User Roles and Groups in macOS Security
- Last Updated Oct 16, 2025
You can assign Jamf Protect users specific permissions based on user roles and groups. User roles can be configured locally in the Jamf Protect macOS security portal or by mapping groups from your cloud identity provider (IdP).
- User-based assignment—Roles can be directly assigned to a user by editing the user's settings.
- Group-based assignment—Groups allow you to configure roles for a group that can include one or more users directly in Jamf Protect.
- Identity provider mappings—Identity provider mappings allow you to use a group membership in your IdP to automatically assign roles to users in Jamf Protect.
The following shows how users can receive roles based on the available methods:

By default, there are two pre-configured roles in Jamf Protect. You can also create additional custom roles and manually assign permissions.
- Full Admin
- Can read and write all data and settings in Jamf Protect.
Note: New users are added to the Default group in Jamf Protect during their first sign-in, and this group is assigned the Full Admin role by default. To prevent lockout and sign-in errors, before you change the role of this group, make sure you are assigned the Full Admin role using another method, such as a user-based assignment or a group-based assignment from another group.
Roles with all permissions granted will also include all future permissions added by new Jamf Protect features.
- Read Only
- Can read all data and settings in Jamf Protect but cannot create or edit settings.
- Custom
- Can read or write a custom combination of settings configured within the role. Creating a custom role allows you to manually assign privileges to users.
You can assign roles to a group in Jamf Protect and then assign users to your group.
- In Jamf Protect, click .
- Click the Groups tab.
- Click Create Group.
- Name your group.
- Choose the roles you want to assign to members of the group from the Roles pop-up menu.
- Click Save.
Identity provider (IdP) mappings automatically assign roles to users based on IdP group membership, when Jamf Account SSO is used to log in to the macOS Security portal. When a user signs in, Jamf Account uses an ID token from the IdP to look for groups that are mapped to a role in macOS Security.
The Default group in the macOS Security portal is assigned the Full Admin role by default. New users are automatically added to the Default group during their initial sign-in. Before configuring roles, you should change the role of the Default group to Read Only or to a custom role, so that users are not all given Full Admin permissions upon sign-in.
Jamf Account configured as the SSO provider
The IdP group names used for mapping must contain the string jamf (case insensitive), unless an alternative filter is configured in Jamf Account
Users who are members of the group can sign in to the macOS Security portal using Jamf Account SSO and are assigned the roles associated with their identity provider groups, as specified in the mappings.
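The following added example (not Jamf code, and not using any Jamf API) models the three assignment methods and the Default group described above, to check who holds Full Admin before and after the Default group's role is changed. It assumes that effective roles are the union of all methods and that mappings are looked up by exact group name; all user, group and field names are hypothetical.

```python
# Added illustration with constructed data; it does not call any Jamf API.
# Assumption: effective roles are the union of roles from all three methods.
FULL_ADMIN = "Full Admin"

def idp_roles(token_groups, mappings, name_filter="jamf"):
    """Roles from IdP mappings; group names lacking the filter string are ignored."""
    roles = set()
    for group in token_groups:
        if name_filter.lower() in group.lower():  # case-insensitive match
            roles |= set(mappings.get(group, ()))  # assumption: exact-name lookup
    return roles

def effective_roles(user, cfg):
    roles = set(cfg["user_roles"].get(user["name"], ()))        # user-based
    for group, members in cfg["group_members"].items():         # group-based
        if user["name"] in members:
            roles |= set(cfg["group_roles"].get(group, ()))
    roles |= set(cfg["group_roles"].get("Default", ()))         # joined at first sign-in
    return roles | idp_roles(user.get("idp_groups", ()), cfg["idp_mappings"])

def full_admins(users, cfg):
    return sorted(u["name"] for u in users if FULL_ADMIN in effective_roles(u, cfg))

def admins_after_default_change(users, cfg, new_role="Read Only"):
    """Full Admins left once Default gets new_role; an empty list means lockout."""
    changed = dict(cfg, group_roles=dict(cfg["group_roles"], Default=[new_role]))
    return full_admins(users, changed)

# Constructed sample tenant (all names hypothetical).
USERS = [
    {"name": "alice", "idp_groups": ["Jamf-Protect-Admins", "Engineering"]},
    {"name": "bob", "idp_groups": ["SecOps-Admins"]},  # no "jamf": filtered out
    {"name": "carol", "idp_groups": []},
]
CFG = {
    "user_roles": {"carol": ["Read Only"]},
    "group_members": {"Analysts": {"bob"}},
    "group_roles": {"Default": [FULL_ADMIN], "Analysts": ["Read Only"]},
    "idp_mappings": {"Jamf-Protect-Admins": [FULL_ADMIN],
                     "SecOps-Admins": [FULL_ADMIN]},
}

if __name__ == "__main__":
    print("Full Admins now:", full_admins(USERS, CFG))
    print("After Default -> Read Only:", admins_after_default_change(USERS, CFG))
```

In this sample, bob's mapping never applies because his IdP group name does not contain jamf, so alice is the only Full Admin left once the Default group is changed.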
