Getting Started with Nexus
Add your Jamf Pro server and start managing your fleet in under 2 minutes.
System Requirements
- macOS 14 (Sonoma) or later
- Jamf Pro 10.35 or later
- An active Nexus subscription (or 7-day free trial)
Step 1: Download Nexus
Download Nexus from the Mac App Store. Tap Get to start your free 7-day trial. No payment is charged until the trial ends.
Step 2: Add Your Jamf Server
When you first launch Nexus, you'll see the “No servers added yet” screen.
- Click Add Jamf Server
- Enter a profile name (e.g. “Production”)
- Enter your Jamf Pro URL (e.g.
https://yourcompany.jamfcloud.com) - Enter your API Client ID and Client Secret (OAuth2)
- Click Save Server

Step 3: Create an API Client in Jamf Pro
Nexus connects using OAuth2 API credentials — not legacy Basic Auth. Here's how to create them:
- In Jamf Pro, go to Settings → System → API Roles and Clients
- Create a new API Role with the permissions listed below
- Create a new API Client using that role
- Copy the Client ID and generate a Client Secret
- Paste both into Nexus
Required Jamf Pro Permissions
Create an API Role in Jamf Pro with the following privileges. All are read-only unless noted — Nexus is designed to be a read-first tool that makes surgical changes only when you explicitly request them.
| Permission | Access Level | Used By |
|---|---|---|
| Computers | Read | Device Lookup, Fleet Commander, Ghost Hunter, Scope Inspector |
| Mobile Devices | Read | Device Lookup, Smart Groups (mobile), Scope Inspector |
| Policies | Read | Ghost Hunter, EA Scanner, Blast Radius, Scope Inspector |
| Scripts | Read + Write* | Script Library, Ghost Hunter (* Write only needed for in-app editing) |
| Smart Computer Groups | Read | Smart Groups, Scope Inspector, EA Scanner, Ghost Hunter |
| Smart Device Groups | Read | Smart Groups (mobile tab), Scope Inspector |
| Configuration Profiles | Read | Scope Inspector, Ghost Hunter, Blast Radius |
| Extension Attributes | Read | EA Scanner, Ghost Hunter, Blast Radius |
| Patch Management Titles | Read | Patch Compliance, Scope Inspector |
| Categories | Read | Script Library, Ghost Hunter filtering |
| MDM Commands | Create | Device Lookup (Lock, Restart, Wipe, etc.), Fleet Commander |
Step 4: Connect
Click Save Server — Nexus validates your credentials and loads your fleet. The Dashboard opens automatically once the connection is confirmed.
If the connection fails, check the following:
- Your Jamf Pro URL must not have a trailing slash (use
https://example.jamfcloud.com, nothttps://example.jamfcloud.com/) - Your API Client must be enabled in Jamf Pro — disabled clients return auth errors even with valid credentials
- The Client Secret is only shown once when generated — if you didn't copy it, generate a new one
- Firewall or proxy rules may block outbound connections from the Mac running Nexus to your Jamf Pro URL
Multi-server Profiles
Nexus supports connecting to unlimited Jamf Pro servers. This is useful for organizations managing multiple Jamf instances — production and staging environments, separate tenants for different business units, or multiple client environments for MSPs.
To add additional servers:
- Click the server name in the top of the sidebar (or the menu bar icon if using menu bar mode)
- Select Add Server from the profile switcher
- Enter a distinct profile name (e.g. “Staging”, “Client A”) and the server URL and credentials
- Click Save Server
Switch between servers instantly by clicking the server name in the sidebar and selecting from the profile list. Nexus loads the new server's data without requiring a relaunch. Each server profile has its own independent scan history, dismissed Ghost Hunter items, and settings.
API Token Management
Nexus manages Jamf API bearer tokens automatically. When you save a server profile, Nexus immediately exchanges your Client ID and Client Secret for a bearer token, which is used for all subsequent API calls.
Token behavior:
- Automatic refresh — Nexus refreshes tokens before they expire without any user interaction required
- Expiry warning — if a token is within 10 minutes of expiry and Nexus cannot refresh it (e.g., no network connection), a yellow warning banner appears in the dashboard
- Re-auth without re-entering credentials — if a token expires and cannot be refreshed, Nexus uses the stored Client Secret from the Keychain to obtain a new token automatically
- Keychain storage — all credentials (Client ID, Client Secret, and current bearer token) are stored exclusively in the macOS Keychain. They are never written to disk in plain text or sent to any third-party service.