Getting Started with Nexus

Add your Jamf Pro server and start managing your fleet in under 2 minutes.

System Requirements

  • macOS 14 (Sonoma) or later
  • Jamf Pro 10.35 or later
  • An active Nexus subscription (or 7-day free trial)

Step 1: Download Nexus

Download Nexus from the Mac App Store. Tap Get to start your free 7-day trial. No payment is charged until the trial ends.

Step 2: Add Your Jamf Server

When you first launch Nexus, you'll see the “No servers added yet” screen.

  1. Click Add Jamf Server
  2. Enter a profile name (e.g. “Production”)
  3. Enter your Jamf Pro URL (e.g. https://yourcompany.jamfcloud.com)
  4. Enter your API Client ID and Client Secret (OAuth2)
  5. Click Save Server

Step 3: Create an API Client in Jamf Pro

Nexus connects using OAuth2 API credentials — not legacy Basic Auth. Here's how to create them:

  1. In Jamf Pro, go to Settings → System → API Roles and Clients
  2. Create a new API Role with the permissions listed below
  3. Create a new API Client using that role
  4. Copy the Client ID and generate a Client Secret
  5. Paste both into Nexus

Note: Nexus uses Jamf API bearer tokens (OAuth2), not the legacy username/password Basic Auth. Bearer tokens are automatically refreshed by Nexus before they expire — you never need to re-authenticate manually. Nexus will show a warning in the dashboard if a token is approaching expiry and cannot be refreshed automatically.

Required Jamf Pro Permissions

Create an API Role in Jamf Pro with the following privileges. All are read-only unless noted — Nexus is designed to be a read-first tool that makes surgical changes only when you explicitly request them.

Permission | Access Level | Used By
Computers | Read | Device Lookup, Fleet Commander, Ghost Hunter, Scope Inspector
Mobile Devices | Read | Device Lookup, Smart Groups (mobile), Scope Inspector
Policies | Read | Ghost Hunter, EA Scanner, Blast Radius, Scope Inspector
Scripts | Read + Write* | Script Library, Ghost Hunter (* Write only needed for in-app editing)
Smart Computer Groups | Read | Smart Groups, Scope Inspector, EA Scanner, Ghost Hunter
Smart Device Groups | Read | Smart Groups (mobile tab), Scope Inspector
Configuration Profiles | Read | Scope Inspector, Ghost Hunter, Blast Radius
Extension Attributes | Read | EA Scanner, Ghost Hunter, Blast Radius
Patch Management Titles | Read | Patch Compliance, Scope Inspector
Categories | Read | Script Library, Ghost Hunter filtering
MDM Commands | Create | Device Lookup (Lock, Restart, Wipe, etc.), Fleet Commander

Note: Script Write access is only required if you use the in-app editor to save changes back to Jamf Pro. If you use Script Library in read-only mode (browse, copy, export), Script Read is sufficient.

Step 4: Connect

Click Save Server — Nexus validates your credentials and loads your fleet. The Dashboard opens automatically once the connection is confirmed.

If the connection fails, check the following:

  • Your Jamf Pro URL must not have a trailing slash (use https://example.jamfcloud.com, not https://example.jamfcloud.com/)
  • Your API Client must be enabled in Jamf Pro — disabled clients return auth errors even with valid credentials
  • The Client Secret is only shown once when generated — if you didn't copy it, generate a new one
  • Firewall or proxy rules may block outbound connections from the Mac running Nexus to your Jamf Pro URL

Multi-server Profiles

Nexus supports connecting to an unlimited number of Jamf Pro servers. This is useful for organizations managing multiple Jamf instances — production and staging environments, separate tenants for different business units, or multiple client environments for MSPs.

To add additional servers:

  1. Click the server name at the top of the sidebar (or the menu bar icon if using menu bar mode)
  2. Select Add Server from the profile switcher
  3. Enter a distinct profile name (e.g. “Staging”, “Client A”) and the server URL and credentials
  4. Click Save Server

Switch between servers instantly by clicking the server name in the sidebar and selecting from the profile list. Nexus loads the new server's data without requiring a relaunch. Each server profile has its own independent scan history, dismissed Ghost Hunter items, and settings.

API Token Management

Nexus manages Jamf API bearer tokens automatically. When you save a server profile, Nexus immediately exchanges your Client ID and Client Secret for a bearer token, which is used for all subsequent API calls.

Token behavior:

  • Automatic refresh — Nexus refreshes tokens before they expire without any user interaction required
  • Expiry warning — if a token is within 10 minutes of expiry and Nexus cannot refresh it (e.g., no network connection), a yellow warning banner appears in the dashboard
  • Re-auth without re-entering credentials — if a token expires and cannot be refreshed, Nexus uses the stored Client Secret from the Keychain to obtain a new token automatically
  • Keychain storage — all credentials (Client ID, Client Secret, and current bearer token) are stored exclusively in the macOS Keychain. They are never written to disk in plain text or sent to any third-party service.

Note: Nexus stores your API credentials exclusively in the macOS Keychain — the same encrypted store used by Safari and iCloud Keychain. Your credentials never leave your Mac.
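
The token behavior listed above, together with the trailing-slash rule from Step 4, can be sketched as follows. This is an added illustration, not Nexus's own code: it assumes Jamf Pro's client-credentials endpoint /api/oauth/token, and TokenManager, REFRESH_MARGIN and the injectable fetch and clock parameters are hypothetical names; Keychain storage is left out.

```python
import json
import time
import urllib.parse
import urllib.request

WARN_WINDOW = 600     # from the page: warn within 10 minutes of expiry
REFRESH_MARGIN = 60   # assumption: renew this many seconds before expiry

def normalize_base_url(url):
    """Require https and strip the trailing slash the page warns about."""
    parts = urllib.parse.urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Jamf Pro URL must be an https:// URL")
    return f"https://{parts.netloc}{parts.path.rstrip('/')}"

def http_token_request(base_url, client_id, client_secret):
    """Client-credentials request to Jamf Pro's /api/oauth/token endpoint."""
    form = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    req = urllib.request.Request(base_url + "/api/oauth/token",
                                 data=urllib.parse.urlencode(form).encode())
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)

class TokenManager:
    def __init__(self, base_url, client_id, client_secret,
                 fetch=http_token_request, clock=time.time):
        self.base_url = normalize_base_url(base_url)
        self._creds = (client_id, client_secret)  # keep out of logs and repr
        self._fetch, self._clock = fetch, clock
        self._token, self._expires_at, self._failed = None, 0.0, False

    def warning(self):
        """True if the last renewal failed and expiry is inside the window."""
        return self._failed and self._expires_at - self._clock() <= WARN_WINDOW

    def bearer(self):
        """Return a usable token, renewing early; raise only if none is left."""
        left = self._expires_at - self._clock()
        if self._token is None or left <= REFRESH_MARGIN:
            try:
                reply = self._fetch(self.base_url, *self._creds)
            except OSError:  # URLError/HTTPError are OSError subclasses
                self._failed = True
                if self._token is None or left <= 0:
                    raise
            else:
                self._token = reply["access_token"]
                self._expires_at = self._clock() + int(reply["expires_in"])
                self._failed = False
        return self._token
```

Passing a stub fetch function and a fake clock exercises the renewal and warning paths without contacting a server.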