How Jamf’s Lean IT Team Saved 150 Hours in One Month – and How You Can Too + Video

Listen to this Post

Featured Image

Introduction:

In today’s distributed work environment, IT teams are drowning in repetitive, high-volume support tickets—lost devices, forgotten passwords, and upgrade requests that consume thousands of hours annually. Jamf, a leader in Apple device management, recently demonstrated how a lean team of 30 IT professionals reclaimed the equivalent of nearly one full-time employee’s worth of time by automating their Mac lockout and FileVault key recovery workflows. By integrating Jamf Pro with Tines’ orchestration platform, they transformed manual, ticket-based processes into self-service, API-driven automations that resolve issues in seconds rather than days.

Learning Objectives:

  • Understand the architecture and security considerations of automating FileVault recovery key retrieval and Mac remote lock operations using Jamf Pro APIs.
  • Learn how to identify, prioritize, and scale high-impact IT automation opportunities within your organization.
  • Gain hands-on knowledge of the Linux/Windows commands, API calls, and Tines workflow configurations required to implement similar automations securely.
  1. Understanding the Core Workflow: Mac Lockout and FileVault Key Recovery

Jamf’s IT automation strategy centers on two high-volume, high-friction use cases: remote device locking for lost or stolen Macs, and FileVault recovery key retrieval for users who forget their passwords. Traditionally, these requests require ticket creation, IT agent triage, manual Jamf Pro navigation, and user verification—a process that can take hours or days.

The automated workflow replaces this with a self-service model. When a user reports a lost device or requests a FileVault key via Slack, the automation platform (Tines or Console) verifies the user’s identity through Okta or Duo Security, fetches the required data from Jamf Pro via API, and delivers the result—or executes the lock command—without human intervention. All actions are logged and auditable, ensuring compliance while dramatically reducing response times.

Step‑by‑Step Guide: How to Build This Workflow

  1. Map Your Current Process: Document every step of your existing lockout and recovery workflows, including ticket creation, user verification, Jamf navigation, and resolution. Identify bottlenecks and manual handoffs.
  2. Define Automation Triggers: Decide which events will initiate the workflow (e.g., Slack command, email to a service desk, or a form submission). For Slack-based triggers, configure a bot that listens for specific keywords like “/lost-my-mac” or “/get-filevault-key”.
  3. Implement Identity Verification: Integrate your identity provider (Okta, Azure AD, or Duo) to verify the user’s identity before any sensitive action is taken. This step is critical for preventing unauthorized access to recovery keys or device lock functions.
  4. Connect to Jamf Pro API: Use Jamf Pro’s REST API endpoints to perform actions programmatically. For FileVault key retrieval, the endpoint is `/v1/computers-inventory/filevault` (requires the “View Disk Encryption Recovery Key” privilege). For remote lock, use the lock command via the Jamf Pro API or MDM command endpoint.
  5. Build the Orchestration Logic: Using Tines (or a similar no-code/low-code platform), create a workflow that chains these steps together: trigger → identity verification → Jamf API call → response delivery (Slack DM or email).
  6. Add Approval Gates (Optional): For sensitive operations, configure manager approval or additional Okta verification before the key is released or the lock is executed.
  7. Test and Deploy: Run the workflow with a pilot group of users, monitor for errors, and refine the logic. Once stable, roll out to the entire organization.

  8. Securing API Access: Best Practices for Jamf Automation

Any automation that interacts with Jamf Pro’s API introduces security risks—especially when dealing with sensitive data like FileVault recovery keys, which are plaintext and grant full disk access. Jamf and security experts recommend a multi-layered approach to API security.

The Jamf API CLI Tool (apitokentool), developed by Howard Griffith at the University of Texas at Austin, provides a robust security model. Instead of embedding obfuscated API credentials directly in scripts—a common but dangerous practice—this tool uses device-level authentication and signed binaries to deliver temporary bearer tokens.

Step‑by‑Step Guide: Implementing Secure API Access

  1. Generate Client Token Keys: Create unique client token keys for each device or group of devices that will need API access.
  2. Configure Webhook Responders: Set up two webhook responders—one for initialization and one for authorization. The initialization webhook verifies the device’s serial number and the tool’s digital signature; the authorization webhook authenticates the client token key and returns a scoped API bearer token.
  3. Create Config Profiles: In Jamf Pro, create configuration profiles that deploy the client token keys to managed devices.
  4. Set Up API Users with Least Privilege: Create dedicated API user accounts in Jamf Pro with the minimum permissions required for each automation (e.g., read-only for key retrieval, write for lock commands).
  5. Sign the Binary: Use an organizationally-recognized Apple Developer signing certificate to sign the apitokentool binary. This ensures that only authorized, unaltered tools can request tokens.
  6. Deploy and Test: Deploy the apitokentool package and config profiles to test devices, then run scripts that invoke the tool to verify functionality.
  7. Roll Out to Production: Once validated, deploy to all appropriate devices and update existing scripts to use the apitokentool for API calls.

