Metadata
Name: JamfHound
Display Name: JAMF (JamfHound)
Version: 1.1.0
Namespace: jamf
Environment Kind: jamf_Tenant
Source Kind: jamf_Base
This file is automatically generated from the schema_enterprise.json file
that is bundled with JAMF (JamfHound).
Nodes
| Node Kind | Display Name |
|---|---|
| jamf_Account | JAMF Account |
| jamf_ApiClient | JAMF API Client |
| jamf_Computer | JAMF Computer |
| jamf_ComputerUser | JAMF Computer User |
| jamf_DisabledAccount | JAMF Disabled Account |
| jamf_DisabledApiClient | JAMF Disabled API Client |
| jamf_Group | JAMF Group |
| jamf_Site | JAMF Site |
| jamf_SSOIntegration | JAMF SSO Integration |
| jamf_Tenant | JAMF Tenant |
Edges
| Relationship Kind | Traversable | Description |
|---|---|---|
| jamf_AdminTo | ✅ | Represents full administrative control over the target and all resources controlled by the target. |
| jamf_AdminToSite | ✅ | The source has administrative control over the site and all resources controlled by the site. This includes creating policies that impact resources of the site, sending or clearing MDM commands, remotely administering site devices and computers, and creating computer objects for the site. |
| jamf_AssignedUser | ✅ | Represents the user assignment relationship on a JAMF-managed computer. |
| jamf_AZMatchedEmail | ❌ | Represents a cross-platform identity correlation where the JAMF principal’s email attribute matches an Azure AD account’s email. |
| jamf_Contains | ✅ | Represents a structural containment relationship where the source node contains the target resource. |
| jamf_Create_API_Client_and_Assign_Role | ✅ | Represents a privilege escalation path where the source possesses ‘Create API Integrations’ permission and at least one role exists allowing the creation of new API clients to assume existing role permissions. |
| jamf_Create_API_Client_and_Create_Role | ✅ | Represents a combined privilege escalation path where the source possesses the ‘Create API Integrations’ and ‘Create API Roles’ permissions, which allow the creation of new API clients with any permissions in newly assigned roles and retrieving API client credentials to authenticate. |
| jamf_Create_API_Client_and_Update_Role | ✅ | Represents a combined privilege escalation path where the source possesses ‘Create API Integrations’ and ‘Update API Roles’ permissions and at least one API role exists allowing the creation of new API clients to assume roles, modifying the permissions of existing roles, and retrieving API client credentials. |
| jamf_CreateAccounts | ✅ | Represents possession of the ‘Create Accounts’ JSS Object permission which allows creating new accounts, including administrators, as well as creating new groups with any permissions. |
| jamf_CreateAPIRoles | ❌ | Represents the ability to create API roles in the JAMF tenant. Non-traversable because creating roles without the ability to create or update API integrations does not provide a credential retrieval mechanism. |
| jamf_CreateComputerExtensions | ✅ | Represents the ability to create computer extension attributes which can execute code on all computers in the JAMF tenant. |
| jamf_CreatePolicies | ✅ | Represents possession of the ‘Create Policies’ JSSObject privilege allowing code execution on target computers. |
| jamf_MatchedEmail | ✅ | Represents an identity correlation where the JAMF computer user’s email attribute matches the JAMF account’s email. |
| jamf_MatchedName | ✅ | Represents an identity correlation where the JAMF computer user’s displayname matches the JAMF account’s name or displayname. |
| jamf_MemberOf | ✅ | Represents group membership where the source inherits the group’s permissions and assignments. |
| jamf_Okta_Same_Device | ✅ | Represents a hybrid cross-platform device correlation where the JAMF Pro registered computer’s UDID matches the registered device UDID in Okta. |
| jamf_ScriptsNonTraversable | ❌ | Represents the ability to create or update scripts on the target. This edge is non-traversable because script creation/modification alone does not enable code execution. |
| jamf_SSO_Login | ✅ | Represents the ability of an SSO identity provider to authenticate as and inherit the privileges of JAMF accounts and groups. |
| jamf_Update_API_Client_and_Assign_Role | ❌ | Represents possession of the ‘Update API Integrations’ permission and at least one role has been created in the tenant. Combined, these allow updating existing API clients to assume the permissions of existing roles. Non-traversable because these permissions alone cannot retrieve API client credentials. |
| jamf_Update_API_Client_and_Create_Roles | ❌ | Represents combined possession of ‘Update API Integrations’ and ‘Create API Roles’ permissions and at least one API client exists in the tenant allowing updates of existing API clients and assigning new roles created with any included permissions. Non-traversable because these permissions alone cannot retrieve API client credentials. |
| jamf_Update_API_Client_and_Update_Roles | ❌ | Represents combined possession of ‘Update API Integrations’ and ‘Update API Roles’ permissions and at least one API client and role exist in the tenant, allowing updates of existing API clients with any permissions by updating existing roles. Non-traversable because these permissions alone cannot retrieve API client credentials. |
| jamf_Update_Recurring_Scripts | ✅ | Represents a code execution path where the source has ‘Update Scripts’ JSSObject permission and there are scripts configured to run repeatedly on target computers via enabled policies allowing code execution. |
| jamf_Update_Roles_Assigned_To_Self | ✅ | Represents an API client possessing the ‘Update API Roles’ permission which allows updating existing API roles with any permissions, including roles assigned to itself. |
| jamf_Update_Self_and_Assign_Roles | ✅ | Represents an API client that possesses ‘Update API Integrations’ permission and at least one role exists, allowing the client to assume the permissions of existing roles. |
| jamf_Update_Self_and_Create_Roles | ✅ | Represents an API client that possesses ‘Update API Integrations’ and ‘Create API Roles’ permissions, allowing the client to assign new roles with any included permissions. |
| jamf_Update_Self_and_Update_Roles | ✅ | Represents an API client that possesses ‘Update API Integrations’ and ‘Update API Roles’ permissions and at least one role exists, allowing the client to assign any permissions by modifying existing roles. |
| jamf_Update_SSO_Settings | ✅ | Represents the ability to update or enable SSO settings in the tenant to change authentication to inherit the privileges of JAMF accounts and groups. |
| jamf_UpdateAccounts | ✅ | Represents possession of the ‘Update Accounts’ JSS Object permission which allows altering the passwords, enabled status, permissions, and memberships of existing accounts or groups. |
| jamf_UpdateAPIRoles | ❌ | Represents the ability to update existing API roles in the JAMF tenant. Non-traversable because modifying roles without the ability to create or update API clients does not provide a credential retrieval mechanism. |
| jamf_UpdateComputerExtensions | ✅ | Represents the ability to update existing computer extension attributes and at least one extension attribute exists, allowing execution of code on all computers in the JAMF tenant during inventory collection. |
| jamf_UpdatePolicies | ✅ | Represents possession of the ‘Update Policies’ JSSObject privilege and at least one policy already exists in the tenant, allowing modification of existing policies for code execution on target computers. |