Retrieve members of static, smart computer groups and members of reports

  • July 19, 2024

Hi

I apologize in advance if that question was asked but I cannot find answers :(

I need to retrieve the following information through the API:

1. Retrieve members through the API from static computer groups - I need to list the computer names that belong to specific computer groups. All I'm able to find is how to list computer groups, but not how to retrieve members.

# Endpoint to retrieve computer groups
$computerGroupsUrl = "$jamfUrl/api/v1/computer-groups"

# Request computer groups
$responseComputerGroups = Invoke-RestMethod -Uri $computerGroupsUrl -Method Get -Headers $headers -ErrorAction Stop

 

2. Retrieve members through the API from smart computer groups - I need to list the computer names that belong to specific computer groups

 

3. Retrieve data through the API from "reports" found under "Search inventory"

  • New Contributor
  • July 22, 2024

Do you already know the static groups you need the members of? Or do you need to read ALL computer groups, determine which ones are static, then output the members of all of them? Or do you have like 8 static groups and you just want an API script that will list the members?


Tangentism
  • Honored Contributor
  • July 30, 2024

If it's just 1 group then you can do the following. You will need to install JQ (https://jqlang.github.io/jq/download/) as I use this to easily manipulate JSON datasets I get back from the API.

If you use this in Jamf, you need to set up an API client & roles, then add the following script parameters:

4: Jamf URL
5: Client ID
6: Client Secret
7: Device group ID

If you want to enter more than one group, then adapt how it reads parameter 7 and add it to an array instead of a variable, then loop through it to get each group and assign the results to a new array.

 

#!/usr/bin/env zsh

# -----------------------------------------------------------------------------
# PREREQUISITES
# -----------------------------------------------------------------------------

# Get the logged in user
ConsoleUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')

# Log Path
log_path="/Users/${ConsoleUser}/Library/Logs/ComputerGroupReport.log"

# Create log file if it doesnt exist
[[ ! -f "${log_path}" ]] && touch "${log_path}"

# Set up logging
log_message() {
    echo "$(date '+%F %X'): $1" | tee -a "$log_path"
}

# -----------------------------------------------------------------------------
# SCRIPT PARAMETERS
# -----------------------------------------------------------------------------

# JAMF Cloud details
jamf_url="${4:-}"

# API login details
client_id="${5:-}"
client_secret="${6:-}"

# Computer group ID
device_group="${7:-}"

# Exit only when no group ID was passed in parameter 7
if [[ -z "$device_group" ]]; then
    log_message "No group provided. Exiting."
    exit 1
else
    log_message "Group provided: $device_group"
fi

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# FUNCTIONS
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# -----------------------------------------------------------------------------
# API AUTHENTICATION
# -----------------------------------------------------------------------------

# Establish API token. API session is set in API client and roles section
get_access_token() {
    response=$(/usr/bin/curl \
        --silent \
        --location \
        --request POST "${jamf_url}/api/oauth/token" \
        --header "Content-Type: application/x-www-form-urlencoded" \
        --data-urlencode "client_id=${client_id}" \
        --data-urlencode "grant_type=client_credentials" \
        --data-urlencode "client_secret=${client_secret}")
    current_epoch=$(date +%s)
    access_token=$(echo "$response" | plutil -extract access_token raw -)
    token_expires_in=$(echo "$response" | plutil -extract expires_in raw -)
    token_expiration_epoch=$(($current_epoch + $token_expires_in - 1))
}

check_token_expiration() {
    current_epoch=$(date +%s)
    if [[ $token_expiration_epoch -ge $current_epoch ]]; then
        echo "Current epoch time: $current_epoch"
        echo "Token valid until the following epoch time: " "$token_expiration_epoch"
    else
        echo "No valid token available, getting new token"
        get_access_token
    fi
}

invalidate_token() {
    responseCode=$(/usr/bin/curl \
        -w "%{http_code}" \
        -H "Authorization: Bearer ${access_token}" "${jamf_url}/api/v1/auth/invalidate-token" \
        -X POST \
        -s -o /dev/null)
    if [[ ${responseCode} == 204 ]]; then
        echo "Token successfully invalidated"
        access_token=""
        token_expiration_epoch="0"
    elif [[ ${responseCode} == 401 ]]; then
        echo "Token already invalid"
    else
        echo "An unknown error occurred invalidating the token"
    fi
}

# -----------------------------------------------------------------------------
# FUNCTIONS: API CALLS
# -----------------------------------------------------------------------------

# Gets membership of computer group
get_device_group() {
    recovery_devices=$(/usr/bin/curl \
        --silent \
        --request GET \
        --header "Authorization: Bearer ${access_token}" \
        --header "Accept: application/json" \
        --url "${jamf_url}/JSSResource/computergroups/id/$device_group")
}

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# OPERATIONS
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Create an API token
get_access_token

# Read the computer group for computer IDs
get_device_group "$device_group"

### Display the raw data back from the API
echo "$recovery_devices" | jq -r .

### List only the computer names
echo "$recovery_devices" | jq -r '.[].computers[].name'
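
The multi-group adaptation suggested above, as an added example that is not part of the original post: it loops over several group IDs, labels each group smart or static, and collects computer names and serials for CSV output. The `fetch` hook, the `is_smart` field usage, and the sample replies are assumptions constructed for illustration; the group ID is checked to be numeric because it is interpolated into the request URL, and a reply that is not a group record (for example an error page) is reported instead of being parsed.

```python
import csv
import io
import json

# Constructed sample replies keyed by group ID, shaped like the
# /JSSResource/computergroups/id/<id> JSON the scripts on this page parse with jq.
SAMPLE_REPLIES = {
    "12": '{"computer_group": {"id": 12, "name": "Lab Macs", "is_smart": false,'
          ' "computers": [{"id": 1, "name": "LAB-01", "serial_number": "SERIAL0001"},'
          ' {"id": 2, "name": "LAB-02", "serial_number": "SERIAL0002"}]}}',
    "27": '{"computer_group": {"id": 27, "name": "Needs Update", "is_smart": true,'
          ' "computers": []}}',
    "99": "<html><body>Unauthorized</body></html>",  # error body, not JSON
}

def parse_group(raw):
    """Return (group_name, group_type, [(computer_name, serial), ...])."""
    try:
        group = json.loads(raw)["computer_group"]
        members = [(c["name"], c.get("serial_number", "")) for c in group["computers"]]
        kind = "smart" if group.get("is_smart") else "static"
        return group["name"], kind, members
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError("reply is not a computer group record") from exc

def collect(group_ids, fetch):
    """fetch(group_id) -> raw reply text; a hypothetical hook for the API call."""
    rows, failed = [], []
    for gid in group_ids:
        gid = gid.strip()
        # The ID is interpolated into the request URL, so accept digits only.
        if not gid.isdigit():
            failed.append(gid)
            continue
        try:
            name, kind, members = parse_group(fetch(gid))
        except ValueError:
            failed.append(gid)
            continue
        rows.extend((gid, name, kind, n, s) for n, s in members)
    return rows, failed

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["group_id", "group_name", "group_type", "computer_name", "serial_number"])
    writer.writerows(rows)
    return buf.getvalue()
```

In real use `fetch` would wrap the same authenticated GET the scripts issue with curl; here `SAMPLE_REPLIES.__getitem__` stands in for it.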

 


howie_isaacks
  • Esteemed Contributor
  • December 23, 2025

Here is a script I wrote for this. It uses the same API command as the one posted above. Near the bottom you can specify if you want the output to be written to a CSV. You can also change the file type to TXT.

#!/bin/zsh --no-rcs

:<<ABOUT_THIS_SCRIPT
---------------------------------------------------------------------------------------------------
Outputs the membership of the group specified in the "group_id" variable.

Output is computer serials

USAGE:

Option 1: Activate line 29. Deactivate lines 32-34
Enter a group ID (smart or static) into the variable "group_id".

Option 2: Activate lines 32-34. Deactivate line 29. Respond to prompt for group ID.

Use line 89 to specify if you want the group membership to be output to CSV.

12/23/2025 | Howie Canterbury
---------------------------------------------------------------------------------------------------
ABOUT_THIS_SCRIPT

##############################################
# Specify group ID by either filling it into #
# the value for "group_id" or when prompted. #
# Activate the appropriate lines below. #
##############################################

# Option 1
#group_id=""

# Option 2
echo "Enter group ID to check its membership."
printf "Group ID:"
read group_id
echo "Checking group ID ${group_id}"

##############################################
# JAMF PRO API LOGIN #
##############################################

url="YOUR_SERVER"
client_id="JAMF_PRO_API_CLIENT_ID"
client_secret="CLIENT_SECRET"
verify="" # Specify "yes" if you want your bearer token to be output to verify login info

# Jamf API authentication function
jamfAPI_auth() {
    response=$(curl --silent --location --request POST "${url}/api/oauth/token" \
        --header "Content-Type: application/x-www-form-urlencoded" \
        --data-urlencode "client_id=${client_id}" \
        --data-urlencode "grant_type=client_credentials" \
        --data-urlencode "client_secret=${client_secret}")
    token=$(echo "$response" | plutil -extract access_token raw -)
    token_expires_in=$(echo "$response" | plutil -extract expires_in raw -)
    token_expiration_epoch=$(($(date +%s) + $token_expires_in - 1)) # current_epoch was never set, so read the clock here
}

# Start authenticated API session
jamfAPI_auth

###############################################################################
# VALIDATE API LOGIN #
# The token and expiration time will be echoed into the script output #
# to verify that the API login credentials provided are working. #
###############################################################################

if [[ "$verify" == "yes" ]]; then
    echo "API token: ${token}"
    echo "Token expires in: ${token_expires_in} seconds"
fi

################################################
# OUTPUT LIST OF COMPUTERS IN SPECIFIED GROUP #
################################################

# Check and report group membership. Output list of computer serial numbers.
check_group_members=$(
    /usr/bin/curl --request GET \
        --header "Authorization: Bearer ${token}" \
        --header "Accept: application/json" \
        --url "${url}/JSSResource/computergroups/id/${group_id}"
)

# Output list of computers (serial numbers) that are members of the group
group_membership=$(echo "$check_group_members" | jq -r '.computer_group.computers[].serial_number' )
echo $group_membership

# Output to CSV?
output_to_csv="y" # Enter "y" if output to CSV is needed
if [[ "$output_to_csv" == "y" ]]; then
    currentUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }')
    for serial in "${group_membership[@]}"; do
        echo "${serial}" >> "/Users/${currentUser}/Desktop/Group_${group_id}_members.csv"
    done
fi

 


mattjerome
  • Jamf Heroes
  • December 24, 2025

You can also go at it the reverse way. Comb through computers and if the computer is in that group and the username matches what you want, add it to a list. That’s what I’d do. It’s far less complicated. If you can do Python, it’ll be easier with that.

Here’s a basic outline:

  1. Have a CSV of the usernames you need
  2. Have a script read the csv
  3. Call all computers with the group memberships
  4. If the username is in the list and the group you want is in computer groups, grab the data you want
  5. Output to a CSV or other desired destination.
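
The outline above carried through in Python, as an added example that is not part of the original post. The usernames file and inventory records are constructed, and the record field names (`general.name`, `userAndLocation.username`, `groupMemberships[].groupId`) are an assumption modelled on the Jamf Pro API computers-inventory sections USER_AND_LOCATION and GROUP_MEMBERSHIPS; check them against your own instance's API reference.

```python
import csv
import io

# Constructed usernames file (step 1) and constructed inventory records (step 3).
# Field names are assumed, not taken from the thread.
USERNAMES_CSV = "username\nalice\nBob \n\n"
INVENTORY = [
    {"general": {"name": "MBP-ALICE"},
     "userAndLocation": {"username": "Alice"},
     "groupMemberships": [{"groupId": "12", "groupName": "Lab Macs", "smartGroup": False}]},
    {"general": {"name": "MBP-BOB"},
     "userAndLocation": {"username": "bob"},
     "groupMemberships": [{"groupId": "27", "groupName": "Needs Update", "smartGroup": True}]},
    {"general": {"name": "MBP-SPARE"},
     "userAndLocation": {"username": None},  # unassigned computer
     "groupMemberships": [{"groupId": "12", "groupName": "Lab Macs", "smartGroup": False}]},
    {"general": {"name": "MBP-CAROL"},
     "userAndLocation": {"username": "carol"},  # in the group, not in the list
     "groupMemberships": [{"groupId": "12", "groupName": "Lab Macs", "smartGroup": False}]},
]

def load_usernames(text):
    """Step 2: read the CSV into a set, normalising case and whitespace."""
    reader = csv.DictReader(io.StringIO(text))
    names = {(row.get("username") or "").strip().lower() for row in reader}
    names.discard("")
    return names

def select(inventory, usernames, group_id):
    """Step 4: keep computers whose user is listed and that are in the group."""
    rows = []
    for rec in inventory:
        user = ((rec.get("userAndLocation") or {}).get("username") or "").strip().lower()
        group_ids = {str(g.get("groupId")) for g in rec.get("groupMemberships") or []}
        if user in usernames and str(group_id) in group_ids:
            rows.append({"computer_name": (rec.get("general") or {}).get("name", ""),
                         "username": user, "group_id": str(group_id)})
    return rows

def matches_to_csv(rows):
    """Step 5: serialise the matches as CSV text."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["computer_name", "username", "group_id"])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```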