <privilege>Create Packages</privilege> | |
| <privilege>Read Packages</privilege> | |
| <privilege>Update Packages</privilege> | |
| <privilege>Delete Packages</privilege> | |
| <privilege>Create Personal Device Profiles</privilege> | |
| <privilege>Read Personal Device Profiles</privilege> | |
| <privilege>Update Personal Device Profiles</privilege> | |
| <privilege>Delete Personal Device Profiles</privilege> | |
| <privilege>Create Network Integration</privilege> | |
| <privilege>Read Network Integration</privilege> | |
| <privilege>Update Network Integration</privilege> | |
| <privilege>Delete Network Integration</privilege> | |
| <privilege>Create Distribution Points</privilege> | |
| <privilege>Read Distribution Points</privilege> | |
| <privilege>Update Distribution Points</privilege> | |
| <privilege>Delete Distribution Points</privilege> | |
| <privilege>Create Self Service Bookmarks</privilege> | |
| <privilege>Read Self Service Bookmarks</privilege> | |
| <privilege>Update Self Service Bookmarks</privilege> | |
| <privilege>Delete Self Service Bookmarks</privilege> | |
| <privilege>Create Infrastructure Managers</privilege> | |
| <privilege>Read Infrastructure Managers</privilege> | |
| <privilege>Update Infrastructure Managers</privilege> | |
| <privilege>Delete Infrastructure Managers</privilege> | |
| <privilege>Create macOS Configuration Profiles</privilege> | |
| <privilege>Read macOS Configuration Profiles</privilege> | |
| <privilege>Update macOS Configuration Profiles</privilege> | |
| <privilege>Delete macOS Configuration Profiles</privilege> | |
| <privilege>Create User Extension Attributes</privilege> | |
| <privilege>Read User Extension Attributes</privilege> | |
| <privilege>Update User Extension Attributes</privilege> | |
| <privilege>Delete User Extension Attributes</privilege> | |
| <privilege>Create Dock Items</privilege> | |
| <privilege>Read Dock Items</privilege> | |
| <privilege>Update Dock Items</privilege> | |
| <privilege>Delete Dock Items</privilege> | |
| <privilege>Create Disk Encryption Institutional Configurations</privilege> | |
| <privilege>Read Disk Encryption Institutional Configurations</privilege> | |
| <privilege>Update Disk Encryption Institutional Configurations</privilege> | |
| <privilege>Delete Disk Encryption Institutional Configurations</privilege> | |
| <privilege>Create VPP Invitations</privilege> | |
| <privilege>Read VPP Invitations</privilege> | |
| <privilege>Update VPP Invitations</privilege> | |
| <privilege>Delete VPP Invitations</privilege> | |
| <privilege>Create Categories</privilege> | |
| <privilege>Read Categories</privilege> | |
| <privilege>Update Categories</privilege> | |
| <privilege>Delete Categories</privilege> | |
| <privilege>Create VPP Administrator Accounts</privilege> | |
| <privilege>Read VPP Administrator Accounts</privilege> | |
| <privilege>Update VPP Administrator Accounts</privilege> | |
| <privilege>Delete VPP Administrator Accounts</privilege> | |
| <privilege>Create Device Enrollment Program Instances</privilege> | |
| <privilege>Read Device Enrollment Program Instances</privilege> | |
| <privilege>Update Device Enrollment Program Instances</privilege> | |
| <privilege>Delete Device Enrollment Program Instances</privilege> | |
| <privilege>Create Mobile Devices</privilege> | |
| <privilege>Read Mobile Devices</privilege> | |
| <privilege>Update Mobile Devices</privilege> | |
| <privilege>Delete Mobile Devices</privilege> | |
| <privilege>Create Advanced User Content Searches</privilege> | |
| <privilege>Read Advanced User Content Searches</privilege> | |
| <privilege>Update Advanced User Content Searches</privilege> | |
| <privilege>Delete Advanced User Content Searches</privilege> | |
| <privilege>Read Accounts</privilege> | |
| <privilege>Create Push Certificates</privilege> | |
| <privilege>Read Push Certificates</privilege> | |
| <privilege>Update Push Certificates</privilege> | |
| <privilege>Delete Push Certificates</privilege> | |
| <privilege>Create File Attachments</privilege> | |
| <privilege>Read File Attachments</privilege> | |
| <privilege>Update File Attachments</privilege> | |
| <privilege>Delete File Attachments</privilege> | |
