Providing Jamf Pro computer inventory information via macOS configuration profile
Jamf Pro can store and make available a lot of information about a particular computer and who is using it as part of the computer’s inventory record, but it can be challenging to access that information from the computer itself.
It is possible to use an API call to access this information, using either the Jamf Pro API or Jamf Pro’s Classic API, but that means providing a way to authenticate to the API. This may pose some security issues as you will need to both:
- Provide a way for the computer to access those authentication credentials
- Protect the authentication credentials from potentially malicious third parties
Fortunately, there is an alternative way to provide at least some inventory information without needing to make an API call. Jamf Pro provides a number of variables which can be used in macOS configuration profiles and it’s possible to leverage those variables to build a profile whose task is providing information from the computer’s inventory record in Jamf Pro in a way which can be accessed from the managed computer. For more details, please see below the jump.
The variables which are available to macOS configuration profiles as of Jamf Pro 10.44.0 are listed in the table shown below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Variable | Inventory Information | |
|---|---|---|
| $MANAGEMENTID | Device management ID assigned by Jamf Pro | |
| $COMPUTERNAME | Computer Name | |
| $SITENAME | Site Name | |
| $SITEID | Site ID | |
| $UDID | Computer UDID | |
| $SERIALNUMBER | Computer Serial Number | |
| $USERNAME | Username associated with the computer in Jamf Pro (computer-level profiles only) Username of the user logging in to the computer (user-level profiles only) |
|
| $FULLNAME or $REALNAME | Full Name | |
| Email Address | ||
| $PHONE | Phone Number | |
| $POSITION | Position | |
| $DEPARTMENTNAME | Department Name | |
| $DEPARTMENTID | Department ID | |
| $BUILDINGNAME | Building Name | |
| $BUILDINGID | Building ID | |
| $ROOM | Room | |
| $MACADDRESS | MAC Address | |
| $JSSID | Jamf Pro ID | |
| $PROFILEJSSID | Jamf Pro ID of the Configuration Profile | |
| $EXTENSIONATTRIBUTE_# | Extension Attribute ID Number Note: The ID number is found in the extension attribute URL. In the example URL below,"id=2" indicates the extension attribute ID number: https://JAMF_PRO_URL.jamfcloud.com/computerExtensionAttributes.html?id=2&o=r |
I’ve used them to build a profile which will pull the information associated with the variables below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $JSSID | |
| $COMPUTERNAME | |
| $MACADDRESS | |
| $SERIALNUMBER | |
| $UDID | |
| $REALNAME | |
| $BUILDINGID | |
| $BUILDINGNAME | |
| $DEPARTMENTNAME | |
| $DEPARTMENTID | |
| $POSITION | |
| $ROOM | |
| $PHONE | |
| $USERNAME | |
| $SITENAME | |
| $SITEID |
When deployed, the profile will pull the relevant information from the computer record in Jamf Pro and store it as part of the profile.
This information in turn can be read from a plist file which should appear in the /Library/Managed Preferences directory on the managed Macs which the profile is being deployed to. In this case, the profile is managing the com.company.information domain, which means that a file named com.company.information.plist should appear in /Library/Managed Preferences.
This information can then be read out of the /Library/Managed Preferences/com.company.information.plist file by either the defaults command or an alternate tool which can parse a plist file for information.
