⭐ Add jamf provider #7144

Open
AdamVB wants to merge 11 commits into main from add-jamf-provider

@AdamVB AdamVB commented Apr 9, 2026

Summary

Adds a new Jamf Pro provider to mql, enabling querying of Jamf-managed infrastructure via the Jamf Pro API.

Usage

Connect using OAuth2 client credentials and your Jamf Pro instance domain:

mql shell jamf --client-id <CLIENT_ID> --client-secret <CLIENT_SECRET> --instance-domain https://yourdomain.jamfcloud.com

Credentials can also be provided via environment variables: CLIENT_ID, CLIENT_SECRET, INSTANCE_DOMAIN.

Example queries

# List all computers with their OS version and encryption status
jamf.computerInventory { name operatingSystemVersion fileVault2Enabled firewallEnabled }

# Check SSO configuration
jamf.sso { ssoEnabled ssoForEnrollmentEnabled idpProviderType }

# Look up a specific user
jamf.userByName("jsmith") { fullName email position }

# List smart groups
jamf.smartGroups { name smartGroup }

# Get installed packages
jamf.packages { name fileName priority }

# Check Jamf Pro version
jamf.version

New resources

| Resource | Description |
| --- | --- |
| jamf | Root resource — provides access to inventory, packages, SSO, users, smart groups, and version |
| jamfComputer | Computer inventory record (hardware, OS, security settings, enrollment info) |
| jamfComputer.localUserAccounts | Local user accounts on a managed computer (lazy-loaded per computer) |
| jamf.userByName | Look up a Jamf user by username (supports init for direct queries) |
| jamfUsers | User summary (id, name) |
| jamfPackages | Software package definition (name, file, category, priority) |
| ssoSettings | SSO configuration (provider type, enrollment settings, session timeout) |
| computerGroups | Smart/static computer groups |

github-actions Bot commented Apr 9, 2026

Test Results

6 128 tests  ±0   6 124 ✅ ±0   2m 12s ⏱️ +3s
  440 suites ±0       4 💤 ±0 
   35 files   ±0       0 ❌ ±0 

Results for commit 254ecc0. ± Comparison against base commit fb07cfe.

♻️ This comment has been updated with latest results.

@AdamVB AdamVB marked this pull request as ready for review April 9, 2026 15:44
vjeffrey commented Apr 9, 2026

/review

@mondoo-code-review mondoo-code-review Bot left a comment

New Jamf provider may panic on nil pointer dereferences when API returns nil optional fields, and SSO field naming violates MQL conventions.

Comment thread providers/jamf/resources/packages.go Outdated
Comment thread providers/jamf/resources/version.go
Comment thread providers/jamf/resources/jamf.lr
Comment thread providers/jamf/resources/computer_inventory.go
Comment thread providers/jamf/resources/computer_inventory_count.go Outdated
Comment thread providers/jamf/resources/jamf.lr
Comment thread providers/jamf/resources/jamf.lr
@mondoo-code-review mondoo-code-review Bot dismissed their stale review April 9, 2026 16:05

Superseded by new review

@mondoo-code-review mondoo-code-review Bot left a comment

Previous review findings (nil panic, naming conventions, typo, id bug) are all addressed; date fields remain as strings.

Comment thread providers/jamf/resources/jamf.lr
@tas50 tas50 changed the title Add jamf provider ⭐ Add jamf provider Apr 9, 2026
@tas50 tas50 left a comment

Review: Nil Handling, Performance, and Logic

Nil Handling

1. No nil checks on any API response. Every resource file dereferences the SDK return value without checking for nil. If any Jamf SDK method returns (nil, nil), these all panic:

  • sso_settings.go: info.SsoEnabled
  • computer_inventory.go: inventory.Results
  • computer_inventory.go:localUserAccounts(): inventory.LocalUserAccounts
  • computer_groups.go: groups.Results
  • users.go: users.Users
  • packages.go: inventory.Results
  • user_by_name.go: user.ID, user.Name, etc.
  • version.go: info.Version is nil-checked, but info itself is not

2. Nested struct dereferences in computer_inventory.go. c.General.Name, c.Hardware.Make, c.OperatingSystem.Name, c.Security.AutoLoginDisabled — if any sub-struct (General, Hardware, OperatingSystem, Security) is nil, this panics. The Jamf API can return partial records.

3. sso() returns a singular resource pointer (*mqlSsoSettings). If this ever needs to return nil (e.g., SSO not configured, access denied), it must set a.Sso.State = plugin.StateIsSet | plugin.StateIsNull before return nil, nil. See CLAUDE.md "Never return nil, nil from a singular resource accessor without setting StateIsNull first."

Logic Errors

4. ParseCLI leaks client secret into plaintext conf.Options. (provider.go:55-56):

conf.Options["client_secret"] = clientSecret

The secret already flows through conf.Credentials — storing it again in Options means it could be logged, serialized, or exposed in debug output. Remove client_id and client_secret from conf.Options.

5. ParseCLI env var fallback is tangled. (provider.go:60-74) When credentials come from env vars, the local variables are populated but conf.Options is only partially updated. Consider restructuring: resolve all sources (flags then env) first, then populate conf once at the end.

6. __id is never set in any CreateResource call. Per codebase conventions, __id must be explicitly set for caching. Without it, the runtime can't cache resources and the same API object fetched twice won't get a cache hit. Every CreateResource call needs:

"__id": llx.StringData("some-unique-stable-id"),

7. Fragile id() cache keys — using names instead of unique IDs.

  • mqlComputerGroups.id() returns Name.Data — group names aren't guaranteed unique
  • mqlJamfPackages.id() returns Name.Data — package names can collide
  • mqlJamfUsers.id() returns Name.Data — should use numeric ID (strconv.Itoa)

Use the actual unique ID field (formatted as string) for reliable caching.

8. Resource naming inconsistency in jamf.lr. Mixed prefixing and pluralization: jamfComputer, jamfPackages (plural), jamfUsers (plural), ssoSettings (no prefix), computerGroups (no prefix). Resource types should be singular and consistently named.

Performance

9. computerInventory() has no pagination. (computer_inventory.go:24) GetComputersInventory(url.Values{}) is called with empty params. The Jamf Pro inventory API is paginated — this will silently return only the first page. Customers with more computers than the default page size will get incomplete data. Must loop with page/page-size params.

10. computerInventoryCount() fetches ALL inventory records just to count them. (computer_inventory_count.go) It calls r.GetComputerInventory() which triggers the full inventory fetch, then counts the slice length. Jamf has a dedicated count endpoint — use it instead.

11. localUserAccounts() triggers N+1 API calls. Each jamfComputer.localUserAccounts call hits GetComputerInventoryByID. When iterating all computers' accounts, that's N additional API calls. Consider fetching local accounts in the initial inventory call if the SDK supports a section filter.
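
Items 4 and 5 of the review above, sketched as an added example (not code from this pull request or the mql project): every source is resolved first, flags before environment, and the config is populated once, with the client ID and secret kept out of the plaintext options. `Config`, `Credential`, `resolve` and `BuildConfig` are hypothetical stand-ins for the provider's config types and `ParseCLI`; the flag and environment variable names are the ones in the PR description.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// Credential and Config are hypothetical stand-ins for the provider's types.
// Options is plain text that may be logged or serialized; Credential is not.
type Credential struct{ User, Secret string }

type Config struct {
	Options    map[string]string
	Credential Credential
}

// resolve prefers the CLI flag and falls back to the environment variable.
func resolve(flags map[string]string, flag string, env func(string) string, key string) string {
	if v := flags[flag]; v != "" {
		return v
	}
	return env(key)
}

// BuildConfig resolves every source first (flags, then env), validates, and
// only then populates the config once. Neither client id nor secret is
// copied into Options.
func BuildConfig(flags map[string]string, env func(string) string) (*Config, error) {
	id := resolve(flags, "client-id", env, "CLIENT_ID")
	secret := resolve(flags, "client-secret", env, "CLIENT_SECRET")
	domain := resolve(flags, "instance-domain", env, "INSTANCE_DOMAIN")
	if id == "" || secret == "" || domain == "" {
		return nil, errors.New("client id, client secret and instance domain are required")
	}
	return &Config{
		Options:    map[string]string{"instance_domain": domain},
		Credential: Credential{User: id, Secret: secret},
	}, nil
}

func main() {
	// Constructed sample input: the id comes from a flag, the rest from env.
	conf, err := BuildConfig(map[string]string{"client-id": "example-id"}, os.Getenv)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("options safe to log:", conf.Options)
}
```

Passing the environment lookup as a function keeps the flag-then-env precedence testable without touching the real process environment.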

Update provider ID from cnquery/v9 to mql/v13 in config.go and jamf.lr.
Fix scan example to use cnspec instead of mql.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tas50 tas50 left a comment

Address the issues in the comment and let's see if we can get a testing doc for the provider in place so it's easy for folks to check this.

Also it needs tests.