Linux/macOS Command Examples (for Jamf-Managed Macs):

 Re-issue a FileVault Personal Recovery Key and escrow it to Jamf Pro
sudo jamf recon
sudo fdesetup list  Verify existing keys
 Run a custom script to reissue the key (example from GitHub)
sudo /path/to/FileVault-PRK-Reissue.sh

Windows Command Examples (for Jamf admins managing Windows via API):

 Using curl to test Jamf Pro API connectivity (replace placeholders)
curl -X GET "https://your-instance.jamfcloud.com/JSSResource/computers" ^
-H "Accept: application/json" ^
-H "Authorization: Bearer YOUR_TOKEN"

3. Identifying and Prioritizing Automation Opportunities

Not every IT task is a good candidate for automation. Jamf’s team succeeded because they focused on high-volume, rules-based workflows that were both repetitive and time-consuming. To replicate their success, conduct an automation audit using these criteria:

  • Volume: How many tickets of this type are received per month?
  • Time: How much time does each ticket consume (including triage, verification, and resolution)?
  • Complexity: Is the workflow rules-based and predictable, or does it require subjective judgment?
  • Risk: Can the automation be safely implemented with appropriate guardrails (identity verification, approval gates, logging)?

Step‑by‑Step Guide: Scaling Automation Across Your Organization

  1. Analyze Ticket Data: Export your ITSM ticket data (e.g., from ServiceNow or Jira) and categorize requests by type. Rank them by volume and average handling time.
  2. Select High-Impact Candidates: Choose 2–3 workflows that score high on volume, time, and rule-based complexity. FileVault key recovery and remote device lock are excellent starting points for Apple-centric organizations.
  3. Build a Business Case: Calculate the potential time savings (e.g., 150 hours/month) and translate that into cost savings or reallocated FTE capacity.
  4. Pilot with a Small Group: Implement automation for a single team or department first. Gather feedback, measure success metrics (reduced ticket volume, faster resolution times), and refine the workflow.
  5. Champion the Program: Present results to leadership and stakeholders. Use data to demonstrate ROI and secure buy-in for broader rollout.
  6. Scale Gradually: Roll out automation to additional teams and workflows. Continuously monitor for errors, security incidents, and user satisfaction.

  7. Automating macOS Software Updates with Self-Service Patch Management

Beyond lockout and recovery, Jamf and Tines have collaborated to automate macOS software updates using a ring-based deployment model. This automation allows users to opt-in to pilot testing groups via Tines pages, enabling IT to validate updates with early adopters before broad rollout. The result is a balance between user empowerment, system stability, and reduced attack surface.

Step‑by‑Step Guide: Implementing Self-Service Patch Management

  1. Define Update Rings: Create pilot (ring 0) and production (ring 1) groups in Jamf Pro based on device criteria (e.g., department, device model, or voluntary opt-in).
  2. Build a User-Facing Interface: Use Tines pages (or a similar tool) to allow users to join or leave the pilot group. This interface should also display current OS version, available updates, and opt-in status.
  3. Automate Policy Scoping: When a user opts in, the workflow updates the device’s Jamf Pro group membership, which in turn scopes the appropriate patch policy to that device.
  4. Schedule Rollouts: Configure policies to push updates to the pilot group immediately, then to the production group after a defined period (e.g., one week) if no critical issues are reported.
  5. Monitor and Report: Track update success rates, user opt-in/opt-out patterns, and any rollback requests. Use this data to refine your update strategy.

  6. Integrating with ITSM and Security Tools for End-to-End Visibility

Automation doesn’t operate in a silo. Jamf’s team integrated their workflows with Jira for ticketing and ServiceNow for ITSM, ensuring that every automated action is tracked and auditable. This integration provides several benefits:

  • Audit Trail: Every automated action (key retrieval, device lock, update approval) is logged in the ITSM system, providing a complete record for compliance reviews.
  • Incident Response: When a device is reported lost or stolen, the workflow can automatically create a security incident ticket, lock the device, and notify the security team.
  • User Communication: Automated Slack or email notifications keep users informed at every step, reducing follow-up tickets.

