Unified CLI for the Jamf platform. Supports Jamf Pro and Jamf Protect.
Documentation Wiki — full guides, configuration reference, and workflow recipes.
Command Explorer — interactive showcase of all commands, searchable and filterable. Auto-updated on every merge.
brew install Jamf-Concepts/tap/jamf-cliDownload from GitHub Releases.
go install github.com/Jamf-Concepts/jamf-cli/cmd/jamf-cli@latestFor interactive use, jamf-cli pro setup prompts for credentials so nothing is leaked to shell history, and stores them in the system keychain. Environment variables (JAMF_CLIENT_ID, JAMF_CLIENT_SECRET, etc.) are intended for automation workflows only — avoid setting them in interactive shells.
# One-time setup: prompts for credentials and stores them in the system keychain
jamf-cli pro setup --url https://jamf.company.com
# Multi-instance setup (MSPs): bootstrap credentials for many instances at once
jamf-cli pro setup --from-file instances.txt --scope standard
# Instance health dashboard
jamf-cli pro overview
# List computers
jamf-cli pro comp list -o table
# Extract just the names
jamf-cli pro comp list --field name
# Export inventory
jamf-cli pro comp list -o csv --out-file inventory.csv
# Show the JSON template for creating a building
jamf-cli pro buildings create --scaffold
# Create or update a building by name (upsert)
echo '{"name":"HQ","streetAddress1":"1 Apple Park Way"}' | jamf-cli pro buildings apply
# Apply from a file without confirmation
jamf-cli pro buildings apply --from-file building.json --yes
# Delete a building by name
jamf-cli pro buildings delete --name "HQ" --yes
# Device actions by serial number
jamf-cli pro comp blank-push --serial C02X1234
jamf-cli pro comp redeploy-framework --serial C02X1234
jamf-cli pro comp erase --serial C02X1234 --yes
# Device actions targeting a group
jamf-cli pro comp blank-push --group "All Macs" --yes
jamf-cli pro md unmanage --group "Retired iPads" --yes --confirm-destructive
# Classic API MDM commands
jamf-cli pro comp lock --serial C02X1234 --yes --confirm-destructive
jamf-cli pro md update-inventory --id 42 --yes
# Device deep-dive
jamf-cli pro device C02X1234
# Fleet security report
jamf-cli pro report security -o table
# Run a command against multiple instances
jamf-cli multi --filter 'pro-*' -- pro buildings apply --from-file building.json --yesSee the Setup Guide for the full walkthrough.
- Full API coverage — Modern API (OpenAPI-generated) and Classic API (
/JSSResource/) commands overview— Instance dashboard with 37 parallel API calls: inventory, enrollment, MDM, alertsscope— View, add to, and remove from scope on policies, config profiles, restricted software, and apps — no XML editing required- Device actions — Erase, remove MDM, redeploy framework, blank push, DDM sync, renew MDM, lock, enable/disable Remote Desktop (computers); erase, unmanage, restart, shutdown, update inventory (mobile devices). Target by serial number, name, ID, group, or file. Destructive bulk operations require
--confirm-destructive device— Aggregated device deep-dive: identity, hardware, OS, security posture, user info, MDM command history, policy logsreport security— Fleet security posture: FileVault, Gatekeeper, SIP, firewall rates, OS version distribution, flagged devices
- Blueprints — CRUD, deploy/undeploy, clone, scope management (add/remove device groups by name), component scaffolds, import Classic configuration profiles as blueprints with automatic DDM conversion (passcode policies, Safari settings, software update deferrals, RSR settings, software update preferences are promoted to native DDM components;
--legacyto skip conversion) - Compliance Benchmarks — Benchmark CRUD, baselines, rules, device compliance results, stats
- Platform Devices — Unified device inventory, actions (check-in, erase, restart, shutdown, unmanage)
- Platform Device Groups — CRUD, membership management
- DDM Reports — Device declaration status, declaration clients
- Full SDK coverage — Plans, analytics, analytic sets, exception sets, USB control, telemetry, prevent lists, unified logging filters, roles, users, groups, API clients, and org settings
overview— Instance dashboard with 14 parallel API calls: endpoints, security config, data forwarding, accessapply— Idempotent upsert: creates or replaces resources by name, with confirmation.--scaffoldprints an empty JSON templateexport/import— Round-trip configuration as JSON or YAML. Plans and analytic sets use names (not IDs) for portability across tenants- Community analytics — Import YAML analytics from the jamf/jamfprotect repository
- Downloads — Installer packages, configuration profiles (.mobileconfig), and certificates
- Granular mutations — Add/remove rules on USB control sets, analytics on sets, exceptions on sets
--field— Extract a single field from any response:jamf-cli pro comp list --field idapply— Name-based upsert: creates if new, replaces if existing (with confirmation)patch— JSON Merge Patch (RFC 7386): update individual fields without a full replace. Use--set key=valuefor scalar fields or pipe a merge-patch document. Accepts--name,--serial,--udid(resource-dependent) in place of an ID.--scaffoldprints the patchable field template--nameflag —get,update,delete, andpatchcommands all accept--name(and resource-specific alternates like--serial,--udid) in place of a positional ID--scaffold— Print JSON templates for create/update commands with example values- Five output formats —
