Please consider amending this section of the Jamf Pro Deployment page as follows, to help contextualize the suggestion about limiting the API account's privileges.
Configuration Profile payload for API service account
A valid Jamf Pro API credential is required for super to push software updates via MDM commands. This is required for Apple Silicon Macs. The super script will automatically handle the generation and invalidation of the bearer token with Jamf.
By default, the API account should be given "Computers: Read" permissions. For added security, if you want to restrict that account from reading computer records at all, you must deploy a Configuration Profile that contains the computer's Jamf Pro device ID ($JSSID) as a managed preference. This will save super from having to separately poll Jamf to obtain the computer ID.