Use this modular input add-on to integrate Jamf Pro with Splunk to enable a deeper level of analytics for your Jamf Pro data. This integration retrieves data from Jamf Pro via API and provides it as a Splunk modular input.
Please see the Integrating Splunk with Jamf Pro and Jamf Protect Technical Paper on Jamf's website.
The most common use of the plugin is to import device inventory information. These endpoints are available as built-in options. To use them, select jamfComputers and/or jamfMobileDevices from the add-on's Input tab > "Create New Input" drop-down menu.
These pre-built inputs are preferred as they will retrieve data in paginated batches, causing less strain on your Jamf Pro instance as compared to pulling each device's record individually. They also import data as JSON, the format preferred by most users.
If /JSSResource/computers or /JSSResource/mobiledevices are added as custom endpoints, the add-on will import each record one by one. This is inefficient, but might be used if you don't have a lot of devices and want XML-formatted data.
In many cases, users set up the built-in computers or mobile devices inputs and that's all that's needed. If you would like to import other Jamf Pro data into Splunk, the "jamf" input type allows you to specify other API endpoints. Some examples appear below. Note that if you add a /JSSResource custom endpoint base path with multiple records that can be obtained via ID, the add-on will take care of iterating across all the child objects. For example, if you call /JSSResource/macapplications/ it will import all the applications.
/JSSResource/computers
Avoid using this endpoint (see above). This allows you to iterate across the computers and pull every computer. There are no restrictions, and the only field that is dropped is the FONTS field.
/JSSResource/mobiledevices
Avoid using this endpoint (see above). This allows you to iterate across the mobile devices and pull every iPad, iPhone, Apple TV, and other mobile device. It returns all fields.
/JSSResource/byoprofiles
This collects the configuration profiles that would be applied to computers or mobile devices that are user enrolled, formerly Bring Your Own Device profiles.
/JSSResource/computerconfigurations
This collects all of the Computer Configurations that could be applied to a computer. It also returns details related to what is controlled by the configuration profile.
/JSSResource/directorybindings
This collects the User Directory Bindings and authentication that devices use for user lookup. Used with conditional access systems.
/JSSResource/licensedsoftware
This collects the software that you are licensed to use from the Apple Store. You must be connected with Apple School or Business Manager to use this feature.
/JSSResource/macapplications
This collects every application that the Jamf Pro server has seen on devices since it started collecting. This is a high data usage endpoint.
/JSSResource/mobiledeviceapplications
This collects every application installed on a mobile device that the Jamf Pro server has seen. This is a high data usage endpoint.
/JSSResource/restrictedsoftware
This collects applications that have been marked restricted by the Jamf Pro administrator. These are applications that Jamf Pro, if it has the ability, will remove from the device.
/JSSResource/scripts
This collects the scripts that could be deployed to a computer. Combine this with Smart Groups to find all of the computers with these scripts installed.
/JSSResource/sites
This collects the multi-tenancy information available with sites. Sites is a less-used feature that allows a hierarchical setup of your Jamf Pro server. This exposes those relationships.
/JSSResource/users
This allows you to collect on users that the Jamf Pro server has seen. You can correlate assigned devices with this endpoint.
/JSSResource/vppassignments
This shows the applications that were purchased through the Apple Volume Purchasing Program and either which user or which device it is deployed to.
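The child-object iteration described in the introduction (a /JSSResource base path expanded into one request per child ID), written out as an added Python example that is not the add-on's own code: the Classic API response shapes, the record fields and FAKE_API are constructed stand-ins for an authenticated HTTP client.

```python
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for Jamf Pro Classic API responses, keyed by request path.
# Assumed shape: the collection endpoint wraps a list of {id, name} summaries in
# one top-level key, and each /id/<n> child wraps the full record the same way.
FAKE_API: Dict[str, dict] = {
    "/JSSResource/macapplications": {
        "mac_applications": [
            {"id": 1, "name": "Example Editor"},
            {"id": 2, "name": "Example Browser"},
            {"id": 3, "name": "Example Terminal"},
        ]
    },
    "/JSSResource/macapplications/id/1": {
        "mac_application": {"id": 1, "name": "Example Editor", "bundle_id": "com.example.editor"}
    },
    "/JSSResource/macapplications/id/2": {
        "mac_application": {"id": 2, "name": "Example Browser", "bundle_id": "com.example.browser"}
    },
    "/JSSResource/macapplications/id/3": {
        "mac_application": {"id": 3, "name": "Example Terminal", "bundle_id": "com.example.terminal"}
    },
}


def fake_get(path: str) -> dict:
    """Constructed GET: serve the path from FAKE_API (a real client would call Jamf Pro with auth)."""
    return FAKE_API[path]


def iterate_children(base_path: str, get: Callable[[str], dict] = fake_get) -> Tuple[List[dict], int]:
    """Expand a /JSSResource collection path into one full record per child object.

    Returns (records, request_count). One request lists the collection and one
    more is spent per child id, so the cost is 1 + N requests: the per-record
    pattern the page warns about for /JSSResource/computers and mobiledevices.
    """
    base_path = base_path.rstrip("/")          # the page writes the path with a trailing slash
    requests = 1
    listing = get(base_path)
    (summaries,) = listing.values()            # single wrapper key, e.g. "mac_applications"
    records: List[dict] = []
    for summary in summaries:
        detail = get(f"{base_path}/id/{summary['id']}")
        requests += 1
        (record,) = detail.values()            # single wrapper key, e.g. "mac_application"
        records.append(record)                 # each record becomes one JSON event for Splunk
    return records, requests


if __name__ == "__main__":
    apps, cost = iterate_children("/JSSResource/macapplications/")
    print(f"{len(apps)} records in {cost} requests")
```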
The #splunk channel on MacAdmins Slack has lots of excellent community discussions on using Splunk in the context of Apple device management.
2.12.2 is a maintenance/version-compatibility release. The add-on's Python packages have been updated for compatibility with Python 3.9.
Updated support for Python 3, removing the .getchildren() dependency.
Rebuilt with the latest Add-On Builder to meet Security and Compliance targets.
Extension Attributes and Groups now have a ~:all sourcetype in which all the values are contained. This can be helpful for making a large table of group memberships for many devices with simpler SPL.
Repackaged with the latest Add-On Builder; no functional changes.