| <privilege>Create Network Segments</privilege> | |
| <privilege>Read Network Segments</privilege> | |
| <privilege>Update Network Segments</privilege> | |
| <privilege>Delete Network Segments</privilege> | |
| <privilege>Create Configurations</privilege> | |
| <privilege>Read Configurations</privilege> | |
| <privilege>Update Configurations</privilege> | |
| <privilege>Delete Configurations</privilege> | |
| <privilege>Create VPP Assignment</privilege> | |
| <privilege>Read VPP Assignment</privilege> | |
| <privilege>Update VPP Assignment</privilege> | |
| <privilege>Delete VPP Assignment</privilege> | |
| <privilege>Create Buildings</privilege> | |
| <privilege>Read Buildings</privilege> | |
| <privilege>Update Buildings</privilege> | |
| <privilege>Delete Buildings</privilege> | |
| <privilege>Create Computer Enrollment Invitations</privilege> | |
| <privilege>Read Computer Enrollment Invitations</privilege> | |
| <privilege>Update Computer Enrollment Invitations</privilege> | |
| <privilege>Delete Computer Enrollment Invitations</privilege> | |
| <privilege>Create Provisioning Profiles</privilege> | |
| <privilege>Read Provisioning Profiles</privilege> | |
| <privilege>Update Provisioning Profiles</privilege> | |
| <privilege>Delete Provisioning Profiles</privilege> | |
| <privilege>Create Restricted Software</privilege> | |
| <privilege>Read Restricted Software</privilege> | |
| <privilege>Update Restricted Software</privilege> | |
| <privilege>Delete Restricted Software</privilege> | |
| <privilege>Create Advanced User Searches</privilege> | |
| <privilege>Read Advanced User Searches</privilege> | |
| <privilege>Update Advanced User Searches</privilege> | |
| <privilege>Delete Advanced User Searches</privilege> | |
| <privilege>Create Patch Management Software Titles</privilege> | |
| <privilege>Read Patch Management Software Titles</privilege> | |
| <privilege>Update Patch Management Software Titles</privilege> | |
| <privilege>Delete Patch Management Software Titles</privilege> | |
| <privilege>Create Smart Computer Groups</privilege> | |
| <privilege>Read Smart Computer Groups</privilege> | |
| <privilege>Update Smart Computer Groups</privilege> | |
| <privilege>Delete Smart Computer Groups</privilege> | |
| <privilege>Create Computers</privilege> | |
| <privilege>Read Computers</privilege> | |
| <privilege>Update Computers</privilege> | |
| <privilege>Delete Computers</privilege> | |
| <privilege>Create Static Mobile Device Groups</privilege> | |
| <privilege>Read Static Mobile Device Groups</privilege> | |
| <privilege>Update Static Mobile Device Groups</privilege> | |
| <privilege>Delete Static Mobile Device Groups</privilege> | |
| <privilege>Create Classes</privilege> | |
| <privilege>Read Classes</privilege> | |
| <privilege>Update Classes</privilege> | |
| <privilege>Delete Classes</privilege> | |
| <privilege>Create Peripheral Types</privilege> | |
| <privilege>Read Peripheral Types</privilege> | |
| <privilege>Update Peripheral Types</privilege> | |
| <privilege>Delete Peripheral Types</privilege> | |
| <privilege>Create User</privilege> | |
| <privilege>Read User</privilege> | |
| <privilege>Update User</privilege> | |
| <privilege>Delete User</privilege> | |
| <privilege>Create Enrollment Profiles</privilege> | |
| <privilege>Read Enrollment Profiles</privilege> | |
| <privilege>Update Enrollment Profiles</privilege> | |
| <privilege>Delete Enrollment Profiles</privilege> | |
| <privilege>Create Allowed File Extension</privilege> | |
| <privilege>Read Allowed File Extension</privilege> | |
| <privilege>Delete Allowed File Extension</privilege> | |
| <privilege>Create Mobile Device Applications</privilege> | |
| <privilege>Read Mobile Device Applications</privilege> | |
| <privilege>Update Mobile Device Applications</privilege> | |
| <privilege>Delete Mobile Device Applications</privilege> | |
| <privilege>Create eBooks</privilege> | |
| <privilege>Read eBooks</privilege> | |
| <privilege>Update eBooks</privilege> | |
| <privilege>Delete eBooks</privilege> | |
| <privilege>Create Maintenance Pages</privilege> | |
| <privilege>Read Maintenance Pages</privilege> | |
| <privilege>Update Maintenance Pages</privilege> | |
