Using the Jamf Pro API to deploy installer packages using MDM commands
One of the capabilities of mobile device management (MDM) on macOS is that you can use MDM commands to deploy installer packages, via the InstallEnterpriseApplication MDM command. If you’re using Jamf Pro for your MDM management, one of the capabilities of the Jamf Pro API is being able to leverage its ability to run MDM commands to send out InstallEnterpriseApplication commands to deploy installer packages. For more details, please see below the jump.
Using the Jamf Pro API to delete computers from Jamf Pro
Every so often, I need to delete one or multiple computers from a Jamf Pro server. This can be accomplished in the Jamf Pro admin console, but it can also be accomplished via the Jamf Pro API’s computers-inventory API endpoint. For more details, please see below the jump.
Using Self Service+ as a privilege elevation tool
As part of developing Self Service+, Jamf built in functionality which originally came from their Jamf Connect tool. Among the functionality added to the Self Service+ app is Jamf Connect’s ability to serve as a privilege elevation tool. This means that Self Service+ can be used as a privilege elevation tool for those shops who are interested in providing and managing admin privileges to standard user accounts on macOS. For more details, please see below the jump.
Deploying software update declarations for automatic minor OS updates using Blueprints in Jamf Pro
Back in November 2025, Jamf released options for automatically upgrading the OS version of a Mac to the latest version of macOS that a particular Mac can support. However, this upgrade option meant that the Mac could potentially be upgraded to a new major version of macOS as part of the upgrade process.
For example, applying this software update declaration to a Mac running macOS Sequoia 15.7.1 would not upgrade it to the latest version of Sequoia, which is 15.7.3 as of February 5, 2026. Instead the Mac would be upgraded to the latest version of macOS available, which is macOS Tahoe 26.2 as of February 5, 2026.
To address this, now there is an option for updating the OS version to the latest minor version of the OS that the Mac is currently running. Using the example above, now a software update declaration can be applied to update a Mac running macOS Sequoia to the very latest version of macOS Sequoia, but not upgrade the Mac to now run macOS Tahoe.
For those familiar with Jamf Pro’s managed software update functionality, the new software update declaration functionality provides the following update options:
- Download and schedule to install
- Latest minor version
The Latest minor version functionality in the managed software update functionality tells the managed Mac to download and install the latest update available to the current version of macOS that a particular Mac is running. The Blueprints software update declaration option provides that same experience, where you can do the following:
- Set that you want the managed Macs to update their OS version using the latest update for the current version of macOS that the Mac is running.
- Set a deadline that you want to have your Macs updated by.
For more details, please see below the jump.
Deploying Apple software update deferrals using Blueprints in Jamf Pro
As part of the software testing cycle, Mac admins may choose to delay making Apple’s macOS updates generally available to their fleet while they’re testing to make sure all the software used on their organization’s Macs works correctly on new versions of macOS. To assist with this, Apple has made available deferral settings for Apple’s Software Update on macOS, where you can choose to defer the following for up to 90 days:
- Major OS upgrades: An upgrade is a major macOS release with a new name (for example, macOS Sequoia 15 to macOS Tahoe 26).
- Minor OS updates: An update is a minor release within the same macOS version, such as Tahoe 26.0 to 26.2.
- Non-OS updates: These are software updates provided by Apple that are not covered by the prior two categories.
For those who need to know when deferral periods end, Apple has them available for the current shipping OS via the link below:
https://support.apple.com/guide/deployment/about-software-updates-depc4c80847a/web (see the Software release dates section.)
One example of a deferral choice is delaying the release of a new major version of macOS. In this scenario, a Mac admin may want to delay release because mandatory security software for their environment has not yet been certified by the software vendor as being compatible with the new version of macOS. You can use Blueprints in Jamf Pro to distribute these tokens, using the Software Update Settings component in Blueprints.
Let’s take a look on how to deploy deferral settings using using the following software update configuration as an example:
- What’s deferred: Major OS upgrades
- How long: 90 days
For more details, please see below the jump.
