macOS - Software Lifecycle - JAMF List Software Plans

What the JAMF software plan retriever does

This Automox Worklet™ queries your JAMF API to retrieve managed software update plans assigned to endpoints based on a configurable tag. The Worklet uses the WDK command-line interface to communicate securely with your JAMF instance, authenticating with stored API credentials and returning plan details in structured format.

During the evaluation phase, the Worklet checks whether software update plans exist for tagged endpoints. If plans are found, it flags the endpoint for remediation. The remediation phase retrieves and outputs the full plan details, making them available for logging, reporting, or further automation.

Why retrieve JAMF software update plans

Tracking software update plan assignments across your macOS fleet is essential for compliance and patch management governance. This Worklet automates the discovery of which endpoints have which plans, giving your IT operations team visibility without manual console queries.

By integrating JAMF data into your Automox workflow, you can report on plan coverage, identify endpoints missing critical update plans, and coordinate patch deployment across both Automox and JAMF. This reduces configuration drift and maintains consistent update policies across your organization.

How JAMF plan retrieval works

1. Evaluation phase: The Worklet calls the WDK `mdm jamf plans` command with your configured tag (default: JAMF). The WDK authenticates to your JAMF API using stored credentials and checks whether any software update plans are associated with endpoints matching that tag. If the API returns zero plans, evaluation succeeds and no remediation is needed. If one or more plans exist, evaluation fails, triggering remediation.

2. Remediation phase: The Worklet executes the same WDK command to retrieve the complete list of software update plans. The plan data is output to standard output, where it can be captured for logging, reporting, or passed to downstream tools. If the API call fails, the error is logged to standard error and the Worklet exits gracefully.

JAMF plan retrieval requirements

• macOS endpoints (Server or Workstation)

• WDK version with JAMF MDM support installed on the endpoint

• JAMF API credentials stored as organization secrets: AX_JAMF_CLIENT_ID, AX_JAMF_CLIENT_SECRET, AX_JAMF_BASE_URL

• Automox credentials stored as organization secrets: AX_AUTOMOX_API_KEY, AX_AUTOMOX_ORG_UUID

• JAMF API client must have read permissions for computers and managed software updates

• Worklet policy must be scoped to a single endpoint to avoid unintended behavior

• PATCH_TAG parameter in the Worklet must match a tag assigned to your JAMF endpoints

Expected JAMF update plan output

After the Worklet runs remediation, the Activity Log contains the list of software update plans assigned to endpoints matching your configured tag. Each plan entry includes details such as plan name, scope, and target endpoints. This data can be captured for compliance reporting or piped to downstream monitoring and ticketing systems.

If no plans are found, remediation will output an empty result, indicating your tagged endpoints have no update plans currently assigned. If the Worklet encounters API authentication errors or network issues, the error message will be logged so your team can troubleshoot connectivity or credential configuration.

How to validate jamf list software plans changes

1. Run this Worklet on a pilot macOS endpoint and review evaluation output for jamf list software plans.

2. Confirm Automox activity logs show successful completion and exit code 0.

3. Verify endpoint state using checks aligned to evaluation script logic, such as WDK, return, OTTOQ.

4. Validate remediation effects from script operations such as WDK, return, cleanup, then rerun evaluation for compliance.