Step‑by‑Step Guide: Integrating Automation with ITSM

  1. Map Existing ITSM Processes: Document how tickets are currently created, updated, and resolved for lockout and recovery requests.
  2. Configure API Connections: Set up API integrations between your automation platform (Tines) and your ITSM tool (ServiceNow, Jira). Use pre-built connectors where available.
  3. Create Automation Logic: In the workflow, add steps that create tickets, update statuses, and add comments based on automation outcomes.
  4. Define Notification Rules: Configure Slack or email notifications for users (e.g., “Your FileVault key has been sent via DM”) and for IT teams (e.g., “Device locked successfully – ticket updated”).
  5. Test End-to-End: Run the complete workflow from user request to ITSM update, verifying that all integrations function correctly and that audit logs are complete.

6. Command-Line and API Reference for Jamf Automation

For administrators who prefer scripting over no-code platforms, here are essential commands and API calls:

Jamf Pro API – Retrieve FileVault Recovery Key (cURL):

curl -X GET "https://your-instance.jamfcloud.com/api/v1/computers-inventory/filevault?page=0&page-size=100" \
-H "accept: application/json" \
-H "Authorization: Bearer YOUR_API_TOKEN"

Jamf Pro API – Lock a Computer (cURL):

curl -X POST "https://your-instance.jamfcloud.com/JSSResource/computercommands/command/Lock" \
-H "Content-Type: application/xml" \
-H "Authorization: Bearer YOUR_API_TOKEN" \
-d "<computer><id>123</id><passcode>123456</passcode><lock_message>Device reported lost. Please contact IT.</lock_message></computer>"

macOS Terminal – Reissue FileVault Recovery Key:

 Ensure the Mac is connected to the internet
sudo jamf recon
 Check existing FileVault users
sudo fdesetup list
 Reissue a new recovery key (requires a script or policy)
sudo /path/to/reissue_filevault_recovery_key.sh

Windows PowerShell – Test Jamf API Connectivity:

$headers = @{
"Authorization" = "Bearer YOUR_API_TOKEN"
"Accept" = "application/json"
}
Invoke-RestMethod -Uri "https://your-instance.jamfcloud.com/JSSResource/computers" -Headers $headers -Method Get

What Undercode Say:

  • Key Takeaway 1: Automation is not about replacing IT staff—it’s about reallocating their time from repetitive, low-value tasks to strategic initiatives that drive business value. Jamf’s 150-hour monthly saving equates to nearly one additional FTE without hiring.

  • Key Takeaway 2: Security must be baked into automation from the start. Using tools like the Jamf API CLI Tool and integrating identity verification (Okta/Duo) ensures that automation doesn’t introduce new vulnerabilities.

Analysis: The Jamf case study demonstrates a mature approach to IT automation that balances speed, security, and user experience. By focusing on high-volume, rules-based workflows—FileVault key recovery and remote device lock—they achieved immediate, measurable ROI. The integration with Tines (and Console) provides a no-code orchestration layer that bridges Jamf Pro with identity providers, ITSM tools, and communication platforms like Slack. This architecture is highly replicable for any organization using Jamf, regardless of size. The key success factors are: (1) starting with a clear automation strategy that prioritizes high-impact workflows, (2) implementing robust API security with least-privilege access and device-level authentication, and (3) integrating automation with existing ITSM and communication tools to maintain auditability and user transparency. As remote and hybrid work continues to expand, such automations will become not just advantageous but essential for IT teams to maintain service levels without scaling headcount proportionally.

Prediction:

  • +1 The adoption of AI-driven decision-making within automation workflows (e.g., using device metadata to auto-approve or deny upgrade requests) will further reduce manual intervention, potentially cutting ticket volumes by an additional 30–50% within the next 18 months.

  • +1 As API security tools like the Jamf API CLI Tool mature and gain broader adoption, organizations will be able to safely automate an even wider range of sensitive operations, including certificate management and compliance enforcement, without increasing risk.

  • -1 The proliferation of automation may lead to over-reliance on self-service workflows, potentially reducing IT’s visibility into emerging issues or user pain points if monitoring and feedback loops are not properly maintained.

  • -1 Without strict API rate limiting and concurrent connection controls (Jamf recommends no more than 5 concurrent connections), large-scale automation rollouts could inadvertently degrade Jamf Pro performance or trigger API throttling.

  • +1 The integration of automation platforms with SIEM and threat intelligence feeds (as seen with Tines ingesting over 150,000 IOCs in a month) will enable real-time, automated responses to security incidents—locking compromised devices and revoking access before human analysts can even triage.

▶️ Related Video (74% Match):

https://www.youtube.com/watch?v=_3KdG0TZ5ZA

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Jhaddix Thank – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky