With the addition of the entity fieldset to ECS, the following fields need to be mapped for the Jamf Pro integration:
host.entity.attributes.managed
Populate from jamf_pro.inventory.general.remote_management.managed.
-
host.os.version
Populate from jamf_pro.events.event.computer.os_version. It is being mapped to os.version at the moment. It requires to enable operating system section in integration's config.
-
host.entity.lifecycle.last_activity
Events data stream: jamf_pro.events.webhook.event_timestamp is the timestamp of real-time webhook events.
Inventory data stream: jamf_pro.inventory.general.last_contact_time is the most recent MDM communication recorded by the server.
user.entity.relationships.owns
Populated from jamf_pro.inventory.user_and_location.*.
No dedicated "ownership" endpoint exists in the v1 API. The device-user assignment is exclusively surfaced through the USER_AND_LOCATION section of /api/v1/computers-inventory.
With the proposed assigment, it reflects that the device is assigned to/owned by this user (Jamf's asset assignment model).
USER_AND_LOCATION section is opt-in (enable_section_user_and_location: false by default).
Update: As recently discussed this field only reflects the direction owner -> owned, so this will remain unpopulated from the integration as the user_and_location section for devices entities show the opposite way. It reflects the owners for each device, instead of the owned devices. It should be correlated in later steps of the processing.
It is not being populated user.group in Jamf Pro integration. Populate from jamf_pro.inventory.group_memberships.group_name. Document that it requires Enable Group membership data in the integration config.
user.entity.attributes.administered_by
Combined from jamf_pro.inventory.local_user_accounts[*].username (when admin ==true). LOCAL_USER_ACCOUNTS section is opt-in (enable_section_local_user_accounts: false by default).
Apart from local admin accounts, it is recommended to add a new API call to get LAPS-managed admin accounts. It requires a new API call per device to https://developer.jamf.com/jamf-pro/reference/get_v2-local-admin-password-clientmanagementid-accounts.
Add a per-device second request using general.management_id as clientManagementId. Not recommended as default, add a new option flag.
For documentation: additional required privilege "Read Local Admin Password".
Update: this endpoint https://developer.jamf.com/jamf-pro/reference/get_v2-local-admin-password-clientmanagementid-accounts provides the admin accounts for a device that are LAPS capable. This is a subgroup of admin accounts that are already located at jamf_pro.inventory.local_user_accounts[*]. Therefore, we are not adding that extra API call.
With the addition of the entity fieldset to ECS, the following fields need to be mapped for the Jamf Pro integration:
host.entity.attributes.managedPopulate from
jamf_pro.inventory.general.remote_management.managed.host.os.versionPopulate from
jamf_pro.events.event.computer.os_version. It is being mapped toos.versionat the moment. It requires to enable operating system section in integration's config.host.entity.lifecycle.last_activityEvents data stream:
jamf_pro.events.webhook.event_timestampis the timestamp of real-time webhook events.Inventory data stream:
jamf_pro.inventory.general.last_contact_timeis the most recent MDM communication recorded by the server.user.entity.relationships.ownsPopulated from
jamf_pro.inventory.user_and_location.*.No dedicated "ownership" endpoint exists in the v1 API. The device-user assignment is exclusively surfaced through the USER_AND_LOCATION section of /api/v1/computers-inventory.
With the proposed assigment, it reflects that the device is assigned to/owned by this user (Jamf's asset assignment model).
USER_AND_LOCATION section is opt-in (enable_section_user_and_location: false by default).
Update: As recently discussed this field only reflects the direction
owner -> owned, so this will remain unpopulated from the integration as theuser_and_locationsection for devices entities show the opposite way. It reflects the owners for each device, instead of the owned devices. It should be correlated in later steps of the processing.user.groupIt is not being populated
user.groupin Jamf Pro integration. Populate fromjamf_pro.inventory.group_memberships.group_name. Document that it requires Enable Group membership data in the integration config.user.entity.attributes.administered_byCombined from
jamf_pro.inventory.local_user_accounts[*].username(when admin ==true). LOCAL_USER_ACCOUNTS section is opt-in (enable_section_local_user_accounts: false by default).Apart from local admin accounts, it is recommended to add a new API call to get LAPS-managed admin accounts. It requires a new API call per device to https://developer.jamf.com/jamf-pro/reference/get_v2-local-admin-password-clientmanagementid-accounts.
Add a per-device second request using general.management_id as clientManagementId. Not recommended as default, add a new option flag.
For documentation: additional required privilege "Read Local Admin Password".
Update: this endpoint https://developer.jamf.com/jamf-pro/reference/get_v2-local-admin-password-clientmanagementid-accounts provides the admin accounts for a device that are LAPS capable. This is a subgroup of admin accounts that are already located at
jamf_pro.inventory.local_user_accounts[*]. Therefore, we are not adding that extra API call.