| <privilege>Delete Maintenance Pages</privilege> | |
| <privilege>Create iBeacon</privilege> | |
| <privilege>Read iBeacon</privilege> | |
| <privilege>Update iBeacon</privilege> | |
| <privilege>Delete iBeacon</privilege> | |
| <privilege>Create Removable MAC Address</privilege> | |
| <privilege>Read Removable MAC Address</privilege> | |
| <privilege>Update Removable MAC Address</privilege> | |
| <privilege>Delete Removable MAC Address</privilege> | |
| <privilege>Create Policies</privilege> | |
| <privilege>Read Policies</privilege> | |
| <privilege>Update Policies</privilege> | |
| <privilege>Delete Policies</privilege> | |
| <privilege>Create Computer PreStage Enrollments</privilege> | |
| <privilege>Read Computer PreStage Enrollments</privilege> | |
| <privilege>Update Computer PreStage Enrollments</privilege> | |
| <privilege>Delete Computer PreStage Enrollments</privilege> | |
| </jss_objects> | |
| <jss_settings/> | |
| <jss_actions> | |
| <privilege>Assign Users to Mobile Devices</privilege> | |
| <privilege>Send Email to End Users via JSS</privilege> | |
| <privilege>Send Computer Remote Lock Command</privilege> | |
| <privilege>Send Computer Remote Wipe Command</privilege> | |
| <privilege>Send Computer Unmanage Command</privilege> | |
| <privilege>Send Computer Unlock User Account Command</privilege> | |
| <privilege>Send Computer Delete User Account Command</privilege> | |
| <privilege>Send Computer Remote Command to Download and Install OS X Update</privilege> | |
| <privilege>Send Computer Bluetooth Command</privilege> | |
| <privilege>Send Computer Remote Desktop Command</privilege> | |
| <privilege>Send Inventory Requests to Mobile Devices</privilege> | |
| <privilege>Send Mobile Device Remote Lock Command</privilege> | |
| <privilege>Send Mobile Device Remove Passcode Command</privilege> | |
| <privilege>Send Mobile Device Remove Restrictions Password Command</privilege> | |
| <privilege>Send Mobile Device Remote Wipe Command</privilege> | |
| <privilege>Send Mobile Device Managed Settings Command</privilege> | |
| <privilege>Send Mobile Device Mirroring Command</privilege> | |
| <privilege>Send Mobile Device Set Wallpaper Command</privilege> | |
| <privilege>Send Blank Pushes to Mobile Devices</privilege> | |
| <privilege>Send Mobile Device Enable Voice Roaming Command</privilege> | |
| <privilege>Send Mobile Device Disable Voice Roaming Command</privilege> | |
| <privilege>Send Mobile Device Enable Data Roaming Command</privilege> | |
| <privilege>Send Mobile Device Disable Data Roaming Command</privilege> | |
| <privilege>Send Mobile Device Set Device Name Command</privilege> | |
| <privilege>Send Mobile Device Remote Command to Download and Install iOS Update</privilege> | |
| <privilege>Send Mobile Device Lost Mode Command</privilege> | |
| <privilege>Send Mobile Device Shared iPad Commands</privilege> | |
| <privilege>Send Mobile Device Diagnostics and Usage Reporting and App Analytics Commands</privilege> | |
| <privilege>Send Mobile Device Restart Device Command</privilege> | |
| <privilege>Send Messages to Self Service Mobile</privilege> | |
| <privilege>Send Update Passcode Lock Grace Period Command</privilege> | |
| <privilege>Send Mobile Device Shut Down Command</privilege> | |
| <privilege>Send Mobile Device Bluetooth Command</privilege> | |
| <privilege>Send Mobile Device Personal Hotspot Command</privilege> | |
| </jss_actions> | |
| <recon/> | |
| <casper_admin> | |
| <privilege>Use Casper Admin</privilege> | |
| <privilege>Save With Casper Admin</privilege> | |
| </casper_admin> | |
| <casper_remote/> | |
| <casper_imaging/> | |
| </privileges> | |
| </account> |
Using POST
When you want to upload all-new data to the Jamf Pro server via the API, you would use the POST command. This command requires that the data be sent along with the API command, so you would need to have either the XML written out as part of the API command or in a file. One important thing to know when using POST is that the ID used is always going to be the number 0. Jamf Pro will interpret an ID of zero as meaning that Jamf Pro should assign the next available ID number to the uploaded data.
