Question

Just got access to Blueprints by turning on SSO, Missing App installs, macOS update enforcement

  • February 25, 2026
  • 3 replies
  • 58 views


As the title says, I just got access to blueprints and am eager to start learning this, but right away I notice I'm missing things. Jamf chat box told me this:
You'll need the Cloud Services Connection (Read) privilege in addition to your existing Blueprint permissions. This privilege is required for app installation functionality within Blueprints. To resolve this, you can:

  • Contact your Jamf Pro administrator to add the Cloud Services Connection (Read) privilege to your user account
  • If you have a custom privilege set, ensure it includes both Blueprint permissions and Cloud Services Connection access

Once these privileges are added, you should be able to access app installation features alongside the declarative configurations you're currently seeing.

Now after checking everything and confirming with ChatGPT, I am being told App installations in Blueprints are not Enabled at the Tenant Level. Something about being a Backend feature flag.

I am unsure how to proceed with this. Any help will be greatly appreciated.

3 replies

FerrisBNA
  • New Contributor
  • February 26, 2026

I wish I had the answer for you. I’ve been afraid to make the SSO changes to enable Blueprints since I’m not clear what will be affected.

-Pat


talkingmoose
  • Community Manager
  • February 26, 2026

Unfortunately, what Jamf’s AI chat assistant told you is only partially correct.

A few things:

First, the Cloud Services connection is automatic, and there’s nothing for you to configure. You can verify it’s connected by viewing Jamf Pro Settings > Global > Cloud Services connection. So long as it’s enabled, there’s nothing to do.

Second, Apple has made app deployment using declarative management possible. However, Jamf hasn’t yet rolled it out to all its products.

Earlier this month, Jamf released Elevate, which is a unified frontend for Jamf Pro, Jamf Protect, and Jamf Security Cloud. It’s not a new product but rather a simplified interface for these three products. And it does support deploying apps using declarative management, which is what blueprints use in Jamf Pro.

That feature is only available while using Elevate, though, and Elevate is only rolling out right now to new small business customers as a simplified setup tool. So, you won’t see it in Jamf Pro.

So, where does that leave you? Right now, for existing Jamf Pro customers without Elevate, it’s not available. I think it’s safe to say if the work is done in Elevate, then it’s only a matter of time before we see it come to Jamf Pro. I can’t speak to the timeline.

Finally, keep in mind third-party AI tools like ChatGPT have a much larger language model than something Jamf would have used to train its own AI Assistant. Take anything with a grain of salt when using any AI. (Or even a canister of salt.) Rely on published documentation instead, and pay attention to Jamf Pro release notes to get the most accurate information about Jamf products.

I’m so sorry for the confusion this has caused you!


just_a_pm
  • New Contributor
  • February 27, 2026

Hey @sspangler1 — sorry for the confusion. I'm Ty, the Product Manager for AI Assistant at Jamf. Posts like this help us find where things aren't working.

1. The guidance about "Cloud Services Connection (Read)" privilege doesn't match how AI Assistant works here. That response may have come from a different chat interface — we're looking into it. For Blueprints access, open a support ticket so the team can check your tenant's agreement status directly.

2. Blueprints in Jamf Pro and app installation within Blueprints are separate things. You can have access to Blueprints without app installs being enabled for your tenant. That's an availability question, not a privilege one, and separate from what @talkingmoose described about Elevate.

3. AI Assistant is built on Claude (Anthropic's model) via AWS Bedrock. Jamf doesn't train a custom model — customer data is never used for training. On top of that, Jamf adds a knowledge layer: AI Assistant searches Jamf documentation, support cases, community posts, and Apple resources, then synthesizes a single answer — context a general-purpose tool doesn't have. It can still get things wrong. Verify anything access- or configuration-related against documentation or support. If you want the full technical and security details: https://www.jamf.com/resources/technical-papers/ai-assistant-architecture-security/

 

--------


@FerrisBNA — the hesitation makes sense, and Jamf documentation gives a clear picture of what's actually involved.

End-user authentication for enrollment and Self Service is completely unaffected. The official docs are explicit — "End user authentication for enrollment and Self Service can continue to use SAML" after enabling OIDC for administrators.

The admin-side transition isn't gradual (it's a complete cutover from your existing SAML-based SSO configuration). Jamf recommends testing in a non-production environment first, planning a maintenance window, and saving your failover URL before making any changes so you can recover if something goes wrong.

Worth doing, and worth planning first. Full guide here: https://learn.jamf.com/en-US/bundle/technical-articles/page/Transitioning_Jamf_Pro_from_SAML-Based_SSO_to_OIDC-Based_SSO_through_Jamf_Account.html

If you want a guided walkthrough, your Jamf account team can help you plan the cutover.