README
¶
jamf-cli
Unified CLI for the Jamf platform. Supports Jamf Pro and Jamf Protect.
Documentation Wiki — full guides, configuration reference, and workflow recipes.
Installation
Homebrew (macOS and Linux)
brew install Jamf-Concepts/tap/jamf-cli
Binary releases
Download from GitHub Releases.
From source
go install github.com/Jamf-Concepts/jamf-cli/cmd/jamf-cli@latest
Quick Start
For interactive use, jamf-cli pro setup prompts for credentials so nothing is leaked to shell history, and stores them in the system keychain. Environment variables (JAMF_CLIENT_ID, JAMF_CLIENT_SECRET, etc.) are intended for automation workflows only — avoid setting them in interactive shells.
Jamf Pro
# One-time setup: prompts for credentials and stores them in the system keychain
jamf-cli pro setup --url https://jamf.company.com
# Instance health dashboard
jamf-cli pro overview
# List computers
jamf-cli pro comp list -o table
# Extract just the names
jamf-cli pro comp list --field name
# Export inventory
jamf-cli pro comp list -o csv --out-file inventory.csv
# Show the JSON template for creating a building
jamf-cli pro buildings create --scaffold
# Create or update a building by name (upsert)
echo '{"name":"HQ","streetAddress1":"1 Apple Park Way"}' | jamf-cli pro buildings apply
# Apply from a file without confirmation
jamf-cli pro buildings apply --from-file building.json --yes
# Delete a building by name
jamf-cli pro buildings delete-by-name "HQ" --yes
See the Setup Guide for the full walkthrough.
Features
Jamf Pro
- Full API coverage — Modern API (OpenAPI-generated) and Classic API (
/JSSResource/) commands overview— Instance dashboard with 37 parallel API calls: inventory, enrollment, MDM, alertsscope— View, add to, and remove from scope on policies, config profiles, restricted software, and apps — no XML editing required
Jamf Protect
- Full SDK coverage — Plans, analytics, analytic sets, exception sets, USB control, telemetry, prevent lists, unified logging filters, roles, users, groups, API clients, and org settings
overview— Instance dashboard with 14 parallel API calls: endpoints, security config, data forwarding, accessapply— Idempotent upsert: creates or replaces resources by name, with confirmationexport/import— Round-trip configuration as JSON or YAML. Plans and analytic sets use names (not IDs) for portability across tenants- Community analytics — Import YAML analytics from the jamf/jamfprotect repository
- Downloads — Installer packages, configuration profiles (.mobileconfig), and certificates
- Granular mutations — Add/remove rules on USB control sets, analytics on sets, exceptions on sets
Cross-product
--field— Extract a single field from any response:jamf-cli pro comp list --field idapply— Name-based upsert: creates if new, replaces if existing (with confirmation)delete-by-name— Delete a resource by name instead of ID (with collision detection)--scaffold— Print JSON templates for create/update commands with example values- Five output formats —
table,json,csv,yaml,plain - Auto-pagination —
--allfetches every page;--limitcaps results - Dry-run mode —
--dry-runpreviews writes without executing - Destructive safeguards — Delete and replace operations require
--yesconfirmation - System keychain — Secrets stored via macOS Keychain or Linux secret-service
- Jamf Platform Gateway — Route Jamf Pro through regional gateways with
--tenant-id
Configuration
Config file: ~/.config/jamf-cli/config.yaml
default-profile: prod
default-output: table
profiles:
prod:
url: https://jamf.company.com
auth-method: oauth2
client-id: abc123
client-secret: env:JAMF_PROD_SECRET
protect:
product: protect
url: https://tenant.protect.jamfcloud.com
auth-method: oauth2
client-id: keychain:jamf-cli/protect/client-id
client-secret: keychain:jamf-cli/protect/client-secret
# Platform Gateway auth (routes Jamf Pro through regional gateway)
platform-prod:
url: https://us.apigw.jamf.com
auth-method: platform
client-id: env:PLATFORM_CLIENT_ID
client-secret: env:PLATFORM_CLIENT_SECRET
tenant-id: e5b39e85-5ecd-4d40-9d13-02c7cf21c762
Jamf Pro supports three auth methods: oauth2, token, and platform. Jamf Protect uses oauth2 only. Three secret formats: env:VAR, file:/path, keychain:service/account.
