What you’ll need
- Jamf Pro administrator role with permission to create API roles and clients.
- Your Jamf Pro URL (e.g.
https://yourorg.jamfcloud.com). - Five minutes.
Set it up
1
Create an API role in Jamf Pro
In Jamf Pro, go to Settings → System → API roles and clients → API Roles → + New.
- Display name:
Axiom Reader - Privileges:
Read Computers,Read Mobile Devices,Read Users,Read Groups,Read Computer Inventory Collection Settings
2
Create an API client
Go to API Clients → + New.
- Display name:
Axiom - API roles: select
Axiom Reader - Access Token Lifetime: 30 minutes (default)
- Authorization Type: API Client
3
Paste credentials into Layer
In Layer, go to Integrations, find Jamf Pro, click Connect, and paste:
- Jamf Pro URL
- Client ID
- Client Secret
4
Wait for the first sync
The first sync mints a short-lived token, pulls devices and users, and typically finishes in 10-20 minutes.
What gets synced
Why client credentials, not OAuth
Jamf’s OAuth model is per-tenant — each customer’s Jamf URL is the issuer, so a single multi-tenant OAuth app doesn’t apply. The API Client pattern is what Jamf recommends for service-to-service integrations.Troubleshooting
Some devices missing
Some devices missing
Check the API role privileges —
Read Computers and Read Mobile Devices are separate. Both must be granted.