Shared Signals Framework and Continuous Access Evaluation Protocol

Integrate with Jamf Security Cloud to receive standards-based security events when Apple devices change compliance state, and use those events to trigger access control enforcement in real time.

Overview

This guide is for third-party security software vendors and identity providers that want to receive real-time device posture signals from Jamf using the Shared Signals Framework (SSF) and Continuous Access Evaluation Protocol (CAEP).

What is SSF/CAEP

Shared Signals Framework (SSF) and Continuous Access Evaluation Protocol (CAEP) are open standards that allow systems to share identity and security signals in real time.

For a software developer, this means you don't need to query Jamf via API for the current device state. Instead, you receive real-time, signed events when devices become non-compliant, recover, or change management status. You can integrate those signals into your access control, policy enforcement, or analytics engine. This is a cornerstone of zero trust architecture, where access decisions reflect the live state of the user and device, not just the moment they authenticated.

How Jamf Implements SSF/CAEP

Jamf acts as an SSF Transmitter, built to emit CAEP-compliant signals about device posture.

As a third-party SSF Receiver, your product can subscribe to those signals and use them to suspend sessions, flag identities, adjust risk scores, or take any other action based on policy.

Jamf Signal Flow

  1. Jamf Pro manages the Apple device and monitors compliance. 
  2. UEM Connect syncs the device management status to Jamf Security Cloud.
  3. Jamf Security Cloud emits a Device compliance change CAEP event to your product when a management status change is detected.

Supported events include:

  • Device Compliance Change
  • Risk Level Change Event

Please note, the Risk Level Change Event does not adhere to the CAEP framework and is implemented specifically for integrating with Okta.

Each signal includes context (timestamp, subject ID) signed as a JSON Web Token (JWT).

Message Format & Payload Examples

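Jamf transmits CAEP events over HTTPS using signed JWTs that comply with SSF specs. The two decoded payloads below show a device changing from compliant to not-compliant, followed by a device returning to compliant.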

{
  "aud": "https://www.Caep.dev",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change": {
      "current_status": "not-compliant",
      "event_timestamp": 1746472203321,
      "previous_status": "compliant"
    }
  },
  "iat": 1746472206,
  "iss": "https://sse.jamf.com",
  "jti": "3a39fa3f-1120-482e-86de-e9bdaf30447f",
  "sub_id": {
    "device": {
      "format": "opaque",
      "sub": "7fa93d48-9833-5552-9916-cc90bafb46c4"
    },
    "format": "complex",
    "user": {
      "email": "[email protected]",
      "format": "email"
    }
  }
}

{
  "aud": "https://www.Caep.dev",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change": {
      "current_status": "compliant",
      "event_timestamp": 1746472091371,
      "previous_status": "not-compliant"
    }
  },
  "iat": 1746472094,
  "iss": "https://sse.jamf.com",
  "jti": "fdbeff8b-6b00-4b5a-b30a-6e36cf278418",
  "sub_id": {
    "device": {
      "format": "opaque",
      "sub": "7fa93d48-9833-5552-9916-cc90bafb46c4"
    },
    "format": "complex",
    "user": {
      "email": "[email protected]",
      "format": "email"
    }
  }
}

These payloads are:

  • Easy to verify using your registered public key
  • Mapped to standards-based event schemas
  • Ready for consumption by your access engine or identity platform

How to Integrate Your Product

Register Your Receiver with Jamf

  • Click Integrations > SSF streams > Create new SSF stream.
  • Define the audience URI you expect in the text field. You will be provided a token for use in your receiver. Click Confirm.
  • The "Well known URL" is shown. Use this and your token to programmatically configure the transmitter via API.
    Alternatively, you can manually configure the transmitter by clicking back, then Action > Configure.
    • On this screen you can specify the receiver's Endpoint URL and Authorization headers (if required), and select the Events you would like to receive.

Parse and Act on the Signal

  • Validate the JWT signature
  • Extract the information relevant to your integration from the message body
  • Feed this into your product’s enforcement logic
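
One way a receiver could implement the three steps above in Node.js, as an added example that is not Jamf's code. It assumes the token is signed with RS256 and that the verification key is available as a PEM string; handleSet, signDemoSet, the action names, the demo key and the demo claims are all hypothetical or constructed.

```javascript
const crypto = require("node:crypto");
const COMPLIANCE_EVENT =
  "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change";
const decodePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Verify a signed event token, validate its claims, map it to a hypothetical action.
// expected = { iss, aud, maxAgeSec }; seenJti is a Set of already-processed jti values.
function handleSet(token, publicKeyPem, expected, seenJti, nowSec = Date.now() / 1000) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  const [h, p, s] = parts;
  // Pin the algorithm (assumed RS256) so "none" or HMAC-signed tokens are rejected.
  if (decodePart(h).alg !== "RS256") throw new Error("unexpected alg");
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify("RSA-SHA256", signed, publicKeyPem, Buffer.from(s, "base64url")))
    throw new Error("bad signature");

  const c = decodePart(p); // claims are trusted only after the signature check
  if (c.iss !== expected.iss) throw new Error("wrong issuer");
  if (![].concat(c.aud).includes(expected.aud)) throw new Error("wrong audience");
  if (Math.abs(nowSec - c.iat) > expected.maxAgeSec) throw new Error("stale token");
  if (seenJti.has(c.jti)) throw new Error("replayed jti");
  seenJti.add(c.jti);
  const ev = c.events && c.events[COMPLIANCE_EVENT];
  if (!ev) return { action: "ignore", jti: c.jti };
  // Fail closed: anything other than "compliant" suspends access.
  const action = ev.current_status === "compliant" ? "restore-access" : "suspend-sessions";
  return { action, device: c.sub_id.device.sub, user: c.sub_id.user.email, jti: c.jti };
}

// Constructed stand-in for the transmitter: signs claims with a throwaway demo key.
function signDemoSet(claims, privateKey, alg = "RS256") {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc({ alg, typ: "secevent+jwt" })}.${enc(claims)}`;
  const sig = crypto.sign("RSA-SHA256", Buffer.from(input), privateKey);
  return `${input}.${sig.toString("base64url")}`;
}

const demoKeys = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const demoPublicPem = demoKeys.publicKey.export({ type: "spki", format: "pem" });
const demoClaims = { // constructed values, shaped like the payloads on this page
  iss: "https://sse.jamf.com", aud: "https://receiver.example/ssf", iat: 1746472206,
  jti: "constructed-jti-1",
  events: { [COMPLIANCE_EVENT]: { current_status: "not-compliant", previous_status: "compliant" } },
  sub_id: { format: "complex", device: { format: "opaque", sub: "constructed-device-id" },
    user: { format: "email", email: "user@example.com" } },
};
const demoExpected = { iss: demoClaims.iss, aud: demoClaims.aud, maxAgeSec: 300 };
console.log(handleSet(signDemoSet(demoClaims, demoKeys.privateKey), demoPublicPem, demoExpected, new Set(), demoClaims.iat + 5));
```

In a real receiver the jti set needs to be shared, expiring storage rather than an in-memory Set, so replays are caught across instances and restarts.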

Apply Real-Time Policy

Whether you're enforcing conditional access, initiating automated response, or logging identity-device context, you now have Jamf’s real-time posture at your fingertips.

Resources & Troubleshooting

📘 OpenID Shared Signals & CAEP Framework
🧪 Use JWT.io or your internal tools to decode and verify event tokens
🖥️ Use CAEP.dev to validate your SSF Receiver or Transmitter
💬 Contact the Jamf Technical Partnership team for test accounts or debugging support