Jamf Protect's brand-new API
Recently Jamf Protect unveiled its brand new API.
This has been a major feature request for Jamf Protect since it was announced as a new product in Jamf’s portfolio at the 2018 JNUC. The new API is built on a GraphQL language which allows admins and InfoSec to query content from the Jamf Protect console as well as to make modifications. GraphQL is a truly innovative approach for a query language, allowing users a simple method to gain information from the data by asking for specific fields on certain objects. The two main functions allowed currently with the Jamf Protect API are Queries and Mutations.
Queries:
Making a query against the data is the main purpose of the API. Here are some basic examples.
*NOTE: For our internal testing and development we use the Altair Client to debug and fine-tune our queries against the Jamf Protect API; we will use it here.
Example 1: Get a list of enrolled computers.
query {
listComputers {
items {hostName}
}
} Now one thing to note about the above query is that we have the ability to add in sub-selection of fields! So when attempting to fetch the "listComputers" we need to specify the additional items we want returned. For this, we want the "hostName". This could have easily have been swapped or included additional fields like "serial" or "uuid". All of the results produced are in JSON format.
Altair results:
Example 2: Get a list of computers that have not checked in for more than 90 days.
query Checkin {
listComputers (input: {
filter:{checkin: {lessThan: "2020-08-23T00:00:00.0Z"}}})
{
items {
hostName,
checkin
}
}
} In the above query we will see a list of computers that have not checked in since August 23, 2020 and show the hostname and the last check-in date.
Altair Results:
Mutations:
Now, we have talked about data fetching, but we still need a way to modify the data as well. And to do this with GraphQL we will use Mutations. So for our first example lets add a Unified Logging filter.
Example 1: Sudo Events Unified Logging Filter.
mutation CreateFilter {
createUnifiedLoggingFilter(
input: {
name: "Sudo Events"
filter: "process == 'sudo'"
enabled: true
tags: "sudo"
}
) {
name
created
enabled
}
}
All right; in this example we are going to add a Unified Logging filter in to our Protect Console. To add a new Unified Logging filter, your need to populate three mandatory fields: Name (Display name for the filter), Filter (the predicate filter), and Enabled. Additionally, you can add extra details for the filter in the Tags field for organization, but it's not mandatory.
We can also specify the data we want returned in Altair on successful creation of the new Unified Log filter.
Altair Results:
I hope these examples have helped to give you a feel for what is possible with Jamf Protect's long-awaited new API. As you've seen, it will help admins and InfoSec to query content from the Jamf Protect console as well as to make modifications, and GraphQL allows users a simple method to gain more granular information.
Not yet a Jamf Protect customer? Get Mac-specific endpoint protection for your Apple devices today.
by Category:
Have market trends, Apple updates and Jamf news delivered directly to your inbox.
To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.