Skip to main content

Jamf Workplace Auto Sign-in

Connect your MDM to Envoy to detect when employees are at the workplace.

Updated today

Overview

Envoy’s Auto sign-in via Jamf integration helps organizations automatically detect when employees are in the workplace using their managed devices. By integrating with your mobile device management (MDM) platform, Envoy can confirm device activity and network location to infer on-site presence without requiring manual check-ins.

How does this integration work?

When a managed device reports activity through Jamf, such as a login, startup, or network connection, Envoy evaluates that signal and verifies whether the device is connected to your office network. If the device activity matches your office location, Envoy can automatically mark the employee as on-site.

PREREQUISITES

  • JAMF Pro account

  • JAMF Administrator privileges

Enabling the Jamf + Envoy integration

Step 1: Create a Jamf Pro API Role and Client

  1. In Jamf Pro, click Settings in the sidebar.

  2. In the System section, click API roles and clients.

  3. The APl Role tab should be opened by default. Click + New.

    image-20260126-235900.png

  4. Enter a display name for the API client.

  5. Give your new role (at minimum) the permissions to Create, Delete and Read webhooks.

    image-20260122-224826.png

  6. Click Save when all permissions are added. Now we need to create an API client based on that role.

  7. Navigate to the API Clients tab, then click + New.

    image-20260127-000622.png

  8. Give the new API Client a name (suggested: Envoy Presence), add the API role you just created, and set the Access Token lifetime to 60.

  9. Click Enable API Client.

  10. Once your client is created, you can generate a client secret. This will only be shown once, so make sure to save this in a secure location. You will be using this code in the next step.

Step 2: Install the Jamf app in the Envoy Dashboard

  1. In the Envoy web dashboard, navigate to Integrations, then search for Jamf. Click Install.

  2. Once the integration is added, click Connect Account. This launches the connection window.

  3. Enter your Client ID, Client Secret (retrieved in the previous step), and Jamf server URL. Click Save.

  4. Once connected, proceed to the Workplace Configuration step. Here, you'll select the corresponding Envoy location and provide the CIDR block that matches your location's network.

  5. Click Complete Setup.

Viewing auto check-in results

Once your integration installation is complete, navigate to Workplace > Access log. For any signals sent by this integration, "Jamf" will be listed in the Integration name column. Only successful authentications are logged within Envoy and counted towards sign-ins; any errors, interruptions, or warnings are filtered out.

If Jamf is the first signal received from that employee, it will create a sign-in entry in the Employee log, with the check-in listing via MDM event.

FAQ

How does this work with a VPN?

  • Jamf does not detect VPN usage. The information Envoy receives from Jamf regarding network data is the MAC address, IP address, and the last reported IP address.

Related Articles
Supported Hardware for Envoy Workplace
Workplace billing
Envoy Workplace
Okta Auto check-in for Workplace
Entra ID Auto Check-in for Workplace
Did this answer your question?