For example, if you want to create a new department named Art on your Jamf Pro server, you could use a command like the one shown below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl -su username:password "https://server.name.here/JSSResource/departments/id/0" -H "content-type: application/xml" -X POST -d '<department><name>Art</name></department>' |
In this example, the XML being used is pretty simple so we’re flattening out the necessary XML into one line and including it in the command. We’re also using curl’s -d option, which tells curl that it will be transmitting data along with the rest of the command.
If the data being sent along is a little unwieldy to include with the command, curl has a -T option for uploading a file. For example, if you wanted to create a smart group, you could write out the necessary XML into a file like the one shown below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <computer_group> | |
| <name>Clients with Firefox</name> | |
| <is_smart>true</is_smart> | |
| <site> | |
| <id>-1</id> | |
| <name>None</name> | |
| </site> | |
| <criteria> | |
| <size>1</size> | |
| <criterion> | |
| <name>Application Title</name> | |
| <priority>0</priority> | |
| <and_or>and</and_or> | |
| <search_type>is</search_type> | |
| <value>Firefox.app</value> | |
| <opening_paren>false</opening_paren> | |
| <closing_paren>false</closing_paren> | |
| </criterion> | |
| </criteria> | |
| </computer_group> |
Once you have the file ready, you could use a command like the one shown below to create the smart group:
curl -su username:password "https://server.name.here/JSSResource/computergroups/id/0" -H "content-type: application/xml" -X POST -T /path/to/filename.xml
Using PUT
When you want to update existing data to the Jamf Pro server via the API, you would use the PUT command. When using this, you would be targeting some existing data and changing one of the data’s existing attributes. A good example would be if you want to change the status of a policy from enabled to disabled. To do this with a policy which has an ID number of 27, you could use a command like the one shown below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl -su username:password "https://server.name.here/JSSResource/policies/id/27" -H "content-type: application/xml" -X PUT -d '<policy><general><enabled>false</enabled></general></policy>' |
Similar to the earlier POST example which uses a XML file, you can also used the -T option with PUT to upload a file. For example, if you wanted to update the distribution point associated with a network segment which has an ID number of 561, you could add the necessary data into an XML file like the one shown below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <network_segment> | |
| <name>172.16.1.0/24</name> | |
| <starting_address>172.16.1.0</starting_address> | |
| <ending_address>172.16.1.255</ending_address> | |
| <distribution_server/> | |
| <distribution_point>Cloud Distribution Point</distribution_point> | |
| <url>https://c611e35c8602.cloudfront.net</url> | |
| <netboot_server/> | |
| <swu_server/> | |
| <building/> | |
| <department/> | |
| <override_buildings>false</override_buildings> | |
| <override_departments>false</override_departments> | |
| </network_segment> |
Once you have the file ready, you could use a command like the one shown below to update the network segment:
curl -su username:password "https://server.name.here/JSSResource/networksegments/id/561" -H "content-type: application/xml" -X PUT -T /path/to/filename.xml
Using DELETE
When you want to delete data from the Jamf Pro server via the API, you would use the DELETE command. All you generally need with the DELETE command is the identifier for the data you want to remove, so the commands are simpler. No header info or specifying if you want to use XML or JSON is required.
For example, if you wanted to delete an existing computer inventory record which has the ID number of 1024, you can use a command like the one shown below to do so:
curl -su username:password "https://server.name.here/JSSResource/computers/id/1024" -X DELETE
Similarly, if you wanted to delete an existing network segment which has the ID number of 22, you could use a command like the one shown below:
curl -su username:password "https://server.name.here/JSSResource/networksegments/id/22" -X DELETE
Moving on to more advanced usage
You can use the Jamf Pro Classic API with scripting and other automation tools to accomplish some truly amazing administrative feats with Jamf Pro and the Jamf Pro API beta looks to build on that strong foundation. While the information in this post won’t solve all of your API-related issues, it does hopefully provide enough foundational support to get you started with using the Jamf Pro Classic API. Good luck!
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
“Both XML and JSON input and output are supported”
This is not true, unfortunately. You can request XML and JSON, but you can only send XML.
Now fixed in the post and thanks for catching that. I had previously missed the difference, but when I rechecked the documentation, it was clear on this point and you’re correct.
Rich, if one wanted to create an account in Jamf to use it when doing API calls, what kind of permissions would it need to authorize a call like this: curl -su username:password “https://tryitout.jamfcloud.com/JSSResource/accounts” -H “accept: application/xml” -X GE
Jamf has posted documentation on API privileges here: https://developer.jamf.com/jamf-pro/docs/classic-api-minimum-required-privileges-and-endpoint-mapping
Rich: https://tryitout.jamfcloud.com doesn’t seem to exist any longer.