Prerequisites
- OpenHound installed with the Jamf collector included. Follow the OpenHound installation instructions to set up OpenHound for BloodHound Community Edition. The Jamf collector is included by default in the OpenHound container image.
- Credentials to authenticate against the Jamf Pro API. See the options below for details on supported authentication methods.
The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users.
Choose an authentication method
The OpenHound Jamf collector supports two authentication methods. Use the API client method whenever possible.API client (recommended)
Authenticate with a Jamf Pro API client using the OAuth client credentials flow. API clients are not tied to a user account, can be scoped to a specific API role, and can be rotated or revoked independently. To prepare OpenHound credentials for this method:Create an API role
In Jamf Pro, create an API role and grant it the following privileges:
Create an API client
In Jamf Pro, create an API client.Assign it the API role from the previous step and set the Access token lifetime to
7200 seconds (2 hours).Generate a client secret
In Jamf Pro, generate a client secret for the API client.Copy the Client ID and the Client secret (you need both to configure the OpenHound
secrets.toml file).Username and password
Authenticate with a Jamf Pro user account. Create a new account, or use an existing one, that is directly assigned or a member of a group assigned to one of the following roles with “Full Access”:- Auditor (recommended) - Provides restricted read permissions to Jamf Pro objects and follows least privilege.
- Administrator - Grants full administrative access. Use only when an Auditor account is not available.
Configure OpenHound
Credentials for the Jamf collector are configured under the[sources.source.jamf.credentials] section of the secrets file, or via environment variables that use the SOURCES__SOURCE__JAMF__CREDENTIALS prefix.
API client parameters
| Parameter name | Environment variable | Description |
|---|---|---|
client_id | {PREFIX}__CLIENT_ID | The client ID of the Jamf Pro API client used to authenticate to the Jamf Pro API. |
client_secret | {PREFIX}__CLIENT_SECRET | The client secret of the Jamf Pro API client used to authenticate to the Jamf Pro API. |
host | {PREFIX}__HOST | The full host URL of the Jamf Pro tenant. For example: https://tenant.jamfcloud.com. |
secrets.toml
Username and password parameters
| Parameter name | Environment variable | Description |
|---|---|---|
username | {PREFIX}__USERNAME | The username of the account used to authenticate to the Jamf Pro API. |
password | {PREFIX}__PASSWORD | The password of the account used to authenticate to the Jamf Pro API. |
host | {PREFIX}__HOST | The full host URL of the Jamf Pro tenant. For example: https://tenant.jamfcloud.com. |
secrets.toml