table,json,csv,yaml,plain - Auto-pagination —
--allfetches every page;--limitcaps results - Dry-run mode —
--dry-runpreviews writes without executing multi— Run any command against multiple profiles:jamf-cli multi --filter 'pro-*' -- pro comp list. Supports glob patterns, file input (profile names or URLs), and interactive selection- Destructive safeguards — Delete and replace operations require
--yesconfirmation setup— Bootstrap API roles and OAuth2 credentials from a username/password. Idempotent (safe to re-run): updates roles and integrations in place without rotating credentials. Use--rotate-credentialsto explicitly regenerate secrets. Supports multi-instance setup via--from-filefor MSPs- System keychain — Secrets stored via macOS Keychain or Linux secret-service
- Jamf Platform Gateway — Route Jamf Pro through regional gateways with
--tenant-id
Config file: ~/.config/jamf-cli/config.yaml
default-profile: prod
default-output: table
profiles:
prod:
url: https://jamf.company.com
auth-method: oauth2
client-id: abc123
client-secret: env:JAMF_PROD_SECRET
protect:
product: protect
url: https://tenant.protect.jamfcloud.com
auth-method: oauth2
client-id: keychain:jamf-cli/protect/client-id
client-secret: keychain:jamf-cli/protect/client-secret
# Platform Gateway auth (routes Jamf Pro through regional gateway)
platform-prod:
url: https://us.apigw.jamf.com
auth-method: platform
client-id: env:PLATFORM_CLIENT_ID
client-secret: env:PLATFORM_CLIENT_SECRET
tenant-id: e5b39e85-5ecd-4d40-9d13-02c7cf21c762Jamf Pro supports three auth methods: oauth2, token, and platform. Jamf Protect uses oauth2 only. Three secret formats: env:VAR, file:/path, keychain:service/account.
Least privilege: When creating API roles for use with jamf-cli, grant only the privileges required for the endpoints you need to access. Jamf Pro maps each API endpoint to a specific privilege — consult the Privileges and Deprecations reference to determine the minimum set of permissions for your workflow.
See the wiki for full details: Configuration & Profiles · Secrets & Keychain
Each product has its own namespace:
jamf-cli pro <command> [subcommand] [flags] # Jamf Pro
jamf-cli protect <command> [subcommand] [flags] # Jamf Protect| Product | Command | Alias |
|---|---|---|
| Pro | computers |
comp |
| Pro | mobile-devices |
md |
| Pro | scripts |
scr |
| Pro | buildings |
bld |
| Pro | categories |
cat |
| Pro | departments |
dept |
| Pro | device |
dev |
| Pro | blueprints |
bp |
| Pro | compliance-benchmarks |
cb |
| Pro | platform-devices |
pdev |
| Pro | platform-device-groups |
pdg |
| Pro | ddm-reports |
ddm |
| Protect | removable-storage-control-sets |
rscs |
| Protect | unified-logging-filters |
ulf |
| Protect | exception-sets |
es |
| Protect | analytic-sets |
as |
| Protect | action-configs |
ac |
| Protect | custom-prevent-lists |
cpl |
| Protect | api-clients |
apic |
| Protect | config-freeze |
cf |
| Root | config |
cfg |
Full command catalog: Command Reference · Output Formats · Common Workflows
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | General error |
| 2 | Invalid usage |
| 3 | Authentication error |
| 4 | Not found |
| 5 | Permission denied |
| 6 | Rate limited |
See Error Handling & Exit Codes for structured JSON errors, retry logic, and scripting patterns.
jamf-cli completion installSupports bash, zsh, fish, and PowerShell. See the Setup Guide for manual installation.
make build # Build binary
make test # Run tests
make lint # Lint code
make generate # Generate commands from OpenAPI specsSee Architecture & Development for project structure and contributing guidelines.
Add --verbose (or -v) to any command to print HTTP request and response details to stderr:
jamf-cli pro comp list --verboseTo capture debug output to a file:
jamf-cli pro comp list --verbose 2>debug.log- Run
jamf-cli pro setup(orjamf-cli protect setup) to reconfigure credentials. - Verify the active profile with
jamf-cli config list. - Check that env vars (
JAMF_CLIENT_ID,JAMF_CLIENT_SECRET,JAMF_URL) are not overriding your config profile unintentionally. - For OAuth2, confirm the API client is enabled in Jamf Pro and has the required privileges.
- Confirm the resource exists: try a
listcommand first. - Check that the API role has the minimum privileges for the endpoint. See Privileges and Deprecations.
jamf-cli retries automatically with exponential backoff when rate-limited. If you're consistently hitting limits, add --limit to reduce page sizes or introduce delays between commands in scripts.
Use --dry-run (-n) to see what a write command would do without executing it:
jamf-cli pro buildings apply --from-file building.json --dry-runPlease file an issue in GitHub Issues.
Copyright (c) 2026 Jamf Software LLC.
This project is distributed under the MIT License.