Jamf Pro End-users Integration

Jamf Pro End-users Integration

Scimify enables SCIM provisioning for Jamf Pro end-user accounts and user groups, allowing you to manage end-user access through your identity provider.

Overview

This integration pushes users and user groups to Jamf Pro via SCIM. End-user accounts and groups created in Jamf Pro will correspond to those from your identity provider.

Prerequisites

• A Jamf Pro instance
• Administrator access to Jamf Pro
• Ability to create API roles and clients

Configuration Steps

1. Create an API Role in Jamf Pro

1. Log into your Jamf Pro instance as an administrator
2. Navigate to Settings > System > API roles and clients
3. Click “New” in the API Roles section
4. Give the API role a name (e.g., “Scimify End-users Integration Role”)
5. Grant the API role the following privileges:
   • Create User
   • Read User
   • Update User
   • Delete User
   • Create Static User Groups
   • Read Static User Groups
   • Update Static User Groups
   • Delete Static User Groups
6. Save the API role

Note: Scimify uses a dedicated API client with this API role, which grants only the privileges above. That least-privilege approach means the integration does not require full Jamf Pro administrator rights on the automation principal; you scope the role to end-user and static user group management rather than broad admin access.

2. Create an API Client

1. In the same API roles and clients page, click “New” in the API Clients section
2. Give the API client a name (e.g., “Scimify End-users Integration”)
3. Select the API role created in Step 1
4. Click “Save” and copy the Client ID and Client Secret

3. Configure the Integration in Scimify

1. Navigate to the Integrations page in your Scimify admin console
2. Create a new Jamf Pro End-users integration instance
3. Enter the following configuration:
   • Instance URL: Enter your Jamf Pro instance URL (e.g., https://yourinstance.jamfcloud.com or https://jamf.company.com)
   • Client ID: Paste the Client ID from Step 2
   • Client Secret (API Key): Paste the Client Secret from Step 2
   • Instance Name (Optional): A friendly name to identify this integration instance
   • Group Description (Optional): Custom description for created groups (default: “Created via Scimify for tenant {tenant_id}“)

4. Configure Okta SCIM

Follow the Okta SCIM Configuration guide to set up SCIM provisioning in Okta.

How It Works

• When users and user groups are pushed from your IdP, Scimify will create corresponding end-user accounts and static user groups in Jamf Pro
• User and group names will match those from your IdP
• Users assigned to groups in your IdP will be added to the corresponding Jamf Pro static user groups
• Group renames and user profile updates: Renaming a group in your IdP updates the corresponding static user group in Jamf Pro. User profile changes are supported for first name, last name, and email.
• User deactivation: Jamf Pro does not offer a disabled or inactive status for end users. When a user is deactivated in your IdP, Scimify reflects that change by deleting the user in Jamf Pro—there is no separate “disabled” state to map to.
• Import from Jamf Pro: You can import users from Jamf Pro into your IdP as well—for example, with Okta’s Import flow for the SCIM app (application user import). That path brings existing Jamf users into the IdP alongside outbound provisioning from the IdP to Jamf.

Static User Groups

This integration creates and manages Static User Groups in Jamf Pro. These groups can be used for:

• Device management policies
• Application deployment
• Access control
• Compliance policies

Additional Resources

• Jamf Pro API Documentation
• Jamf Marketplace listing

Need Help?

If you encounter any issues during configuration, please contact [email protected] for assistance.