Overview

This guide is for third-party security software vendors and identity providers that want to receive real-time device posture signals from Jamf using the Shared Signals Framework (SSF) and Continuous Access Evaluation Protocol (CAEP).

What is SSF/CAEP

Shared Signals Framework (SSF) and Continuous Access Evaluation Protocol (CAEP) are open standards that allow systems to share identity and security signals in real time.

As a software developer, this means you don’t need to query Jamf via API for the current device state. Instead, you get real-time, signed events when devices become non-compliant, recover, or change management status. You can integrate those signals into your access control, policy enforcement, or analytics engine. This is a cornerstone of zero trust architecture, where access decisions reflect the live state of the user and device — not just the moment they authenticated.

How Jamf Implements SSF/CAEP

Jamf acts as an SSF Transmitter, built to emit CAEP-compliant signals about device posture.

As a third-party SSF Receiver, your product can subscribe to those signals and use them to suspend sessions, flag identities, adjust risk scores, or any other action based on policy.

Jamf Signal Flow

Jamf Pro manages the Apple device and monitors compliance.
UEM Connect syncs the device management status to Jamf Security Cloud.
Jamf Security Cloud emits a Device compliance change CAEP event to your product when a management status change is detected.

Supported events include:

Device Compliance Change

📘
Risk Level Change Event
Please note, this event does not adhere to the CAEP framework and is implemented specifically for integrating with Okta.

Each signal includes context (timestamp, subject ID) signed as a JSON Web Token (JWT).

Message Format & Payload Examples

Jamf transmits CAEP events over HTTPS using signed JWTs that comply with SSF specs.

{
  "aud": "https://www.Caep.dev",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change": {
      "current_status": "not-compliant",
      "event_timestamp": 1746472203321,
      "previous_status": "compliant"
    }
  },
  "iat": 1746472206,
  "iss": "https://sse.jamf.com",
  "jti": "3a39fa3f-1120-482e-86de-e9bdaf30447f",
  "sub_id": {
    "device": {
      "format": "opaque",
      "sub": "7fa93d48-9833-5552-9916-cc90bafb46c4"
    },
    "format": "complex",
    "user": {
      "email": "user@company.com",
      "format": "email"
    }
  }
}

{
  "aud": "https://www.Caep.dev",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/device-compliance-change": {
      "current_status": "compliant",
      "event_timestamp": 1746472091371,
      "previous_status": "not-compliant"
    }
  },
  "iat": 1746472094,
  "iss": "https://sse.jamf.com",
  "jti": "fdbeff8b-6b00-4b5a-b30a-6e36cf278418",
  "sub_id": {
    "device": {
      "format": "opaque",
      "sub": "7fa93d48-9833-5552-9916-cc90bafb46c4"
    },
    "format": "complex",
    "user": {
      "email": "user@company.com",
      "format": "email"
    }
  }
}

These payloads are:

Easy to verify using your registered public key
Mapped to standards-based event schemas
Ready for consumption by your access engine or identity platform

How to Integrate Your Product

Register Your Receiver with Jamf

Click Integrations > SSF streams > Create new SSF stream
Define the audience URI you expect in text field. You will be provided a token for use in your receiver. Click Confirm.
The "Well known URL" is shown. Use this and your token to programmatically configure the transmitter via API.
Alternatively, you can manually configure the transmitter by clicking back, Action > Configure
- On this screen you can specify the receivers' Endpoint URL and Authorization headers (if required), and select the Events you would like to receive.

Parse and Act on the Signal

Validate the JWT signature
Extract the information relevant to your integration from the message body
Feed this into your product’s enforcement logic

Apply Real-Time Policy

Whether you're enforcing conditional access, initiating automated response, or logging identity-device context, you now have Jamf’s real-time posture at your fingertips.

Resources & Troubleshooting

📘 OpenID Shared Signals & CAEP Framework
🧪 Use JWT.io or your internal tools to decode and verify event tokens
🖥️ Use CAEP.dev to validate your SSF Receiver or Transmitter
💬 Contact Jamf Technical Partnership's team for test accounts or debugging support