> ## Documentation Index
> Fetch the complete documentation index at: https://bloodhound.specterops.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure the Collector

> Configure the OpenHound Jamf collector to gather data from your Jamf Pro tenant.

export const source_0 = "Jamf"

export const env_0 = "Pro tenant"

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

This page covers configuring the OpenHound Jamf collector for your Jamf Pro tenant.

## Prerequisites

* OpenHound installed with the Jamf collector included. Follow the OpenHound [installation](/openhound/community) instructions to set up OpenHound for BloodHound Community Edition. The Jamf collector is included by default in the OpenHound container image.
* Credentials to authenticate against the Jamf Pro API. See the options below for details on supported authentication methods.

<Note>
  The OpenHound setup instructions for BloodHound Community Edition also apply to BloodHound Enterprise users.
</Note>

## Choose an authentication method

The OpenHound Jamf collector supports two authentication methods. Use the API client method whenever possible.

### API client (recommended)

Authenticate with a [Jamf Pro API client](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/API_Roles_and_Clients.html) using the OAuth client credentials flow. API clients are not tied to a user account, can be scoped to a specific API role, and can be rotated or revoked independently.

To prepare OpenHound credentials for this method:

<Steps>
  <Step title="Create an API role">
    In Jamf Pro, create an [API role](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Creating_an_API_Role) and grant it the following privileges:

    <Expandable title="required privileges">
      * Read User
      * Read Accounts
      * Read Account Groups
      * Read Policies
      * Read Scripts
      * Read Computer Extension Attributes
      * Read Sites
      * Read Computers
      * Read API Integrations
      * Read API Roles
      * Read SSO Settings
    </Expandable>
  </Step>

  <Step title="Create an API client">
    In Jamf Pro, create an [API client](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Creating_an_API_Client).

    Assign it the API role from the previous step and set the **Access token lifetime** to `7200` seconds (2 hours).
  </Step>

  <Step title="Generate a client secret">
    In Jamf Pro, generate a [client secret](https://learn.jamf.com/r/en-US/jamf-pro-documentation-current/Generating_a_Client_Secret) for the API client.

    Copy the **Client ID** and the **Client secret** (you need both to configure the OpenHound `secrets.toml` file).

    <Warning>
      The client secret is only displayed once and cannot be retrieved later. If you lose it, you must generate a new one.
    </Warning>
  </Step>
</Steps>

### Username and password

Authenticate with a Jamf Pro user account. Create a [new account](https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Jamf_Pro_User_Accounts_and_Groups.html), or use an existing one, that is directly assigned or a member of a group assigned to one of the following roles with "Full Access":

* **Auditor** (recommended) - Provides restricted read permissions to Jamf Pro objects and follows least privilege.
* **Administrator** - Grants full administrative access. Use only when an Auditor account is not available.

## Configure OpenHound

Credentials for the Jamf collector are configured under the `[sources.source.jamf.credentials]` section of the secrets file, or via environment variables that use the `SOURCES__SOURCE__JAMF__CREDENTIALS` prefix.

<Warning>
  The credentials configuration structure changed in a recent release of the OpenHound Jamf collector. If you are upgrading from an earlier version, move existing `username`, `password`, and `host` values from `[sources.source.jamf]` into `[sources.source.jamf.credentials]` and update any matching environment variables to use the new `SOURCES__SOURCE__JAMF__CREDENTIALS` prefix.
</Warning>

### API client parameters

| Parameter name  | Environment variable        | Description                                                                            |
| --------------- | --------------------------- | -------------------------------------------------------------------------------------- |
| `client_id`     | \{PREFIX}\_\_CLIENT\_ID     | The client ID of the Jamf Pro API client used to authenticate to the Jamf Pro API.     |
| `client_secret` | \{PREFIX}\_\_CLIENT\_SECRET | The client secret of the Jamf Pro API client used to authenticate to the Jamf Pro API. |
| `host`          | \{PREFIX}\_\_HOST           | The full host URL of the Jamf Pro tenant. For example: `https://tenant.jamfcloud.com`. |

```toml title="secrets.toml" theme={null}
[sources.source.jamf.credentials]
client_id = "myclientid"
client_secret = "myclientsecret"
host = "https://tenant.jamfcloud.com"
```

### Username and password parameters

| Parameter name | Environment variable  | Description                                                                            |
| -------------- | --------------------- | -------------------------------------------------------------------------------------- |
| `username`     | \{PREFIX}\_\_USERNAME | The username of the account used to authenticate to the Jamf Pro API.                  |
| `password`     | \{PREFIX}\_\_PASSWORD | The password of the account used to authenticate to the Jamf Pro API.                  |
| `host`         | \{PREFIX}\_\_HOST     | The full host URL of the Jamf Pro tenant. For example: `https://tenant.jamfcloud.com`. |

```toml title="secrets.toml" theme={null}
[sources.source.jamf.credentials]
username = "myusername"
password = "mypassword"
host = "https://tenant.jamfcloud.com"
```

## Run OpenHound and collect data

After you set the required configuration parameters, [run](/openhound/community#collect) OpenHound to start the {source_0} collector and collect data from your {source_0} {env_0}. The collector will generate JSON files in the output directory that can be uploaded to BloodHound for analysis.
