Gone are the days of rigid admin roles that either granted full access or left team members in the cold with zero control. Now, with granular role-based access to Jamf Remote Management Commands, you can empower your team with precision—giving them exactly the access they need and nothing more. Here’s how this new functionality works and why it’s a game-changer for Jamf management.
Why This Matters
In the past, your ServiceNow team had limited options: either they were full Jamf Admins with unrestricted access to all Remote Management Commands in the ITS Jamf Integration or had no control at all. Now, each command has its own application role so you can easily assign granular roles to users, granting them access to only the Remote Management Commands they need. This helps reduce the risk of error and enhances security while ensuring the right ServiceNow users have the right level of access to support Mac users across your organization.
Breaking Down the New Granular Roles
With the Jamf 2.3.0 update, ServiceNow administrators can assign one or more of the roles tailored to each of the 15 Remote Management Command. Now, you can grant distribute control with precision and be more selective about who can perform powerful commands like Lock Device or Erase Device and who can perform less impactful commands like Enable or Disable Bluetooth.
These are the roles now available and the Remote Management Commands they grant access to:
|
Application |
Command |
Command |
|
X_itsp_its_jamf.jamf_admin |
*All Commands* |
Ability to view and execute all commands is granted by the integration’s ‘jamf_admin’ role. Previously this was the only option, making it 'all or nothing'! |
|
x_itsp_its_jamf.blank_push |
Blank Push |
Sends a blank push notification, prompting the computer to check in with Apple Push Notification service (APNs) |
|
x_itsp_its_jamf.enable_bluetooth |
Enable Bluetooth |
Enables Bluetooth on the computer. The target computer must be on OS version 10.13.4 or later. |
|
x_itsp_its_jamf.disable_bluetooth |
Disable Bluetooth |
Disables Bluetooth on the computer |
|
x_itsp_its_jamf.enable_remote_desktop |
Enable Remote Desktop |
Enables remote desktop on the computer. The target computer must be on OS version 10.14.4 or later. |
|
x_itsp_its_jamf.erase_device |
Erase Device |
Permanently erases all data on the computer. To restore the computer to factory settings, the user must enter the 6 digit passcode specified, and then reinstall the operating system |
|
x_itsp_its_jamf.lock_device |
Lock Device |
Logs the user out of the computer, restarts the computer, and locks it. To unlock, the user must enter the 6 digit passcode specified. |
|
x_itsp_its_jamf.retrieve_filevault_recovery_key |
Retrieve FileVault Recovery Key |
Get the computer’s FileVault recovery key where it is stored in Jamf |
|
x_itsp_its_jamf.schedule_os_update |
Schedule OS Update |
Updates the OS version and built-in apps on the computer. You can choose to download the update for users to install, or to download and install the update and restart computers after installation |
|
x_itsp_its_jamf.schedule_os_update_and_install |
Schedule OS Update and Install |
Updates the OS version and built-in apps on the computer. You can download and install the update and restart computers after installation |
|
x_itsp_its_jamf.sync_computer_from_jamf |
Sync Computer from Jamf |
Update a CI on demand with latest data available in Jamf |
|
x_itsp_its_jamf.unlock_user_account |
Unlock User Account |
Unlocks a local user account that has been locked due to too many failed password attempts |
|
x_itsp_its_jamf.unmanage_device |
Unmanage Device |
Removes the MDM profile from the computer, along with any configuration profiles that were distributed with Jamf Pro. If the MDM Profile is removed, you can no longer send remote commands or distribute configuration profiles to the computer |
|
x_itsp_its_jamf.initiate_remote_assist_session |
Initiate Remote Assist Session |
Provides guidance for initiating Remote Assist Session over SSH |
By using this table, admins can clearly see the scope of each role and assign them appropriately to different team members. If someone doesn't have one of the roles above, they won't have access to the corresponding Remote Management Command. This improves operational efficiency without sacrificing security.
View the ITS Jamf Integration on the ServiceNow Store →
How to Implement Role-Based Controls in ServiceNow
The power of this new Jamf update lies in how easy it is to implement. By navigating to the *ITS Jamf Remote Management Command Settings* table in ServiceNow, administrators can configure access roles. Each command now has its own dedicated role, and you can assign roles that fit your team’s unique needs without granting unnecessary permissions.
When a Jamf Admin user logs onto the SN instance, this is what their view of the ITS Jamf Remote Management Command Settings table looks like. They can activate or deactivate commands and easily see, or even modify, which roles are required to use each command:
Users with the integration's Jamf Admin role can also perform any of the commands from a computer record and see all actions logged in the Remote Management Command History table:
Below is an example of how one of the granular controls looks on the platform:
*Figure 1: Example of granular command roles configuration in ServiceNow.*
Every time a user executes one of these commands, the action is logged in the Jamf Remote Management Command History table and users can only see logs if they have a command's corresponding role. This allows administrators to maintain a full audit trail of who executed what command and when, but limits who can see sensitive data like unlock codes.
Testing with Different User Archetypes
Singular Role User ("Level 1 Help Desk" example)
With one assigned granular role and the baseline role Jamf User [x_itsp_its_jamf.jamf_user] – This is a user that is typically responsible for testing/validation. In this demo scenario, the user is given the role, Blank Push [x_itsp_its_jamf.blank_push]. This is what they can expect to see on the ServiceNow platform with the one granular, specified role and the one baseline Jamf User role:
Before - Without granular control, you might want to enable Help Desk fulfillers to do Blank Push but only want admins to Lock or Erase Device. Giving all Help Desk users access to all commands opens up more risk and may lead to accidents.
After - The user can only see the “Blank Push” command, reducing the complexity of their interface and ensuring they can only perform commands appropriate for their role.
*Figure 2: Singular role user interface displaying only the Blank Push command histories.*
Multi-Role User ("Level 2 Help Desk" example)
This user might have a few more responsibilities—such as enabling/disabling Bluetooth or locking devices. They are assigned three roles and can see and execute those commands without full admin privileges.
This is a user that has a more technical dimension in their day-to-day role. In this demo scenario, the user is given the roles:
Clicking the ITS Jamf Remote Management Suite UI Action on a Computer record registered within the ITS Jamf integration, one can verify that the user only has access to the specified, three Remote Management commands (Enable Bluetooth, Disable Bluetooth, and Lock Device).
Further Notes about the Different Roles and Security Configuration for Jamf Remote Management Commands:
The Read ACLs for both the ITS Jamf Remote Management History Table and the ITS Jamf Remote Management Command Settings table have been updated to check if the logged in user has the specified command roles they are trying to access.
These examples highlight the new flexibility you now have to tailor roles and access levels for your team, making for smoother, more secure support operations.
View the ITS Jamf Integration on the ServiceNow Store →
The latest Jamf 2.3.0 update represents a major step forward in the ITS Jamf Integration with ServiceNow. By granting users only the access they need through role-based controls, you enhance security and productivity across your organization. Whether your team is large or small, these granular controls will empower them to work more effectively without the risks of full admin access.