
Jamf Pro Add-on for Splunk

Splunk AppInspect Passed

Use this modular input app to integrate Jamf Pro with Splunk and enable a deeper level of analytics for your Jamf Pro data. This easy-to-use integration combines the advanced search APIs in Jamf Pro with Splunk's modular input framework.

The application also provides a framework for the development of additional API based integrations to further enable analysis of Jamf Pro in Splunk.

- Import Computer and Mobile Device data from multiple Jamf Pro instances
- Import several system settings fields using the Custom API field
- Create and expand on visuals using tools in Splunk's ecosystem

Jamf Modular Input for Splunk

Current Version 1.0.4

New Features!

  • Added the ability to use a Custom API end point
  • Updated Computers API endpoint to exclude FONTS, to save data



Advanced Computer and Mobile Search

The Computers and Mobile Devices tabs use a specific Jamf Pro endpoint referred to as Advanced Computer Searches. Their power is that you can use the Criteria section to narrow your selection of devices. For example, you can collect only on managed devices so that you don't collect on devices you are no longer responsible for. You can also control the data that goes into the Splunk engine by using the Display section: only data fields that are checked will be ingested by the Splunk Event Writer. This lets you reduce your logging to only the values you want, or remove what you deem Personally Identifiable Information.

To use these, highlight the Computer or Mobile Device tab and then enter the name of the Advanced Search in the Custom URL field.

Learn more here:

Custom API Endpoints

Custom API endpoints allow you to collect information from Jamf Pro by integrating directly with the API. Below is a list of common endpoints that you may want to collect against. Copy and paste these paths into the custom fields to get the data described, or go to the Jamf API page found here:


For any of the JSSResource endpoints, if you call the base endpoint, the add-on calls it and then iterates across all objects it returns. For example, calling /JSSResource/computers/ collects all computers. If you enter a NAME or ID field in the custom URL, only that object is called directly. For example, /JSSResource/computers/id/10 returns only the computer with the JSS_ID equal to 10. If you use the name, it returns the computer with that system name that reported most recently.

Interesting Custom API strings

This allows you to iterate across the computers and pull every computer. There are no restrictions, and the only field that is dropped is the FONTS field.
This allows you to iterate across the mobile devices and pull every iPad, iPhone, Apple TV, and other mobile device. It returns all fields.
This collects the configuration profiles that would be applied to computers or mobile devices that are user enrolled, formerly Bring Your Own Device profiles.
This collects all of the Computer Configurations that could be applied to a computer. It also returns details related to what is controlled by the configuration profile.
This collects the User Directory Bindings and authentication that devices use for user lookup. Used with conditional access systems.
This collects the software that you are licensed to use from the Apple Store. You must be connected with Apple School or Business Manager to use this feature.
This collects every application that the Jamf Pro server has seen on devices since it started collecting. This is a high data usage endpoint.
This collects every application installed on a mobile device that the Jamf Pro server has seen. This is a high data usage endpoint.
This collects applications that have been marked restricted by the Jamf Pro administrator. These are applications that Jamf Pro, if it has the ability, will remove from the device.
This collects the scripts that could be deployed to a computer. Combine this with Smart Groups to find all of the computers with these scripts installed.
This collects the multi-tenancy information available with sites. Sites is a less-used feature that allows a hierarchical setup of your Jamf Pro server. This exposes those relationships.
This allows you to collect on users that the Jamf Pro server has seen. You can correlate assigned devices with this endpoint.
This shows the applications that were purchased through the Apple Volume Purchasing Program and which user or which device each is deployed to.

Installation and Setup

After acquiring this Modular Input and installing it on your instance, you will be presented with a form containing the fields below.
Input Data fields
Name: This is the unique name for the data search.
Interval: This is the number of seconds it should wait between collections. The suggestions are 3600 (1 hour) or 86400 (1 day).
Name of Modular Input: This is the name used for the search field; it is suggested to be the same as Name.
JSS URL: This is the FQDN endpoint for your Jamf Pro server. Your Splunk server must be able to reach it on port 443 or 8443, depending on your deployment. Valid inputs are https://yourserver.domain.com, https://yourserver.domain.com:8443 and yourserver.domain.com
Search Name: This is either the Advanced Search name used for the Computer or Mobile Device tab, or the Custom API URI used to collect information from Jamf Pro other than Computer or Mobile Device information.
Username: Refer to your documentation on how to create read-only accounts, and ensure that the account has the correct and appropriate access rights to your data.
Password: The password for the user or service account that will be used to collect this information.
Custom Index Name and Custom Host Name: These are data fields for advanced Splunk users to allow multiple inputs or multiple hosts to appear as a single input.
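
As an added example (not the add-on's own code), the sketch below validates the three JSS URL input forms listed above and shows how many requests a Custom API path produces, which is why a base path such as /JSSResource/computers/ is far heavier than an id path. The function names, the port allow-list, the assumption that each listed object is fetched by id, and the sample listing are hypothetical and constructed for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_PORTS = (443, 8443)  # assumption: only the two ports the setup text mentions

def normalize_jss_url(value):
    """Turn any of the three documented input forms into https://host[:port]."""
    value = value.strip().rstrip("/")
    if "://" not in value:
        value = "https://" + value  # bare-host form, e.g. yourserver.domain.com
    parts = urlsplit(value)
    if parts.scheme != "https":
        raise ValueError("refusing %s: account credentials need TLS" % parts.scheme)
    if parts.username or parts.password:
        raise ValueError("credentials belong in the Username/Password fields")
    if not parts.hostname or parts.path or parts.query or parts.fragment:
        raise ValueError("expected host[:port] only")
    port = parts.port or 443
    if port not in ALLOWED_PORTS:
        raise ValueError("unexpected port %d" % port)
    return "https://" + parts.hostname + ("" if port == 443 else ":%d" % port)

def plan_requests(custom_path, list_ids):
    """Return every path one collection run would request for a Custom API path."""
    segs = [s for s in custom_path.split("/") if s]
    if len(segs) < 2 or segs[0] != "JSSResource":
        raise ValueError("not a JSSResource path")
    if len(segs) == 2:
        # Base endpoint: one listing call, then one call per returned object.
        base = "/JSSResource/" + segs[1]
        return [base] + ["%s/id/%d" % (base, i) for i in list_ids(base)]
    if len(segs) == 4 and segs[2] in ("id", "name"):
        # A single object addressed by ID or NAME: exactly one call.
        return ["/" + "/".join(segs)]
    raise ValueError("unsupported path shape")

# Constructed listing standing in for a Jamf Pro server: base path -> object ids.
SAMPLE_LISTING = {"/JSSResource/computers": [10, 11, 12]}

def fake_list_ids(base):
    return SAMPLE_LISTING.get(base, [])

if __name__ == "__main__":
    for raw in ("yourserver.domain.com", "https://yourserver.domain.com:8443"):
        print(raw, "->", normalize_jss_url(raw))
    for path in ("/JSSResource/computers/", "/JSSResource/computers/id/10"):
        print(path, "->", len(plan_requests(path, fake_list_ids)), "request(s)")
```
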

Dashboards and Visuals

Coming soon will be example and included dashboards to show you what is possible with both Splunk and Jamf.

Help us make this better

Reach out on Jamf Nation https://www.jamf.com/jamf-nation/ to find users and interact with us on how to make this better. We are highly interested to see what people can build in Splunk's environment with your data.



Release Notes

Version 1.0.10
July 6, 2020

- Added Serial Number, Site Name, and the epoch time of the inventory to the pagination fields.

Mobile Devices:
- Fixed error where a Mobile Device was written as a computer record
- Added Serial Number, Site Name, and the epoch time of the inventory to the pagination fields.

- Removed the BYTE encoding of the ICON to reduce data usage.

- Reduced number of data transformations to increase speed
- Added the Serial Number for Jamf Protect to quickly grab any event string for a computer

Version 1.0.8
April 22, 2020

Reduced XML transformations

Fixed error where XML objects wouldn't automatically be recognized by the extraction engine

Fixed error where custom API endpoints other than /JSSResource/computers and /JSSResource/mobiledevices would fail to write to the event writer

Version 1.0.6
Feb. 18, 2020

Improved Error Handling and Logging,
Improved ITER method of computer and mobile devices

Version 1.0.5
Oct. 31, 2019

- Verified Version 8 support
- Adjusted Inputs Configuration Page for clarity

Version 1.0.4
Oct. 22, 2019

Removed testing inputs that were included accidentally

Version 1.0.3
Oct. 21, 2019

+ Updated the Icons and descriptions.
+ Added support contact

Version 1.0.2
Oct. 14, 2019


© 2005-2020 Splunk Inc. All rights reserved.