Task List
| Task # | Task | Performed by |
|---|---|---|
| 1 | Prepare Jamf for use with CI Sync | Azure Admin |
| 2 | Add Jamf as a Source System using the CI Sync SaaS UI | CI Sync Admin |
| 3 | Check status of new Jamf Source System connection | CI Sync Admin |
| 4 | Perform Updates in ServiceNow (if required) | ServiceNow Admin |
| 5 | Do Not Synchronize Installed Software from two different source systems | CI Sync Admin |
Task 1: Prepare JAMF for use with CI Sync
The CI Sync agent will require Client ID and Client secret credentials to connect to JAMF. The following guide will demonstrate how to create and configure an API Client and API Role within your JAMF Pro environment to obtain the credentials.
1. Navigate to Settings and select API roles and clients.
2. Select the API Roles tab, and then click New to create a new API Role.
3. Enter a Display name for the role (for example “CISync Readonly”) and then select the role Privileges shown below.
4. Click Save.
5. Return to API roles and clients.
6. Select the API Clients tab, and then click New to create a new API Client.
7. Enter a Display name for the new API Client (for example CISync), select the API role created previously (e.g. CISync Readonly), click Enable API client, and then save.
8. Now, with the API client created, click Generate client secret.
9. On the Generate client credentials dialog, click Create secret.
10. Make a copy of the Client ID and Client Secret values.
    Data Capture Note
    - Take note of the Client ID.
    - The Client Secret is only available while you remain on this screen. You must make a copy of the secret before leaving this form.
    Make sure the secret is stored securely and in a way that can be shared with the CI Sync Admin so they can use it when they follow the instructions later on this page.
11. Click Close to be returned to the JAMF UI.
12. The JAMF environment setup is now complete. You can now proceed to the subsequent tasks below.
Data Capture Summary
As a reminder, you should have captured the following information when completing the above steps.
- The Client ID (from Step 10 above).
- The Client Secret (from Step 10 above).
Make sure any secrets or sensitive information is stored securely and in a way that can be shared with the CI Sync Admin.
The above information will be needed by the CI Sync Admin when they follow the instructions in Task 2 immediately below.
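A check the Jamf Admin can run before handing the credentials over, added here as an example (it is not Syncfish or Jamf code): it builds the client-credentials request for Jamf Pro's `/api/oauth/token` endpoint and flags any privilege on the new role that goes beyond read access. The `JAMF_*` environment variable names, the sample role record and the rule that read-only privileges start with "Read " are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_PATH = "/api/oauth/token"  # Jamf Pro OAuth client-credentials endpoint


def token_request(base_url, client_id, client_secret):
    """Build (without sending) the token request for the new API client."""
    if urllib.parse.urlsplit(base_url).scheme != "https":
        raise ValueError("refusing to send the client secret over a non-HTTPS URL")
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + TOKEN_PATH, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def fetch_token(base_url, client_id, client_secret):
    """Exchange the credentials for a bearer token; raises on HTTP 4xx/5xx."""
    req = token_request(base_url, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def excess_privileges(role):
    """Return the privileges on an API role that go beyond read access.

    Assumption: read-only privileges are the ones named "Read <Object>".
    """
    return sorted(p for p in role.get("privileges", []) if not p.startswith("Read "))


# Constructed sample of an API role record (not taken from a real instance).
SAMPLE_ROLE = {
    "displayName": "CISync Readonly",
    "privileges": ["Read Computers", "Read Mobile Devices", "Update Computers"],
}

if __name__ == "__main__":
    print("Not read-only:", excess_privileges(SAMPLE_ROLE))
    if os.environ.get("JAMF_URL"):  # only touches the network when configured
        fetch_token(os.environ["JAMF_URL"], os.environ["JAMF_CLIENT_ID"],
                    os.environ["JAMF_CLIENT_SECRET"])
        print("Client credentials accepted")
```

Reading the secret from the environment keeps it out of shell history and process listings; an HTTP 401 from `fetch_token` means the client is disabled or the secret was copied incorrectly.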
Task 2: Add Jamf as a Source System using the CI Sync SaaS UI
- Log in to your CI Sync SaaS instance at https://YourCo.syncfish.app
- In the CI Sync UI, navigate to Settings > Connections.
- Find the “SaaS Agent” sub-heading under the Source Connections section. If you don’t see “SaaS Agent”, it means your CI Sync instance hasn’t been configured for this feature. Please contact your Sync representative to discuss.
- On the right-hand side of the form, click the +Add button.
- The New Connection form now appears. Use the Connection Type drop-down list to select the source system you wish to add (in this case Jamf).
- Update the fields using these instructions:
  - Connection name
    - This is a friendly name that represents the source system connection.
    - The name you enter here will appear when you create a new sync job and are selecting from the available source system list.
    - Note: Syncfish recommend using a textual suffix on the connection name if for any reason you have set up multiple CI Sync Connections to Jamf.
  - Alias: Please ignore this field (it is not used for the CI Sync Cloud Agent and is being deprecated).
  - Environments
    - Select from the available choices Production, Test, or Production/Test (the latter being both).
    - The selection you make for this field affects which source systems appear when you create a new sync job (i.e. when you are selecting the source system list based on the “Environment” you have chosen for the sync job). See this page for more details on creating a CI Sync job: Run a Small Initial Sync Job (then run more).
    - FYI: CI Sync allows a source system to be both Production/Test because CI Sync only reads from a source system (it doesn’t write to it). Destination systems can only be Test or Production (not both).
  - JAMF URL
    - Enter the URL to your Jamf instance.
  - Client ID
    - Paste the API Client ID captured by your Jamf Admin in Task 1 above.
  - Client Secret
    - Paste the API Client Secret captured by your Jamf Admin in Task 1 above.
- Then click the Consent to update fields checkbox.
- Finally, click the Create connection button.
- You will be returned to the main settings screen and your new source system connection will appear in the list as shown below.
Task 3: Check status of new Jamf Source System connection
- To check the status of the newly added InTune Source System connection, click the green Test Connection link. This will test whether your CI Sync InTune connection can successfully reach and authenticate to the Azure Entra ID defined in the connection itself.
- If the connection is successful, you will see a green dot next to the source connection name.
- To test again in the future, you can click the green Re-Test Connection link.
- If the test is unsuccessful, you will see a red dot next to the source connection name and an error message underneath. If you need assistance resolving an error, please contact Syncfish support.
This means you are ready to run a sync job with the new source connection by following these high-level instructions: Run a Small Initial Sync Job (then run more).
Task 4: Perform Updates in ServiceNow (if required)
Guidance Note
Syncfish recommend the person setting up the source system described in this guide discusses this particular task with their ServiceNow system administrator.
A ServiceNow administrator will need to perform these steps.
Syncfish recommend following these instructions in your non-production ServiceNow environment for testing synchronization jobs.
Only once exhaustive testing in non-production is complete, repeat this process in your ServiceNow production environment.
In this section your ServiceNow SME will assess various updates to ServiceNow to support this CI Sync connector:
- Task 4a: Assess if the CMDB CI Class Models plug-in is required
- Task 4b: Assess if additional permissions are required
- Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists
Task 4a: Assess if the CMDB CI Class Models plug-in is required
A number of record sets (asset types/resource types) available to sync using the InTune Connector rely upon CMDB CI Classes that are only available via the CMDB CI Class Models plug-in.
You therefore need to install the CMDB CI Class Models plug-in to your ServiceNow instance.
If you already have the plug-in you may want to upgrade it to the latest version (as ServiceNow occasionally updates the plug-in to include extra CI Classes/tables).
| Source System | Specific Record Sets that require the CMDB CI Class Models plug-in |
|---|---|
| Jamf | |
Instructions
Follow these steps to add this plug-in (and similar steps to locate it and upgrade it if required):
- Assess the use/inclusion of this plug-in within your ServiceNow (ensure you are comfortable installing this plug-in).
- Search for Plugins via the ServiceNow navigation menu.
- Locate the CMDB CI Class Models plug-in.
- Click Add -> Install and follow the instructions provided.
Task 4b: Assess if additional permissions are required
No additional permissions are required in ServiceNow to support the CI Sync InTune connector. Therefore you can ignore/skip this task.
Task 4c: (Optional though recommended) Assess your ServiceNow CI forms and update to include additional Related Lists
Context
CI Sync populates various child tables (related lists) associated with parent CIs. The following table shows the Related Lists (per CI Class) populated by the CI Sync InTune Connector.
| CI Class | Related List | Related List Name as it appears in the ServiceNow UI when adding it to a CI Form |
|---|---|---|
| Apple Macs | Software Installations | Software Installed |
| Windows PC | Software Installations | Software Installed |
| Android | Software (via Airwatch) | Software Installed |
| iPad | Software (via Airwatch) | Software Installed |
| iPhone | Software (via Airwatch) | Software Installed |
Instructions
Below are the steps to modify a ServiceNow CI form to expose a new Related List.
- Log in to your ServiceNow instance with Admin permissions.
- Navigate to any CI in the relevant CI Class (i.e. one/all of those listed in the table in the Context section above). For example, navigate to a Windows Server CI.
- Right-click in the heading area of the form, then click Configure and then Related Lists from the sub-menus.
- Identify the Related List you want to expose on the CI form using the table in the Context section above.
- Find the Related List in the left-hand column, which lists all Available Related Lists.
- Click the Related List, click add (the selection arrow) to move the item to the Selected column, and then click Save.
- Repeat for each additional CI Class listed in the table in the Context section above.
Task 5: Do Not Synchronize Installed Software from two different source systems
Customers should be aware that if you synchronize Installed Software (i.e. the installed software applications for the same IT asset) from two different source systems (e.g. from Intune and Defender, or from Lansweeper and Defender, or InTune and SCCM, etc.) for the same device, you will end up with duplicate software instance records in your CMDB.
The cause of this issue is that the naming convention of Installed Software is inconsistent between different source systems, and therefore CI Sync cannot reliably correlate the Installed Software per CI within the CMDB. By way of example:
- In InTune, “Microsoft Teams” is stored as “MSTeams” (and there is no Manufacturer attribute in InTune).
- However, in Defender for Endpoint, “Microsoft Teams” is stored as “Teams”.
Important Recommendation from Syncfish
Syncfish do NOT recommend synchronizing Installed Software from two different source systems.
Below are some notes on how to action this advice in the CI Sync Web UI:
- When you are creating a sync job via the CI Sync UI and reach the Selections page, do not select “Software” or “Software Installs” from a given source system if you have already selected Installed Software on another source system sync job.
The screen shot below shows a sample of the Selection page for InTune as the source system for a CI Sync job. If you have selected Software Installs for InTune, you should not select Software Installs for a Microsoft Defender for Endpoint sync job (as shown on the subsequent screen shot below).
The screen shot shows the Selection page for Microsoft Defender for Endpoint as the source system for a CI Sync job. You should NOT select Software Installs via Microsoft Defender for Endpoint because you have selected Software Installs via the InTune source system.
The same logic/approach applies to any other source system that offers Installed Software, such as SCCM, Jamf, or Lansweeper. The key message is: do NOT synchronize Installed Software from two different source systems.