Skip to main content
The Jamf Pro integration covers your managed Mac, iPhone, and iPad fleet.

What you’ll need

  • Jamf Pro administrator role with permission to create API roles and clients.
  • Your Jamf Pro URL (e.g. https://yourorg.jamfcloud.com).
  • Five minutes.

Set it up

1

Create an API role in Jamf Pro

In Jamf Pro, go to Settings → System → API roles and clients → API Roles → + New.
  • Display name: Axiom Reader
  • Privileges: Read Computers, Read Mobile Devices, Read Users, Read Groups, Read Computer Inventory Collection Settings
Save.
2

Create an API client

Go to API Clients → + New.
  • Display name: Axiom
  • API roles: select Axiom Reader
  • Access Token Lifetime: 30 minutes (default)
  • Authorization Type: API Client
Save and copy the Client ID and Client Secret that Jamf displays.
3

Paste credentials into Layer

In Layer, go to Integrations, find Jamf Pro, click Connect, and paste:
  • Jamf Pro URL
  • Client ID
  • Client Secret
4

Wait for the first sync

The first sync mints a short-lived token, pulls devices and users, and typically finishes in 10-20 minutes.

What gets synced

ObjectFieldsRefresh cadence
Computersname, serial number, OS version, last check-in, assigned userEvery 6 hours
Mobile devicesname, serial, OS, model, ownerEvery 6 hours
Usersusername, email, full nameDaily
Smart groupsname, criteria, member countDaily

Why client credentials, not OAuth

Jamf’s OAuth model is per-tenant — each customer’s Jamf URL is the issuer, so a single multi-tenant OAuth app doesn’t apply. The API Client pattern is what Jamf recommends for service-to-service integrations.

Troubleshooting

Tokens are short-lived (30 min default). Layer mints a new one for each sync, but if you rotated the Client Secret in Jamf, paste the new value into Layer.
Check the API role privileges — Read Computers and Read Mobile Devices are separate. Both must be granted.