Jamf Onboarding Overview

End-to-end onboarding workflow for IT admins deploying thoth governance across managed macOS fleets with Jamf Pro.

Use this guide when your IT or security team is onboarding thoth governance across employee Macs managed by Jamf Pro.

ℹ

Audience

This workflow is for your Jamf administrators and security engineers. Employees should not need to configure anything manually.

What thoth changes on employee Macs

After onboarding:

MCP tool calls from Claude Desktop are governed by thoth policy.
Session intent controls are enforced.
Endpoint behavior is visible through audit-ready telemetry.

Employee workflow in Claude Desktop should remain unchanged.

Onboarding values from thoth

Your thoth onboarding provides:

tenant_id
apex_domain
user identity mapping strategy for THOTH_USER_ID (must be valid email)

These values must be deployed through Jamf configuration, not hardcoded in scripts.

Prerequisites checklist

Jamf Pro permissions for scripts, packages, and policy assignments.
thoth onboarding values are available and validated.
Claude Desktop is already present on managed Macs.
Node.js baseline is deployed to managed Macs.
thoth binary baseline is deployed to managed Macs.

Recommended Jamf policy model

Use three policies in sequence:

Prerequisites policy: install/verify thoth, node, and npx.
Config policy: deploy onboarding values.
Setup policy: wrap Claude Desktop config and enable governed runtime.

This model lets your team rotate onboarding values without rebuilding installation baselines.

Jamf rollout pattern

Use staged scope:

Test smart group (1-5 devices)
Pilot smart group (5-15% of fleet)
Broad production rollout

Validate each stage with:

thoth health --json
thoth status

Jamf runbooks

Previous

Deployment Guides

Next

Jamf macOS Runbook

On this page

What thoth changes on employee Macs Onboarding values from thoth Prerequisites checklist Recommended Jamf policy model Jamf rollout pattern Jamf runbooks