Help

Jamf Extension Attributes

peterlbk
Contributor II
‎05-22-2025 11:00 AM

As organizations scale their Apple device deployments, maintaining visibility, control, and compliance across endpoints becomes increasingly complex. Jamf offers a powerful yet often underutilized feature to address this challenge: Extension Attributes. These customizable data points enable administrators to extend the default inventory capabilities of Jamf Pro, creating a more detailed, flexible, and actionable view of managed devices.  

What Are Jamf Extension Attributes? 

Extension Attributes (EAs) in Jamf Pro are custom scripts or input fields that gather specific information about devices beyond the standard inventory data (e.g., OS version, hardware model, serial number). Admins can write scripts—typically in Bash, Python, or Zsh—that query system details during inventory collection. The results are stored in the Jamf database and can be used in smart groups, reports or policies.  

For example, an EA can report whether FileVault is enabled, if a specific application is installed, or the last time a device ran a security scan. These attributes unlock granular insights that are critical for compliance, auditing, and proactive support.  

 

Use Cases for Extension Attributes  

  1. Security Compliance Monitoring Organizations can use EAs to detect the presence of unauthorized software, confirm the status of security configurations like firewall, SIP (System Integrity Protection), or Gatekeeper, and monitor antivirus installations. This allows IT and security teams to enforce endpoint compliance more effectively.  
  2. Application Version Tracking EAs are frequently used to extract the version of installed apps—particularly third-party software not tracked by Jamf’s default inventory (for example Oracle Java) . This helps ensure devices are running up-to-date applications, and simplifies patch management workflows.  
  3. User and Department Mapping EAs can help map device assignments by collecting user information like department or location data.  
  4. Custom Hardware Reporting Information such as the number of battery cycles, disk type (SSD vs HDD), or connected peripherals can be obtained with EAs, providing a richer hardware inventory view.  

 

Advantages of Using Extension Attributes  

  • Customization: EAs offer tailored data collection based on an organization’s specific needs. Whether for education, healthcare, or enterprise IT, admins can adapt inventory tracking to any operational requirement.  
    • Automation-Ready: Since EAs integrate with smart groups and policies, they facilitate automated actions—such as enforcing encryption on devices missing FileVault or triggering updates on outdated software.  
    • Enhanced Reporting and Auditing: With detailed data available in inventory records, EAs empower better decision-making and more precise compliance reporting.  
    • Cross-Team Value: Aside IT, security and compliance teams benefit from EAs by leveraging custom reports for governance and audit trails.  

Conclusion

Jamf Extension Attributes transform device management from reactive oversight into proactive control. By extending the reach of inventory data and automating custom checks, EAs empower IT teams to enforce company policy, track assets with precision, and meet compliance requirements in the continuously evolving Apple ecosystem.  

For organizations who take their Apple fleet management seriously, Extension Attributes are not just an enhancement—they are a strategic necessity. 

9 Comments
Chubs
Contributor II
‎05-22-2025 11:56 AM
‎05-22-2025 11:56 AM

Can also use EAs for dynamic "attributes" for user opt-in...for instance, users that want to be part of a beta/preview update ring....or how about setting a user opt-in (into a smart group) for a jamf app catalog installer?

We have a standardized plist that we edit and the EAs all read from that same plist via a SS script that is picked up in an EA.  It's clean, easy to understand, simple to manipulate, and isn't persistent (should devices get wiped, etc.).

Lots of "cool" things can be done with these.  Now, let's talk about MOBILE extension attributes - as this article seems to be postured directly at macOS...

Jordy-Thery
Contributor III
‎05-22-2025 12:09 PM
‎05-22-2025 12:09 PM

👌🏻🙌🏻 Yay for extention attributes.

peterlbk
Contributor II
‎05-22-2025 12:39 PM
‎05-22-2025 12:39 PM

@Chubs , indeed. We also have some early adopters groups where people can opt-in and opt-out via an extension attribute. Works really well.

bcbackes
Contributor III
‎05-22-2025 12:43 PM
‎05-22-2025 12:43 PM

I'd be interested in adding in a workflow for user to opt in and out of beta testing. Any have any links to documentation?

0 Kudos
Person
New Contributor III
‎05-22-2025 01:10 PM
‎05-22-2025 01:10 PM

I typically just leverage Jamf’s native capabilities, but it’s nice that Extension Attributes can also integrate with external automation tools for approval workflows. Once approved, devices can be automatically assigned to tasks based on those Extension Attributes and not have worry about manual intervention.

0 Kudos
peterlbk
Contributor II
‎05-22-2025 11:09 PM
‎05-22-2025 11:09 PM

@bcbackes Out setup is not really documented for the moment. You can however check out the @dan-snelson  setup - or get at least inspired by his work.

 

 

https://snelson.us/2022/10/beta-test-opt-in-opt-out-via-self-service/

0 Kudos
PaulHazelden
Valued Contributor
‎05-23-2025 01:07 AM
‎05-23-2025 01:07 AM

I run Extension Attributes for...
Information Collection, Some of these are not used for Groups, but are there simply to provide information not in the normal inventory. Others provide me with group membership.
As a part of the inital setup, I have EA's looking for Files I create during the setup, these will adjust membership of groups. E.G. I tend to want the Jamf Connect setup to be one of the last things in the setup process - If they cant log in, they cant complain about software that hasnt installed yet. So I use an EA to look for a file I drop on the Mac, once found the EA will then report and change membership of a group. I use similar for other parts of the setup process, to control when things happen. 

I wouldnt want to work without them.

0 Kudos
bethjohnson
Contributor
‎05-23-2025 12:11 PM
‎05-23-2025 12:11 PM

@bcbackes here's how we do it, with just some simple workflow using Self Service policies:

  • Established a plist file that we use to store various informational keys (in this case, the key is "PatchCycle" and string values are "Early Adopters, Production, Exempt" etc.
  • The plist file lives in a system location (/Library/Preferences/{our org name in reverse DNS}.inventory
  • A Jamf policy scoped to potential members (excluding current members) simply uses a Files and Processes payload to write the value: /usr/bin/defaults write /Library/Preferences/{our plist} PatchCycle -string "Early Adopters"
  • Extension Attributes read the key from that plist, and we have a Smart Group for each potential value of that file.
  • The policy includes an Inventory payload so the membership updates right away and also drops a file with information about the program on the logged in user's desktop.
  • A reverse policy to write the key to Production is scoped to members of the Early Adopters group, so users can join or leave at any time.
0 Kudos
rastogisagar123
Contributor II
‎06-09-2025 07:36 PM
‎06-09-2025 07:36 PM

EA are very powerful utility, if its used in a right way

0 Kudos
Contributors