Automating Apple endpoint management with Git, CI/CD and Terraform
Managing multiple Jamf Pro instances at scale can lead to repetitive, error-prone work that consumes valuable admin time. At JNUC 2025, experts Tristan Valente, Tech Lead at Netopie, and Neil Martin, Senior Systems Engineer, MSP Services at Jamf demonstrated how to solve this with infrastructure as code (IaC). By using tools like Git and Terraform, IT admins and Managed Service Providers (MSP) can automate deployments, enforce standards, and create a full continuous integration/continuous deployment (CI/CD) pipeline for safer, faster, and smarter Apple endpoint management.
Key facts:
- An IaC approach helps solve the challenges of managing multiple unique Jamf Pro instances.
- Automating with IaC allows administrators to version, review and promote configuration changes with a full audit trail.
- The ultimate goal is to efficiently spin up, scale and standardize multi-tenant Jamf environments.
What challenges does infrastructure as code solve for Jamf admins?
For IT administrators and MSPs, managing multiple Jamf Pro instances manually is slow, inconsistent and prone to human error. Infrastructure as code provides a scalable and reliable solution, forming the foundation for a full CI/CD pipeline that automates deployment and reduces operational risk. This automation journey leads to CI/CD, which can be thought of as an assembly line for your code where changes are built, tested and shipped with minimal human intervention.
Valente detailed the challenges of managing over 150 Jamf Pro instances, each with its own complex mix of sites, use cases and administrator changes. The process is filled with repetitive tasks that are ideal for automation. As he noted, when building a new Jamf instance from scratch, “every time it is a lot of clicking, a lot of setup steps and a lot of errors too, unfortunately.” This manual effort not only slows down operations but also introduces inconsistencies that are difficult to track and remediate, making a strong case for a code-based approach.
How does a Git-based template standardize Jamf Pro configuration?
Storing a standardized Jamf Pro configuration template in Git provides a version-controlled, single source of truth that documents every policy, profile and script, enabling consistent deployments and collaborative review. Netopie’s strategy centers on a master template stored in GitLab that contains all the building blocks for a successful Jamf Pro deployment. This includes everything from policies and configuration profiles to scripts, extension attributes and more.
A key part of their method is that every machine-readable configuration file is paired with a human-readable Markdown file. This allows admins to quickly understand a setting’s purpose, scope and history without having to parse a raw configuration profile or script file. This system provides clear versioning for releases, full visibility into changes and an audit trail for compliance, all without giving auditors direct access to the Jamf Pro console.
What is Terraform and how does it provision Jamf Pro resources?
Terraform is a command-line tool from HashiCorp that lets you define and provision infrastructure using a declarative language. For Jamf admins, it uses plugins called “providers” to translate that code into API calls, automating the creation and management of Jamf Pro objects. The community-driven Jamf Pro provider, created and maintained by customers at Lloyds Banking Group, allows you to define nearly any Jamf Pro component — from policies, scripts and configuration profiles to static groups and settings — as code.
In Terraform, you declare the desired state of your infrastructure in configuration files. A “resource” represents an infrastructure object, like a Jamf Pro policy. A “data source” allows you to fetch read-only information, such as the contents of a smart group, to use elsewhere in your configuration. Martin explains that the provider “takes away any kind of messing around you need to know about that API.” This abstraction lets you focus on defining what you want to create, not the specific API requests required to do it.
What does a Terraform workflow look like in practice?
The standard init, plan, and apply workflow gives you a safe, predictable and auditable way to deploy infrastructure changes. It shows you exactly what will be created, modified or destroyed before you approve the action, dramatically reducing the risk of unintended consequences. In the session, they showcased this process by creating a static computer group, a script and a policy scoped to the new group.
The core commands are straightforward:
terraform init: Prepares your project by downloading the necessary providers, such as the Jamf Pro provider.terraform plan: Creates an execution plan that compares your desired state (your code) to the current state in Jamf Pro and shows you the difference.terraform apply: Executes the plan to bring the Jamf Pro environment in line with your code.
What’s new for automation with the Jamf Platform API?
The new Jamf platform provider for Terraform extends infrastructure as code capabilities to modern Jamf features, enabling you to manage Compliance Benchmarks and Blueprints programmatically. Developed and maintained by Jamf, this new provider works alongside the existing Jamf Pro provider to give you a unified workflow for managing both Jamf Pro and Jamf platform resources. It’s in its early days, but more resources will be added as more Jamf platform APIs become available.
This powerful new tool was put to the test live on stage during the JNUC keynote. “By the way, that keynote where they ran the pull request to create a blueprint was real,” Martin confirmed. “It ran that provider, no smoke and mirrors… that was a real pipeline doing the thing.” This real-world demonstration proves that admins can now apply the same GitOps principles to manage the entire lifecycle of their compliance and device configuration workflows, from creation to deployment, all through version-controlled code.
Key takeaways
- Use Git to store and version your Jamf Pro configuration as a single source of truth, creating a complete audit trail.
- Use Terraform and the open-source Jamf Pro provider to automate the deployment and lifecycle management of your Jamf Pro objects.
- Integrate Git and Terraform into a CI/CD pipeline (using tools like GitLab CI or GitHub Actions) to fully automate testing and deployment.
- Explore the new Jamf Platform provider to start managing modern resources like Blueprints and Compliance Benchmarks as code.