Enabling a standard user account to access the unified system log on macOS using the log command line tool
As part of my work, I occasionally need to pull information from the unified system log, either directly on a Mac or from a sysdiagnose file, using the log command line tool. However, I also prefer to run as a standard user account most of the time and use privilege elevation tools like SAP’s Privileges or the privilege elevation functionality built into Jamf’s Self Service+ tool to get admin privileges when needed.
The combination of the two sometimes means I get halted while working because the log command line tool needs an account with admin privileges to run when it is getting log information from the unified system log on the Mac I’m using. Using the log command line tool doesn’t require root privileges or require admin authorization, but it needs to be run by a user with admin rights.
Note: This requirement for admin privileges does not appear to be coming from the log command line tool itself, but instead is coming from the unified system log. The reason I’m saying this is that accessing logs using the log tool from a sysdiagnose file does not require admin privileges. If any readers have more information about this topic, please let me know in the comments.
This has been an occasional annoyance because I get pulled briefly out of my focus while working in order to elevate my account’s privileges and then go back to my work. However, I was able to develop a solution for this issue using the sudo command line tool. For more details, please see below the jump.
Additional roles in Apple Business Manager or Apple School Manager with option to administer AppleSeed for IT program
As a follow-up to my previous post on using Apple Business Manager to enroll in the AppleSeed for IT program, my colleague Mark let me know that in addition to the Administrator role, it appears there are two other roles which can administer the AppleSeed for IT program for an organization.
Note: One of those roles is exclusive to Apple School Manager, so for Apple Business Manager there is only one other role in addition to the Administrator role which can administer the AppleSeed for IT program.
- People Manager role (available in Apple Business Manager and Apple School Manager):
If you look in the People Manager role in either Apple Business Manager and Apple School Manager, there is an Administer AppleSeed for IT checkbox option.
This option is disabled by default, but it is the same checkbox option which is checked for the Administrator role, which in turn allows the Administrator role to administer the AppleSeed for IT program for an organization.
- Site Manager role (available only in Apple School Manager):
If you look in the Site Manager role in Apple School Manager, there likewise is an Administer AppleSeed for IT checkbox option. This option is enabled by default, so it looks like the Site Manager role in Apple School Manager by default has the same ability as the Administrator role to administer the AppleSeed for IT program for an organization.
Deploying Apple beta program tokens using Blueprints in Jamf Pro
As discussed in a previous post, Apple provides tokens which allow devices to be enrolled in Apple’s beta programs without the need for the user to sign in with an Apple Account on the device.
You can use Blueprints in Jamf Pro to distribute these tokens, using the Software Update Settings component in Blueprints. Let’s see how this works using the following software update configuration as an example:
- Macs are enrolled in the macOS Tahoe beta program.
- Macs cannot opt out of participating in the macOS Tahoe beta program.
For more details, please see below the jump.
Obtaining Apple beta program tokens
As discussed in an earlier post, you can sign up for Apple’s AppleSeed for IT program using a user with the Administrator role in Apple Business Manager or Apple School Manager and subsequently obtain tokens which allow devices to be enrolled in Apple’s beta programs without the need for the user to sign in with an Apple Account on the device.
Apple has documentation available on how to obtain these tokens using an API call to the following endpoint:
https://mdmenrollment.apple.com/os-beta-enrollment/tokens
However, the documentation does not include the specifics on how to set up the API call or the necessary OAuth authentication for it. Fortunately, the folks at HCS Technology Group have published a technical article showing how to obtain the necessary tokens using the following:
- An ADE token from your organization’s Apple Business Manager or Apple School Manager instance.
- The getBetaTokens script written by the folks from Microsoft.
For more details, please see below the jump.
Signing up for AppleSeed for IT using Apple Business Manager
Apple’s AppleSeed for IT program is designed to help enterprise and education customers test beta versions of Apple’s software.
To assist with making it easier to test these beta versions on devices, it’s possible for a user with the Administrator role in Apple Business Manager or Apple School Manager to accept the AppleSeed program’s terms and conditions on behalf of their organization. In turn, this will enable devices to be enrolled in Apple’s beta programs without the need for the user to sign in with an Apple Account on the device. For more details on how to do this, please see below the jump.
Der Flounder 
Recent Comments