Jamf Pro Secret Template for RPC

Overview

This document briefly discusses using Secret Server Remote Password Changing (RPC) for a Jamf Pro Account. With Remote Password Changing (RPC), secrets can automatically change remote account passwords when a secret expires, either immediately or on a defined schedule. In addition, the new passwords’ strengths and other qualities are completely configurable. See the Password Changer List for a complete list of available password changers.

Jamf Pro is a comprehensive enterprise mobility management (EMM) tool for Apple devices, used by medium to large organizations for device deployment, inventory, security management, software distribution, and patch management. The Jamf Pro RPC template in Secret Server supports both Remote Password Changing and Heartbeat for locally managed Jamf Pro user accounts, with password operations performed through the Jamf Pro API using Bearer Token authentication.

Supported Account Types

This template rotates passwords for locally managed Jamf Pro accounts, including:

  • Local user accounts — Standard users created and authenticated within Jamf Pro’s native authentication.

  • Administrator accounts — Accounts with administrative privileges, or accounts assigned an API Role/Client with permission to manage other users’ accounts and passwords.

Accounts authenticated through LDAP, SSO, or other external identity providers are not supported. Manage those passwords through the external identity provider.

Use Cases

  • Heartbeat — Secret Server periodically validates that the stored Jamf Pro credentials are still correct against the Jamf Pro API.

  • Password rotation — The privileged account changes the password for a target Jamf Pro user via the Jamf Pro API.

Prerequisites

Jamf Pro

The following must be in place on the Jamf Pro instance before setup. This section does not cover Jamf Pro installation or deployment.

  • Jamf Pro instance — A running, accessible Jamf Pro environment (on-premises or cloud-hosted).

  • Jamf Pro API access — The Jamf Pro API must be reachable from the Secret Server Distributed Engine. For on-premises instances, the default management port is 8443 (HTTPS). For cloud-hosted instances, use the standard HTTPS URL (for example, https://[instance].jamfcloud.com).

  • Bearer Token authentication — The Jamf Pro API uses Bearer Token authentication; Basic authentication is deprecated as of Jamf Pro 11.5.0. Secret Server uses an API Client or admin credentials to obtain a token via POST /api/v1/auth/token, then sends that token in the Authorization header of each subsequent request.

  • Admin-level Jamf Pro account — An account with administrative privileges, or an API Role/Client with permissions to manage other users’ accounts and passwords. This account serves as the Privileged Account in Secret Server.

  • Network connectivity — The Secret Server Distributed Engine must have HTTPS network access to the Jamf Pro API endpoint (https://[jamf-host]:8443 for on-premises or https://[instance].jamfcloud.com for cloud).
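The Heartbeat use case and the Bearer Token prerequisite above describe the same exchange: present the stored Jamf Pro credentials to POST /api/v1/auth/token, and treat a returned token as proof that the password is still valid. The following Python is an added example of that check, not Secret Server's or Jamf's own code. It assumes that the token endpoint accepts the account's username and password as HTTP Basic credentials and answers with a JSON body containing a "token" field; the transport parameter and fake_jamf_transport are hypothetical seams so the logic can run offline against a constructed stand-in.

```python
"""Heartbeat-style credential check against the Jamf Pro token endpoint.

Added example; assumes POST /api/v1/auth/token takes HTTP Basic credentials
and returns JSON with a "token" field. Host, user and password values below
are constructed placeholders.
"""
import base64
import json
import urllib.error
import urllib.request

TOKEN_PATH = "/api/v1/auth/token"


def build_token_request(host, username, password):
    """Build the URL and headers for the token request.

    The credentials ride in an HTTP Basic header for this one call only;
    every later call uses the issued bearer token instead (assumption)."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = host.rstrip("/") + TOKEN_PATH
    headers = {"Authorization": "Basic " + cred, "Accept": "application/json"}
    return url, headers


def urllib_transport(method, url, headers, body=None):
    """Real HTTPS transport: returns (status, raw_body) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def fake_jamf_transport(method, url, headers, body=None):
    """Constructed stand-in for a Jamf Pro instance (not real Jamf behaviour).

    Only user 'svc' with password 'correct' is issued a token; anything else
    gets 401, mirroring the failure a heartbeat must report."""
    expected = "Basic " + base64.b64encode(b"svc:correct").decode()
    if method != "POST" or not url.endswith(TOKEN_PATH):
        return 404, b""
    if headers.get("Authorization") != expected:
        return 401, b""
    payload = {"token": "constructed-token", "expires": "2030-01-01T00:00:00Z"}
    return 200, json.dumps(payload).encode()


def heartbeat(host, username, password, transport=urllib_transport):
    """Return (ok, reason). ok is True only when the API actually issued a token.

    A 401 is the expected signal that the stored password no longer matches;
    any other non-200 status is reported separately so an outage is not
    mistaken for a bad credential."""
    url, headers = build_token_request(host, username, password)
    status, raw = transport("POST", url, headers)
    if status == 401:
        return False, "credentials rejected (401)"
    if status != 200:
        return False, f"unexpected HTTP {status}"
    try:
        token = json.loads(raw).get("token")
    except ValueError:
        return False, "non-JSON response"
    if not token:
        return False, "no token in response"
    return True, "token issued"


def bearer_headers(token):
    """Headers for follow-up Jamf Pro API calls once a token is held."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


if __name__ == "__main__":
    host = "https://jamf.example.com:8443"  # constructed placeholder host
    print(heartbeat(host, "svc", "correct", transport=fake_jamf_transport))
    print(heartbeat(host, "svc", "stale", transport=fake_jamf_transport))
```

Swapping fake_jamf_transport for urllib_transport runs the same check against a live instance; the Distributed Engine needs exactly the HTTPS reachability listed above for that call to succeed. Keeping the 401 case distinct from other failures matters operationally: a rejected credential means the secret is out of sync and should be rotated, while a timeout or 5xx means the heartbeat itself could not be evaluated.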

Secret Server

  • Remote Password Changing: Enabled in your Secret Server instance.

  • Distributed Engine: Configured, online, and with HTTPS network access to the Jamf Pro API endpoint.

  • Secret templates: The Jamf Privileged Account and Jamf Account templates available in your Secret Server instance.

Configuration

Step 1: Create the Privileged Account Secret

The privileged account secret stores the credentials of the Jamf Pro account that Secret Server uses to rotate passwords for other users.

  • Navigate to Secrets and click Create Secret.

  • Select the Jamf Privileged Account template.

  • Enter a Secret Name (for example, Jamf Pro Admin - Privileged).

  • In Host, enter the Jamf Pro URL (for example, https://[jamf-host]:8443 for on-premises or https://[instance].jamfcloud.com for cloud).

  • Enter the Username and Password of the Jamf Pro admin account.

  • Click Create Secret.

Step 2: Create the Target User Secret

The target user secret stores the credentials of the Jamf Pro account whose password Secret Server will rotate and monitor.

  • Navigate to Secrets and click Create Secret.

  • Select the Jamf Account template.

  • Enter a Secret Name (for example, Jamf Pro - [username]).

  • In Host, enter the Jamf Pro URL (see Step 1).

  • Enter the Username and Password of the target Jamf Pro user account.

  • Click Create Secret.

  • Select the Remote Password Changing tab.

  • In RPC / Autochange, click Edit.

  • For Change Password Using, select Privileged Account Credentials.

  • Click No Secret Selected and search for the privileged account secret created in Step 1.

  • Click Save.

Step 3: Verify Password Rotation and Heartbeat

After setting up RPC, verify that both Heartbeat and password rotation work correctly.

Test Heartbeat

  • On the target user secret’s Overview tab, locate the Expiration and heartbeat section.

  • Trigger a Heartbeat and verify that Last Heartbeat Status shows a successful result.

Test Password Rotation

  • Trigger a manual password rotation (Change Password Now) on the target user secret. Test both manual and auto-generated passwords. Confirm the operation completes successfully and the secret’s password value updates.

  • Log in to Jamf Pro with the target user account using the new rotated password to confirm the change took effect.

  • After rotation, verify the Heartbeat status remains successful.