Overview
Vanta’s Jamf Pro (OAuth) integration enables automated evidence collection and continuous monitoring of your managed devices. By leveraging Jamf’s modern API Roles and Clients framework, you can securely grant Vanta only the permissions required to synchronize computer and user data.
Vanta synchronizes the following data from Jamf Pro:
Computers: Device details, including hardware information, operating system version, disk encryption status, installed applications, running services, configuration profiles, and local user accounts.
Accounts: Jamf user accounts used for linked account monitoring.
Vendors: Imported vendor data to support vendor management workflows.
This data syncs approximately every hour and is used within Vanta for:
Device compliance monitoring
Automated evidence collection
Endpoint inventory tracking
Security posture assessments (such as disk encryption, screen lock configuration, antivirus detection, and password manager detection)
Why OAuth?
Using Jamf’s API Roles and Clients (OAuth) framework allows you to define a scoped, read-only set of permissions for Vanta, aligning with the principle of least privilege.
Unlike the legacy username and password approach, OAuth credentials:
Do not require a dedicated Jamf user account
Cannot be used to log in to the Jamf Pro dashboard
Provide granular control over the specific API endpoints Vanta can access
This approach enables more secure, controlled integration with Jamf Pro while limiting access strictly to what is required.
How it works
Authentication
Vanta connects to Jamf Pro using OAuth 2.0 through Jamf’s API Roles and Clients framework.
During setup:
You create an API Role with specific read-only permissions
You generate a Client ID and Client Secret
Vanta uses these client credentials to obtain short-lived access tokens, which are automatically refreshed as needed. No passwords are stored.
Data sync
Once connected, Vanta synchronizes data from Jamf Pro approximately every hour.
The integration retrieves:
Computer inventory data, including hardware information, operating system details, disk encryption status, installed applications, running services, configuration profiles, and local user accounts
Jamf user accounts
Vendor information
Only the permissions granted through the configured API Role are used.
How Vanta uses this data
Device compliance monitoring: Evaluates whether computers meet security requirements such as disk encryption (FileVault), screen lock configuration, and antivirus presence.
Endpoint inventory: Provides a centralized view of managed devices, their assigned owners, and their overall security posture within the Vanta dashboard.
Automated evidence collection: Generates compliance evidence for frameworks such as SOC 2, ISO 27001, and HIPAA based on collected device data.
Password manager detection: Identifies whether approved password managers are installed on devices.
Linked accounts: Maps Jamf user accounts to Vanta personnel to support access review workflows.
Use cases
Full disk encryption compliance: Automatically verify that all managed macOS devices have FileVault enabled, generating compliance evidence for SOC 2, ISO 27001, and other frameworks.
Screen lock enforcement: Confirm that configuration profiles enforcing screen lock policies are installed across your device fleet.
Antivirus and endpoint protection monitoring: Detect installed antivirus software and running security services on each device.
Password manager adoption tracking: Identify which devices have approved password managers installed to support credential management policies.
Device inventory and ownership mapping: Maintain an up-to-date inventory of all Jamf-managed computers with automatic owner assignment based on Jamf user and location data.
Linked account reviews: Map Jamf user accounts to your personnel directory to support periodic access reviews.
Vendor management: Import vendor data from Jamf to support centralized vendor risk tracking within Vanta.
Requirements
To connect the Jamf Pro (OAuth) integration, you must have:
A Jamf Pro Cloud instance (for example, yourdomain.jamfcloud.com)
Administrator access to your Jamf Pro dashboard.
Note: Vanta does not currently support on-premises deployments, Jamf Now, or Jamf Business.
Connect the integration
Step 1: Create an API role in Jamf Pro
Before connecting Vanta, define the specific read-only permissions the integration will use.
Log in to your Jamf Pro dashboard.
Click the Settings (gear icon) in the top right or side navigation
Go to System → API roles and clients
Select the API Roles tab and click + New
Under Display Name, enter vanta_test_role (or a name of your choice)
In the Privileges section, search for and add the following Read permissions:
Read Accounts
Read Computers
Read iOS Configuration Profiles
Read macOS Configuration Profiles
Click Save
Step 2: Create an API client and generate credentials
Next, generate the client credentials required for the Vanta connection.
Switch to the API Clients tab and click + New
Under Display Name, enter vanta_client_cred
Under API Roles, select the role created in Step 1 (for example, vanta_test_role)
Ensure the client is set to Enabled
Click Save
After saving, click Generate Client Secret
Important: Copy the Client ID and Client Secret immediately. The Client Secret will not be visible again after you close this window.
Step 3: Connect Jamf Pro to Vanta
Open Vanta and navigate to Integrations from the left-hand panel
Search for Jamf Pro in the Available tab and select Connect
In the connection modal, provide the following:
Jamf Cloud Hostname: Your full Jamf Cloud URL (e.g., company.jamfcloud.com).
Client ID: The ID generated in Step 2
Client Secret: The Secret generated in Step 2
Select Validate and store
If the connection is successful, you will see a confirmation message indicating that the Jamf Pro connection has been created.
Step 4: Configure resource scope
After connecting, configure which resources Vanta should monitor.
Navigate to Connected Integrations
Locate Jamf Pro and select Configure Scope
Review the list of Jamf Accounts and Computers
Toggle specific resources In Scope or Out of Scope based on your compliance requirements
Note: Resource scoping changes may take at least one hour to fully update across the platform.
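To confirm that the API role from Step 1 stays limited to the four Read privileges listed there, the following added example (not Vanta or Jamf code) compares a role's privilege list with that list and reports anything missing or beyond it. The role object shape (a JSON object with a "privileges" list), the sample role, and the function names are assumptions constructed for illustration.

```python
import json

# The four privileges this page lists in Step 1.
REQUIRED = frozenset({
    "Read Accounts",
    "Read Computers",
    "Read iOS Configuration Profiles",
    "Read macOS Configuration Profiles",
})


def _norm(name):
    # Collapse whitespace and case so "read  computers" still matches.
    return " ".join(name.split()).casefold()


def audit_role(role):
    """Return missing, extra read-only, and non-read privileges for a role."""
    required = {_norm(p): p for p in REQUIRED}
    granted = {_norm(p): " ".join(p.split()) for p in role.get("privileges", [])}
    missing = sorted(required[k] for k in required.keys() - granted.keys())
    surplus = [granted[k] for k in granted.keys() - required.keys()]
    # Extra Read privileges widen data access; anything else can change state.
    extra_read = sorted(p for p in surplus if _norm(p).startswith("read "))
    non_read = sorted(p for p in surplus if not _norm(p).startswith("read "))
    return {"missing": missing, "extra_read": extra_read, "non_read": non_read}


def is_least_privilege(role):
    # True only when the role holds exactly the four Step 1 privileges.
    return not any(audit_role(role).values())


# Constructed sample role (assumed shape, not real export data).
SAMPLE_ROLE = json.loads("""
{
  "displayName": "vanta_test_role",
  "privileges": [
    "Read Accounts",
    "Read Computers",
    "read  macOS Configuration Profiles",
    "Read Mobile Devices",
    "Update Computers"
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE), indent=2))
```

A non-empty "non_read" list is the finding to act on first, since it means the credentials handed to the integration can do more than read.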
Additional guidance
If you have computers that are not managed by Jamf Pro, install the Vanta Device Agent on those machines to ensure full compliance coverage.