Jamf Pro
Comprehensive Jamf Pro control plane — computers, mobile devices, users, smart/static groups, policies, configuration profiles, scripts, categories, buildings, departments, sites, patch management, restricted software, API roles + clients, and Self Service.
weave jamf
Env: JAMF_URL
Setup
Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.
Official API reference
weave commands for this module are checked against the vendor's published API.
| Variable | Description | Status |
|---|---|---|
| JAMF_URL | Required for authentication. | required |
| JAMF_CLIENT_ID | Required for authentication. | required |
| JAMF_CLIENT_SECRET | Required for authentication. | required |
Sanity-check the wiring:
weave secrets check
weave jamf --help
weave doctor # reports JAMF_URL status
Capabilities
What this module can do, by entity and verb. ✓ means a working CLI surface; · means not (yet) wired.
| Entity | find | list | show | do | snapshot | diff | apply |
|---|---|---|---|---|---|---|---|
| api-client | · | ✓ | · | · | ✓ | ✓ | · |
| api-role | · | ✓ | · | · | ✓ | ✓ | · |
| building | · | ✓ | · | · | ✓ | ✓ | ✓ |
| categories | · | · | · | · | ✓ | ✓ | ✓ |
| category | · | ✓ | · | · | · | · | · |
| computer | ✓ | ✓ | ✓ | ✓ | · | · | · |
| computer-inventory | · | · | · | · | ✓ | ✓ | · |
| config-profile | ✓ | ✓ | ✓ | · | · | · | · |
| configuration-profiles | · | · | · | · | ✓ | ✓ | ✓ |
| department | · | ✓ | · | · | ✓ | ✓ | ✓ |
| enrollment-status | · | · | · | · | · | · | · |
| group | ✓ | ✓ | ✓ | · | · | · | · |
| mdm-command-history | · | ✓ | · | · | · | · | · |
| mobile-config-profile | · | ✓ | · | · | · | · | · |
| mobile-configuration-profiles | · | · | · | · | ✓ | ✓ | · |
| mobile-device | ✓ | ✓ | ✓ | ✓ | · | · | · |
| mobile-device-group | · | ✓ | · | · | · | · | · |
| mobile-device-inventory | · | · | · | · | ✓ | ✓ | · |
| patch-policies | · | · | · | · | ✓ | ✓ | · |
| patch-policy | · | ✓ | · | · | · | · | · |
| patch-software-title | · | ✓ | · | · | · | · | · |
| policies | · | · | · | · | ✓ | ✓ | · |
| policy | ✓ | ✓ | ✓ | ✓ | · | · | · |
| restricted-software | · | ✓ | · | · | ✓ | ✓ | · |
| script | ✓ | ✓ | ✓ | · | ✓ | ✓ | ✓ |
| self-service-category | · | ✓ | · | · | · | · | · |
| self-service-policy | · | ✓ | · | · | · | · | · |
| site | · | ✓ | · | · | · | · | · |
| smart-group | · | ✓ | · | · | ✓ | ✓ | · |
| static-group | · | ✓ | · | · | ✓ | ✓ | · |
| user | ✓ | ✓ | ✓ | · | ✓ | ✓ | · |
Commands
Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.
find (7)
find computer
read: Find a computer by serial, name, or Jamf id.
weave jamf find computer <identifier>
find config-profile
read: Find a macOS configuration profile by name or id.
weave jamf find config-profile <identifier>
find group
read: Find a smart or static computer group by name or id.
weave jamf find group <identifier>
find mobile-device
read: Find a mobile device by serial, name, or Jamf id.
weave jamf find mobile-device <identifier>
find policy
read: Find a policy by name or id.
weave jamf find policy <identifier>
find script
read: Find a script by name or id.
weave jamf find script <identifier>
find user
read: Find a Jamf user by name, email, or id.
weave jamf find user <identifier>
list (23)
list api-clients
read: List API integrations / clients.
weave jamf list api-clients <arg>
list api-roles
read: List API roles.
weave jamf list api-roles <arg>
list buildings
read: List buildings.
weave jamf list buildings <arg>
list categories
read: List categories.
weave jamf list categories <arg>
list computers
read: List computers (inventory).
weave jamf list computers <arg>
list config-profiles
read: List macOS configuration profiles.
weave jamf list config-profiles <arg>
list departments
read: List departments.
weave jamf list departments <arg>
list groups
read: List smart + static computer groups.
weave jamf list groups <arg>
list mdm-command-history
read: MDM command history for one device (managementId).
weave jamf list mdm-command-history <arg>
list mobile-config-profiles
read: List iOS / iPadOS / tvOS configuration profiles.
weave jamf list mobile-config-profiles <arg>
list mobile-device-groups
read: List mobile-device groups.
weave jamf list mobile-device-groups <arg>
list mobile-devices
read: List enrolled mobile devices.
weave jamf list mobile-devices <arg>
list patch-policies
read: List patch policies.
weave jamf list patch-policies <arg>
list patch-software-titles
read: List patch software titles (read-only catalog).
weave jamf list patch-software-titles <arg>
list policies
read: List policies (Classic API).
weave jamf list policies <arg>
list restricted-software
read: List restricted software entries.
weave jamf list restricted-software <arg>
list scripts
read: List scripts (Pro API).
weave jamf list scripts <arg>
list self-service-categories
read: List Self Service-eligible categories.
weave jamf list self-service-categories <arg>
list self-service-policies
read: List policies that appear in Self Service (subset of policies).
weave jamf list self-service-policies <arg>
list sites
read: List sites.
weave jamf list sites <arg>
list smart-groups
read: List smart computer groups only.
weave jamf list smart-groups <arg>
list static-groups
read: List static computer groups only.
weave jamf list static-groups <arg>
list users
read: List Jamf-managed users (Classic API).
weave jamf list users <arg>
show (7)
show computer
read: Full inventory record for a computer id.
weave jamf show computer <computer-id>
show config-profile
read: Full record for one macOS configuration profile id.
weave jamf show config-profile <profile-id>
show group
read: Full record for one computer group id.
weave jamf show group <group-id>
show mobile-device
read: Full inventory record for a mobile device id.
weave jamf show mobile-device <device-id>
show policy
read: Full record for one policy id.
weave jamf show policy <policy-id>
show script
read: Full record for one script id (includes contents).
weave jamf show script <script-id>
show user
read: Full record for one Jamf user id.
weave jamf show user <user-id>
do (14)
do clear-passcode
write: Clear a mobile-device passcode (does not wipe data).
weave jamf do clear-passcode <management-id>
do disable-policy
write: Disable a policy by id (Classic API).
weave jamf do disable-policy <policy-id>
do enable-policy
write: Enable a policy by id (Classic API).
weave jamf do enable-policy <policy-id>
do execute-policy
write: Trigger a policy run on the next check-in for one computer.
weave jamf do execute-policy <policy-id>
do flush-failed-commands
write: Flush only Failed MDM commands for one device (alias for the common case).
weave jamf do flush-failed-commands <arg>
do flush-mdm-commands
write: Flush queued/failed MDM commands for a computer.
weave jamf do flush-mdm-commands <management-id>
do lock
write: Lock a computer or mobile device (managementId).
weave jamf do lock <management-id>
do restart
write: Restart a managed computer (macOS).
weave jamf do restart <management-id>
do restart-device
write: Restart a mobile device (iOS/iPadOS, supervised).
weave jamf do restart-device <management-id>
do shutdown
write: Shut down a managed computer (macOS).
weave jamf do shutdown <management-id>
do shutdown-device
write: Shut down a mobile device (iOS/iPadOS, supervised).
weave jamf do shutdown-device <management-id>
do unmanage
write: Remove device from Jamf management (preserves data).
weave jamf do unmanage <management-id>
do update-inventory
write: Force a device check-in / inventory refresh.
weave jamf do update-inventory <management-id>
do wipe
write: Erase a computer or mobile device (irreversible).
weave jamf do wipe <management-id>
watch (1)
watch enrollment-status
write: Watch a device's enrollment status until it transitions or a timeout.
weave jamf watch enrollment-status <arg>
snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).
State kinds
Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/jamf/.
configuration-profiles
All macOS configuration profiles (full apply via Classic XML).
State file skeleton
module: jamf
kind: configuration-profiles
items:
  - # <fields specific to this kind — see snapshot output>
mobile-configuration-profiles
All iOS / iPadOS / tvOS configuration profiles (snapshot + diff only).
State file skeleton
module: jamf
kind: mobile-configuration-profiles
items:
  - # <fields specific to this kind — see snapshot output>
computer-inventory
Computer inventory key fields keyed by serial (snapshot + diff for audit).
State file skeleton
module: jamf
kind: computer-inventory
items:
  - # <fields specific to this kind — see snapshot output>
mobile-device-inventory
Mobile-device inventory key fields keyed by serial (snapshot + diff for audit).
State file skeleton
module: jamf
kind: mobile-device-inventory
items:
  - # <fields specific to this kind — see snapshot output>
users
Jamf-managed users (snapshot + diff; create users in the Jamf dashboard).
State file skeleton
module: jamf
kind: users
items:
  - # <fields specific to this kind — see snapshot output>
smart-groups
Smart computer groups with criteria (snapshot + diff).
State file skeleton
module: jamf
kind: smart-groups
items:
  - # <fields specific to this kind — see snapshot output>
static-groups
Static computer groups with explicit member lists (snapshot + diff).
State file skeleton
module: jamf
kind: static-groups
items:
  - # <fields specific to this kind — see snapshot output>
policies
Jamf policies with scope, scripts, packages (snapshot + diff).
State file skeleton
module: jamf
kind: policies
items:
  - # <fields specific to this kind — see snapshot output>
scripts
Jamf scripts (full apply: create, update, delete via Pro API).
State file skeleton
module: jamf
kind: scripts
items:
  - # <fields specific to this kind — see snapshot output>
categories
Categories (full apply: create, update, delete via Pro API).
State file skeleton
module: jamf
kind: categories
items:
  - # <fields specific to this kind — see snapshot output>
buildings
Buildings (full apply: create, update, delete via Pro API).
State file skeleton
module: jamf
kind: buildings
items:
  - # <fields specific to this kind — see snapshot output>
departments
Departments (full apply: create, update, delete via Pro API).
State file skeleton
module: jamf
kind: departments
items:
  - # <fields specific to this kind — see snapshot output>
patch-policies
Patch policies (snapshot + diff for audit; apply via Jamf dashboard).
State file skeleton
module: jamf
kind: patch-policies
items:
  - # <fields specific to this kind — see snapshot output>
restricted-software
Restricted software entries (snapshot + diff; XML write path planned).
State file skeleton
module: jamf
kind: restricted-software
items:
  - # <fields specific to this kind — see snapshot output>
api-roles
API roles (snapshot + diff; privilege writes deferred).
State file skeleton
module: jamf
kind: api-roles
items:
  - # <fields specific to this kind — see snapshot output>
api-clients
API integrations / clients (snapshot + diff; secrets never round-tripped).
State file skeleton
module: jamf
kind: api-clients
items:
  - # <fields specific to this kind — see snapshot output>
Workflows
End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.
Daily fleet audit (drift detection)
Snapshot inventory + smart groups, commit to git, diff tomorrow.
weave jamf snapshot computer-inventory
weave jamf snapshot mobile-device-inventory
weave jamf snapshot smart-groups
git add .weave-state/jamf && git commit -m "jamf inventory $(date +%F)"
# … next day, in CI …
weave jamf diff computer-inventory # surface fleet churn
weave jamf diff smart-groups # spot smart-group criteria edits
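Added example, not part of weave or the original page: a check to run before the git add step above, so that a snapshot which happens to capture a credential (for instance inside a script body) is not committed. The .weave-state/jamf path is from this page; the patterns, function names and sample field names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not part of weave): block a commit when state files contain
# secret-looking values. The .weave-state/jamf path is from the page; the
# patterns, function names and sample field names are assumptions.

SECRET_RE='(client_?secret|password|passwd|api_?key|token)[[:space:]]*[:=][[:space:]]*[^[:space:]]'
KEY_RE='BEGIN [A-Z ]*PRIVATE KEY'

# Print "file:line" for each suspicious line (never the matched text, so the
# value is not copied into CI logs). Returns 0 if clean, 1 on findings,
# 2 if the directory does not exist.
scan_state_dir() {
    dir=${1:-.weave-state/jamf}
    [ -d "$dir" ] || { echo "state dir not found: $dir" >&2; return 2; }
    hits=$(grep -rnEi -e "$SECRET_RE" -e "$KEY_RE" \
        --include='*.yaml' --include='*.yml' "$dir" | cut -d: -f1,2) || true
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree: one clean file and one scripts snapshot whose
# script body embeds a credential. Prints the temp directory path.
make_sample_state() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/jamf.example.com"
    cat >"$root/jamf.example.com/categories.yaml" <<'EOF'
module: jamf
kind: categories
items:
  - name: Security
EOF
    cat >"$root/jamf.example.com/scripts.yaml" <<'EOF'
module: jamf
kind: scripts
items:
  - name: bind-to-directory
    contents: |
      #!/bin/bash
      password=CONSTRUCTED-not-a-real-secret
EOF
    printf '%s\n' "$root"
}

# Usage in the daily audit, before staging:
#   scan_state_dir .weave-state/jamf && git add .weave-state/jamf
```

The patterns are deliberately broad, so a hit means "review this line", not "this is a confirmed secret".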
Quarantine a lost laptop
Confirm the device, lock it, then erase if not recovered. Lock + wipe both refuse to run without --yes.
weave jamf find computer SN12345
weave jamf list mdm-command-history --device <managementId>
weave jamf do lock <managementId> --yes
weave jamf watch enrollment-status --device <managementId> --timeout 600
# if not recovered:
weave jamf do wipe <managementId> --yes
Onboard a Mac (re-enroll after re-image)
Force inventory, push the standard policy, watch for confirmation.
weave jamf find computer <serial>
weave jamf do update-inventory <managementId> --yes
weave jamf do execute-policy <policy-id> --device <managementId> --yes
weave jamf watch enrollment-status --device <managementId>
Roll out a configuration profile
Snapshot, edit YAML in PR review, diff, apply via Classic XML.
weave jamf snapshot configuration-profiles
$EDITOR .weave-state/jamf/<jamf-host>/configuration-profiles.yaml
weave jamf diff configuration-profiles
weave jamf apply configuration-profiles --yes
Standardize categories + departments + buildings
Single source of truth for org metadata in git, applied via the Pro API.
weave jamf snapshot categories
weave jamf snapshot departments
weave jamf snapshot buildings
$EDITOR .weave-state/jamf/<jamf-host>/{categories,departments,buildings}.yaml
weave jamf apply categories --yes && weave jamf apply departments --yes && weave jamf apply buildings --yes
Flush a stuck MDM command queue
Inspect history, then flush failed commands. Flush is destructive — --yes mandatory.
weave jamf list mdm-command-history --device <managementId>
weave jamf do flush-failed-commands --device <managementId> --yes
Terraform parity
For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.
| Terraform resource | weave equivalent |
|---|---|
| (no first-party Terraform provider) | weave ships the operator-facing 80% of Jamf as discoverable verbs. Comparison rows below are vs. the community deploymenttheory/jamf-pro provider; closest-sibling mapping is Meraki SM. |
| jamfpro_computer_extension_attribute | Not yet surfaced — extension attributes are a separate Pro API. Planned. |
| jamfpro_computer_inventory_collection_settings | weave jamf snapshot computer-inventory (snapshot+diff for audit) |
| jamfpro_smart_computer_group | weave jamf list/find smart-groups + snapshot smart-groups (snapshot+diff; criteria authored in dashboard) |
| jamfpro_static_computer_group | weave jamf list/find static-groups + snapshot static-groups |
| jamfpro_mobile_device_smart_group / jamfpro_mobile_device_static_group | weave jamf list mobile-device-groups |
| jamfpro_policy | weave jamf list/find/show policy + snapshot policies + do execute-policy / enable-policy / disable-policy; snapshot+diff (policy XML payloads are large per-payload typed blobs) |
| jamfpro_macos_configuration_profile_plist | weave jamf list/find/show config-profile + snapshot/apply configuration-profiles (full round-trip via Classic XML) |
| jamfpro_mobile_device_configuration_profile | weave jamf list/find mobile-config-profiles + snapshot mobile-configuration-profiles (snapshot+diff) |
| jamfpro_script | weave jamf list/find/show script + snapshot/apply scripts (full round-trip via Pro API) |
| jamfpro_category | weave jamf list categories + snapshot/apply categories (full round-trip) |
| jamfpro_building | weave jamf list buildings + snapshot/apply buildings (full round-trip) |
| jamfpro_department | weave jamf list departments + snapshot/apply departments (full round-trip) |
| jamfpro_site | weave jamf list sites (list-only — site changes are rare and cross-cut every other resource's scope) |
| jamfpro_patch_policy / jamfpro_patch_software_title | weave jamf list patch-policies / patch-software-titles + snapshot patch-policies (snapshot+diff; apply requires software-title configuration id resolution) |
| jamfpro_restricted_software | weave jamf list restricted-software + snapshot restricted-software; snapshot+diff (Classic XML write path) |
| jamfpro_api_role / jamfpro_api_integration | weave jamf list api-roles / api-clients + snapshot api-roles / api-clients (snapshot+diff only — client secrets cannot round-trip safely through YAML) |
| jamfpro_user / jamfpro_user_group | weave jamf list/find/show user + snapshot users (snapshot+diff — managed users are usually directory-driven) |
| (MDM commands — Lock, Wipe, Erase, ClearPasscode, etc.) | weave jamf do lock / wipe / restart / shutdown / unmanage / clear-passcode / restart-device / shutdown-device / update-inventory. Device-destructive verbs (wipe, lock, restart, shutdown, unmanage, flush-failed-commands) refuse to run without --yes. |
| (MDM command flush) | weave jamf do flush-mdm-commands / flush-failed-commands. Operational verb unique to weave — no Terraform equivalent. |
| (MDM command history) | weave jamf list mdm-command-history --device <managementId>. Operational verb unique to weave. |
| (enrollment watch) | weave jamf watch enrollment-status --device <id>. Operational verb unique to weave — useful right after re-enrollment, MDM provisioning, or DEP hand-offs. |
| Jamf Cloud tenant administration | (intentionally skipped) Account-level admin — usually not operator-visible. |
| LDAP server config | (intentionally skipped) Rarely changes; low value for round-trip. |
| DEP integrations | (intentionally skipped) Auth-gated by Apple Business Manager — out of scope. |
| (closest sibling: Meraki Systems Manager) | weave jamf list computers / mobile-devices + do wipe / lock / unenroll. MDM-platform sibling for cross-tool comparison. |
Troubleshooting & source
Run weave doctor — it reports which env vars (including JAMF_URL) are set and which are blank.
Re-run weave jamf diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.
The module lives at https://github.com/andy-broyles/weavewhatever/tree/main/src/weave/modules/jamf. File a bug or feature request at https://github.com/andy-broyles/weavewhatever/issues.