macOS MDM as Code

Shifting from GUI management to Declarative Infrastructure for Apple Fleets.

  • Provider: Jamf Platform. Resources are orchestrated through the Jamf-Concepts Terraform provider.
  • Declarative: HCL / OpenTofu. The fleet's intended state is declared in HCL; the provider handles the API calls.
  • Workflow: GitOps / CI. Terraform plan/apply cycles are triggered by pull requests, so no manual GUI changes are made.

The IaC Evolution

This moves away from manual, click-through configuration. By treating Jamf Pro as a Terraform-managed platform, I ensure that Smart Groups, Policies, and Configuration Profiles are versioned, peer-reviewed, and consistently deployed across environments.

  • Standardized resource naming via HCL modules
  • State management for drift detection in MDM settings
  • Automated rollback capabilities via Git history
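The plan/apply cycle and the drift-detection bullet above, as an added example that is not part of the original page: a small POSIX shell CI gate that runs `terraform plan -detailed-exitcode` and turns its exit code into a job verdict. It assumes terraform (or tofu, via `TF_BIN=tofu`) is on PATH and the provider is already authenticated to the Jamf tenant through its environment variables; `CI_BRANCH`, `ci.tfplan` and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: a CI drift gate for a
# Terraform-managed Jamf tenant, run from the directory holding main.tf.
# Assumes terraform (or tofu, via TF_BIN=tofu) is on PATH and the provider is
# already authenticated to the Jamf tenant through its environment variables.

# `terraform plan -detailed-exitcode` exits 0 when Jamf already matches the
# declared state, 1 on error, and 2 when a change is pending. On the main
# branch a 2 means the tenant no longer matches Git, typically a Smart Group,
# Policy or Profile edited in the GUI; on a PR branch it is the expected diff.
classify_plan_exit() {
  case "$1" in
    0) echo "in-sync" ;;
    2) echo "changes-pending" ;;
    *) echo "error" ;;
  esac
}

# Run the plan without prompting and print the classified status.
# The if/else keeps a non-zero exit from aborting the script under set -e.
run_plan() {
  tf="${TF_BIN:-terraform}"
  if "$tf" plan -detailed-exitcode -input=false -out=ci.tfplan >/dev/null 2>&1; then
    rc=0
  else
    rc=$?
  fi
  classify_plan_exit "$rc"
}

# CI verdict: exit 0 to pass the job, 1 to fail it, with the reason on stdout.
# branch: "main" for the scheduled drift-detection job, any other for a PR.
ci_verdict() {
  case "$1:$2" in
    *:error)              echo "FAIL: plan failed, check provider credentials and API access"; return 1 ;;
    main:changes-pending) echo "FAIL: drift detected, re-apply from Git or revert the GUI change"; return 1 ;;
    main:in-sync)         echo "PASS: tenant matches Git"; return 0 ;;
    *:changes-pending)    echo "PASS: plan saved to ci.tfplan for review"; return 0 ;;
    *)                    echo "PASS: no-op change"; return 0 ;;
  esac
}

# Typical CI invocation (CI_BRANCH is a placeholder for your CI's branch variable):
#   ci_verdict "$CI_BRANCH" "$(run_plan)"
```

On a merged PR the saved `ci.tfplan` is what `terraform apply ci.tfplan` consumes, so the applied change is exactly the reviewed one; a rollback is a `git revert` followed by the same plan/apply cycle.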

Declarative Jamf Configuration

main.tf
# Smart Group: every enrolled Mac whose model name contains "Mac".
# Smart Groups re-evaluate their criteria continuously, so new enrollments
# join the scope without anyone editing the group.
resource "jamf_computer_group" "macos_fleet" {
  name     = "All Managed macOS"
  is_smart = true

  criteria {
    name        = "Model"
    priority    = 0
    and_or      = "and"
    search_type = "like"
    value       = "Mac"
  }
}

# Baseline security module scoped to the Smart Group above. Passing the
# group ID as a reference lets Terraform create the group first and
# re-scope the module if the group is ever replaced.
module "baseline_security" {
  source            = "./modules/macos-security"
  target_group_id   = jamf_computer_group.macos_fleet.id
  enforce_filevault = true
}

Example using the Jamf Platform Terraform provider to define a Smart Group and a baseline security module scoped to it.