Least privilege: When creating API roles for use with jamf-cli, grant only the privileges required for the endpoints you need to access. Jamf Pro maps each API endpoint to a specific privilege — consult the Privileges and Deprecations reference to determine the minimum set of permissions for your workflow.
See the wiki for full details: Configuration & Profiles · Secrets & Keychain
Command Structure
Each product has its own namespace:
jamf-cli pro <command> [subcommand] [flags] # Jamf Pro
jamf-cli protect <command> [subcommand] [flags] # Jamf Protect
Aliases
| Product | Command | Alias |
|---|---|---|
| Pro | computers |
comp |
| Pro | mobile-devices |
md |
| Pro | scripts |
scr |
| Pro | buildings |
bld |
| Pro | categories |
cat |
| Pro | departments |
dept |
| Protect | removable-storage-control-sets |
rscs |
| Protect | unified-logging-filters |
ulf |
| Protect | exception-sets |
es |
| Protect | analytic-sets |
as |
| Protect | action-configs |
ac |
| Protect | custom-prevent-lists |
cpl |
| Protect | api-clients |
apic |
| Protect | config-freeze |
cf |
| Root | config |
cfg |
Full command catalog: Command Reference · Output Formats · Common Workflows
Exit Codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid usage |
| 3 | Authentication error |
| 4 | Not found |
| 5 | Permission denied |
| 6 | Rate limited |
See Error Handling & Exit Codes for structured JSON errors, retry logic, and scripting patterns.
Shell Completion
jamf-cli completion install
Supports bash, zsh, fish, and PowerShell. See the Setup Guide for manual installation.
Development
make build # Build binary
make test # Run tests
make lint # Lint code
make generate # Generate commands from OpenAPI specs
See Architecture & Development for project structure and contributing guidelines.
Troubleshooting
Debug output
Add --verbose (or -v) to any command to print HTTP request and response details to stderr:
jamf-cli pro comp list --verbose
To capture debug output to a file:
jamf-cli pro comp list --verbose 2>debug.log
Authentication errors (exit code 3)
- Run
jamf-cli pro setup(orjamf-cli protect setup) to reconfigure credentials. - Verify the active profile with
jamf-cli config list. - Check that env vars (
JAMF_CLIENT_ID,JAMF_CLIENT_SECRET,JAMF_URL) are not overriding your config profile unintentionally. - For OAuth2, confirm the API client is enabled in Jamf Pro and has the required privileges.
Not found / permission errors (exit codes 4–5)
- Confirm the resource exists: try a
listcommand first. - Check that the API role has the minimum privileges for the endpoint. See Privileges and Deprecations.
Rate limiting (exit code 6)
jamf-cli retries automatically with exponential backoff when rate-limited. If you're consistently hitting limits, add --limit to reduce page sizes or introduce delays between commands in scripts.
Previewing changes safely
Use --dry-run (-n) to see what a write command would do without executing it:
jamf-cli pro buildings apply --from-file building.json --dry-run
Bugs and feature requests
Please file an issue in GitHub Issues.
License
Copyright (c) 2026 Jamf Software LLC.
This project is distributed under the MIT License.
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
jamf-cli
command
|
|
|
internal
|
|
|
registry
Package registry defines the shared interfaces and types used by all product command packages (pro, protect, etc.) and the root command.
|
Package registry defines the shared interfaces and types used by all product command packages (pro, protect, etc.) and the root command. |
|
scope
Package scope provides scope manipulation for Jamf Classic API resources.
|
Package scope provides scope manipulation for Jamf Classic API resources. |