Skip to main content
Applies to BloodHound Enterprise and CE This page covers configuring the OpenHound Jamf collector for your Jamf Pro tenant.

Prerequisites

  • OpenHound installed with the Jamf collector included. Follow the OpenHound installation instructions to set up OpenHound for BloodHound Community Edition. The Jamf collector is included by default in the OpenHound container image.
  • Credentials to authenticate against the Jamf Pro API. See the options below for details on supported authentication methods.
The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users.

Choose an authentication method

The OpenHound Jamf collector supports two authentication methods. Use the API client method whenever possible. Authenticate with a Jamf Pro API client using the OAuth client credentials flow. API clients are not tied to a user account, can be scoped to a specific API role, and can be rotated or revoked independently. To prepare OpenHound credentials for this method:
1

Create an API role

In Jamf Pro, create an API role and grant it the following privileges:
2

Create an API client

In Jamf Pro, create an API client.Assign it the API role from the previous step and set the Access token lifetime to 7200 seconds (2 hours).
3

Generate a client secret

In Jamf Pro, generate a client secret for the API client.Copy the Client ID and the Client secret (you need both to configure the OpenHound secrets.toml file).
The client secret is only displayed once and cannot be retrieved later. If you lose it, you must generate a new one.

Username and password

Authenticate with a Jamf Pro user account. Create a new account, or use an existing one, that is directly assigned or a member of a group assigned to one of the following roles with “Full Access”:
  • Auditor (recommended) - Provides restricted read permissions to Jamf Pro objects and follows least privilege.
  • Administrator - Grants full administrative access. Use only when an Auditor account is not available.

Configure OpenHound

Credentials for the Jamf collector are configured under the [sources.source.jamf.credentials] section of the secrets file, or via environment variables that use the SOURCES__SOURCE__JAMF__CREDENTIALS prefix.
The credentials configuration structure changed in a recent release of the OpenHound Jamf collector. If you are upgrading from an earlier version, move existing username, password, and host values from [sources.source.jamf] into [sources.source.jamf.credentials] and update any matching environment variables to use the new SOURCES__SOURCE__JAMF__CREDENTIALS prefix.

API client parameters

Parameter nameEnvironment variableDescription
client_id{PREFIX}__CLIENT_IDThe client ID of the Jamf Pro API client used to authenticate to the Jamf Pro API.
client_secret{PREFIX}__CLIENT_SECRETThe client secret of the Jamf Pro API client used to authenticate to the Jamf Pro API.
host{PREFIX}__HOSTThe full host URL of the Jamf Pro tenant. For example: https://tenant.jamfcloud.com.
secrets.toml
[sources.source.jamf.credentials]
client_id = "myclientid"
client_secret = "myclientsecret"
host = "https://tenant.jamfcloud.com"

Username and password parameters

Parameter nameEnvironment variableDescription
username{PREFIX}__USERNAMEThe username of the account used to authenticate to the Jamf Pro API.
password{PREFIX}__PASSWORDThe password of the account used to authenticate to the Jamf Pro API.
host{PREFIX}__HOSTThe full host URL of the Jamf Pro tenant. For example: https://tenant.jamfcloud.com.
secrets.toml
[sources.source.jamf.credentials]
username = "myusername"
password = "mypassword"
host = "https://tenant.jamfcloud.com"

Run OpenHound and collect data

After you set the required configuration parameters, run OpenHound to start the collector and collect data from your . The collector will generate JSON files in the output directory that can be uploaded to BloodHound for analysis.