Home - Jamf-Concepts/apiutil GitHub Wiki

GitHub release (latest by date) GitHub all releases

 

Jamf API Utility

A macOS app to simplify the creation of admin API scripts

 

Project Summary

The application has two components:

  1. A macOS GUI app where you'll enter connection information for your Jamf servers.

  2. A command-line binary used to access the connection information and simplify API calls.

Say we're writing a script to pull down information about all the computers enrolled in Jamf Pro. We would first need to write some code to obtain a bearer token using the API's auth endpoint, and if we're being diligent, we would add the ability to refresh tokens as they near expiration and invalidate them when they're no longer needed. Then we'd need a looping structure with some logic to fetch all pages from the /api/v1/computers-inventory API path, concatenating or processing the pages as we go.

The Jamf API Utility app simplifies all of that. Once we've saved our credentials, instead of writing the 50-line script described above, now it's just a one-liner...

jamfapi --path "/api/v1/computers-inventory"

The apiutil binary handles the rest.

Note: This project is intended for use by Jamf admins writing scripts to run on their own computers, not for scripts that run on the Macs they manage. Secrets sent to client devices, no matter the delivery mechanism or obfuscation used, are discoverable by users or malware. Secrets for cloud applications and functions should be handled using a secret manager supported by your cloud platform.

 

Installation and Configuration

Requirements

  • macOS 14.6 or greater
  • API access to one or more Jamf Products

Quick Start

1. Installation

Please only download the API Utility app from GitHub Releases. The app is signed by Jamf Software (483DWKW443).

Install the .app file in your Applications folder.

2. Configure a target

Open the app and click the Add button to enter an API user for a Jamf server. Don't add more than one for now.

The login information defaults to the "API Client" option by default but if you're not already familiar with those, switch that setting to "Username and password" and use that for now.

Don't check the box to require local user authentication down at the bottom. We'll cover that topic a little later.

3. Try it out

Open Terminal and enter a command:

Jamf Pro example:

/Applications/API\ Utility.app/Contents/MacOS/apiutil --path "/JSSResource/categories"

Jamf School example:

/Applications/API\ Utility.app/Contents/MacOS/apiutil --path "/api/locations"

The app will connect to your server and return the results.

 

Simplifying the Path to the Command Line Executable

The command-line binary we'll be calling from Terminal or our shell scripts is buried inside the API Utility app. It's inside the bundle's Contents/MacOS/ folder.

If the API Utility app is in your Applications folder, you could call the command line utility like this:

/Applications/API\ Utility.app/Contents/MacOS/apiutil ...

But that's a lot to type. We can create a shortcut so we can simply say jamfapi .... (Note that the examples in this documentation assume you've made an alias called "jamfapi" but you can call it whatever you want.)

If you only need the shortcut for your own account, you can add an alias in your shell configuration file. You can do that by editing your ~/.zshrc file by hand, or with this command line:

sh -c "echo '\nalias jamfapi=\"/Applications/API\ Utility.app/Contents/MacOS/apiutil\"' >> ~/.zshrc"

Now, any newly-created terminal session will have the "jamfapi" alias available. If you want to make the shortcut available in your current Terminal window, just reload the shell configuration file:

source ~/.zshrc

Now, we can do the exact same API call we did during the Quick Start, but this time with a much shorter path to the utility!

jamfapi --path "/JSSResource/categories"

Most users are now done with the setup and are all set to make API calls. But some coverage of special situations follow.

 

If you use bash rather than z-shell, please use these commands instead of the ones above. If you don't know the difference between bash and z-shell, you're almost definitely using z-shell and can ignore this section.

sh -c "echo '\nalias jamfapi=\"/Applications/API\ Utility.app/Contents/MacOS/apiutil\"' >> ~/.bash_profile"

source ~/.bash_profile

After updating your shell configuration file, you'll be able to use the jamfapi alias instead of the full path to the command line executable.

As an alternative to all of the above, if you want to make a simplified command path available to all users, all shells, and all editors, we can add a wrapper script to a directory that's already in macOS's default search path. /usr/local/bin is a commonly-used location.

sudo tee /usr/local/bin/jamfapi > /dev/null <<'EOF'
#!/bin/sh
"/Applications/API Utility.app/Contents/MacOS/apiutil" "$@"
EOF

sudo chown root:wheel /usr/local/bin/jamfapi
sudo chmod +x /usr/local/bin/jamfapi

In the remainder of this document, we'll be calling the command line utility as jamfapi rather than with the full path.

 

Managing API Targets

Launch the App to Manage your Targets

Targets are named combinations of Server URLs and login information. At least one API target must be created before using the command line portion of the utility.

To manage your targets, open the app and you'll see a list of any items that have been saved.

Add API targets using the "Add" button. To update a target, highlight it and click the "Modify" button. As a security precaution, you will need to re-enter the authentication secret any time you modify a target.

Configuring a Target

A data entry window will open when you click the "Add" or "Modify" buttons.

Start by selecting the product for your target. The authentication fields will change depending on your selection.

A target name is used to refer to the saved target when making API calls from the command line so they should be unique and descriptive.

Note: If you include a space in a name, you'll need to remember to double-quote it any time you reference it from the command line so it might be easiest to avoid using spaces.

In the example below, a target has previously been saved with the name "pro".

Enter a server URL and the login information for your product instance. Don't include a "/" at the end of the URL.

The "Require local authentication" option may be used to protect your saved credentials. When enabled, attempts to access the associated target information via the API Utility app will require macOS user authentication. Touch ID makes it easy. For more information on approaches to securing script secrets, please see "How to Keep a Secret". For information on how to authenticate a target on scripts that make repeated API calls, please see the Using Cached Credentials section of the Jamf Pro Examples page.

The padlock icon in the saved targets list screen indicates if user authentication is required to access the target.

Configuration details for Jamf's APIs appears below.

Jamf Pro

For Jamf Pro credentials, you may use either a Client ID and Secret, or a Username and Password.

You can and should create different API targets for different applications to limit the API authorization to only those operations that are required by an app. For example, if you are writing a reporting script, you can limit the scripts's user or client to read-only access when creating the login in Jamf Pro. To learn about the permissions required for the Jamf Pro API paths you use in your applications, please see the documentation for the Jamf Pro and Classic APIs.

Jamf Protect

Jamf Protect's graphQL API utilizes an API Client and Secret:

Jamf School

The Jamf School API uses a Network ID and API key for authentication:

 

Concept Project Notes

Terms of Use

This project is offered under the terms of the Jamf Concepts Use Agreement. The application and this documentation are Copyright 2025, Jamf Software LLC.

Sharing Your Feedback

We'd love to hear about your experience using the utility and suggestions for improvements. Please use GitHub Issues to contact us.