The example profile I’ve written is available below:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> | |
| <plist version="1"> | |
| <dict> | |
| <key>PayloadUUID</key> | |
| <string>6D198024-4389-441A-86F2-B2A3FAEA24BE</string> | |
| <key>PayloadType</key> | |
| <string>Configuration</string> | |
| <key>PayloadOrganization</key> | |
| <string>Company Name</string> | |
| <key>PayloadIdentifier</key> | |
| <string>6D198024-4389-441A-86F2-B2A3FAEA24BE</string> | |
| <key>PayloadDisplayName</key> | |
| <string>Computer Information</string> | |
| <key>PayloadDescription</key> | |
| <string/> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadEnabled</key> | |
| <true/> | |
| <key>PayloadRemovalDisallowed</key> | |
| <true/> | |
| <key>PayloadScope</key> | |
| <string>System</string> | |
| <key>PayloadContent</key> | |
| <array> | |
| <dict> | |
| <key>PayloadDisplayName</key> | |
| <string>Custom Settings</string> | |
| <key>PayloadIdentifier</key> | |
| <string>85586FBC-6B08-4451-B6CD-AA09BE2CC0A3</string> | |
| <key>PayloadOrganization</key> | |
| <string>JAMF Software</string> | |
| <key>PayloadType</key> | |
| <string>com.apple.ManagedClient.preferences</string> | |
| <key>PayloadUUID</key> | |
| <string>85586FBC-6B08-4451-B6CD-AA09BE2CC0A3</string> | |
| <key>PayloadVersion</key> | |
| <integer>1</integer> | |
| <key>PayloadContent</key> | |
| <dict> | |
| <key>com.company.information</key> | |
| <dict> | |
| <key>Forced</key> | |
| <array> | |
| <dict> | |
| <key>mcx_preference_settings</key> | |
| <dict> | |
| <key>Computer Jamf Pro ID Number</key> | |
| <string>$JSSID</string> | |
| <key>Computer Name</key> | |
| <string>$COMPUTERNAME</string> | |
| <key>Computer Network Connection MAC Address</key> | |
| <string>$MACADDRESS</string> | |
| <key>Computer Serial Number</key> | |
| <string>$SERIALNUMBER</string> | |
| <key>Computer UDID</key> | |
| <string>$UDID</string> | |
| <key>Computer User's Email Address</key> | |
| <string>$EMAIL</string> | |
| <key>Computer User's Name</key> | |
| <string>$REALNAME</string> | |
| <key>Computer User's Office Building ID</key> | |
| <string>$BUILDINGID</string> | |
| <key>Computer User's Office Building Name</key> | |
| <string>$BUILDINGNAME</string> | |
| <key>Computer User's Office Department</key> | |
| <string>$DEPARTMENTNAME</string> | |
| <key>Computer User's Office Department ID</key> | |
| <string>$DEPARTMENTID</string> | |
| <key>Computer User's Office Position</key> | |
| <string>$POSITION</string> | |
| <key>Computer User's Office Room Location</key> | |
| <string>$ROOM</string> | |
| <key>Computer User's Phone Number</key> | |
| <string>$PHONE</string> | |
| <key>Computer User's username</key> | |
| <string>$USERNAME</string> | |
| <key>Site</key> | |
| <string>$SITENAME</string> | |
| <key>Site ID</key> | |
| <string>$SITEID</string> | |
| </dict> | |
| </dict> | |
| </array> | |
| </dict> | |
| </dict> | |
| </dict> | |
| </array> | |
| </dict> | |
| </plist> |
Leave a comment
Recent Comments
 | Ben LeRoy on Losing a giant |
 | Peter-Erik on Downloading installer packages… |
 | nathanhaggard on Losing a giant |
 | andras0602 on Disabling login window clock d… |
 | Jeff on Losing a giant |
Der Flounder 
Few months ago I looked for a way how to get the JSS ID for API calls without more API calls. Using the same solution since then.
Did you figured out how to update the values once pushed to the client?
This might be solved by using the machines UUID, jamf_hostname + ‘/JSSResource/computers/udid/’ + local_uuid.
I have a POC here: https://github.com/lazymutt/Jamf-Pro-API-Sampler
Nice scripts; added it to my reading list.
Is it still possible to use the UUID for new Jamf Pro API? Thought it was only for the Classic API.
My question was more like how to update the values that were pushed to the client, ie. values for Room or Building.
From my perspective you’ll have to remove the profile from client, then push it again. Jamf Pro fills the placeholders with the current available values.
Good post.
Another way to get to more client info locally without an API callis using “sudo jamf recon -saveFormTo”.
In both ways I miss the info for Secure Boot Status. It seems to me that this info (at least on Apple Silicon) can not be queried from the CLI in an easy way and Jamf Pro gets this inventory info from the MDM Commands it sends to the client after an inventory updates succeeds. So Jamf Pro has it in the Server, but not in the reconForm or the payload variables.
It seems the only way to get this info to the client without API calls is a smartgroup on the criteria, then run a script with a defaults write putting it into a local plist. The complementing Smartgroup would run a script to do a defaults write with the opposite value into that plist.