Jamf Concepts
Guides

Guides

Form to Wipe — n8n Deployment

~6 min read
Was this helpful?

Form to Wipe — n8n Deployment

This guide covers the n8n implementation of Form to Wipe. It uses a Slack slash command to open a modal, routes the request to an approver via Slack DM, and sends erase commands via the Jamf Platform API. Approvers can be sourced from Microsoft Entra, Okta, or a Slack usergroup.

Prerequisites

  • n8n self-hosted (≥ 1.30) or n8n Cloud
  • Slack app with the required scopes (see Step 2 below)
  • Jamf Platform API OAuth2 client with erase privileges (see Form to Wipe)
  • One of: Microsoft Entra app registration, Okta API token, or a Slack usergroup for approvers

Step 1 — Import the Workflow

In n8n: Workflows → Import from file → select Jamf-FTW-n8n-template.json.

The workflow imports as inactive. Do not activate yet — complete credential and variable setup first.

Step 2 — Credentials

Create the following credentials in Settings → Credentials before wiring the workflow.

Slack Auth Token

  1. Create a Slack app at api.slack.com/apps

  2. Add the following Bot Token Scopes under OAuth & Permissions:

    Scope Purpose
    commands Receive slash commands
    chat:write Send DMs and channel messages
    chat:delete Clean up approval messages after a decision
    users:read Look up users by ID
    users:read.email Look up users by email (Okta/Entra paths)
    usergroups:read Read Slack usergroup membership
    views:open Open modals
    views:update Update modals on validation error
  3. Install the app to your workspace and copy the Bot User OAuth Token

  4. In n8n: create a new HTTP Bearer Auth credential, paste the token, name it Slack Auth Token

Jamf Platform API

  1. In Jamf Pro: Settings → API roles and clients → API Clients → New

  2. Assign a role with the privileges listed in Form to Wipe

    Note on static computer groups: The Platform API does not have a native static computer group membership endpoint. The workflow falls back to the Classic API proxy (/api/proclassic/...), which is covered by the same Read Computer Groups privilege.

  3. Generate a client secret and note the Client ID and Secret

  4. In n8n: create a new OAuth2 API credential:

    • Grant type: Client Credentials
    • Token URL: https://YOUR_INSTANCE.jamfcloud.com/api/oauth/token
    • Client ID / Secret: from above
  5. Name it Jamf Platform API

API Gateway access: The workflow also calls the Jamf Platform API Gateway (apigw.jamf.com). Contact your Jamf representative if you do not have access.

Okta API — only if IDP_PROVIDER = okta

  1. In Okta: Security → API → Tokens → Create Token
  2. In n8n: create a new Okta API credential with your Okta domain and the token
  3. Name it Okta account

Microsoft Entra — only if IDP_PROVIDER = entra

  1. In Azure: App registrations → New registration
  2. Add API permission: GroupMember.Read.All (Application type) and grant admin consent
  3. Create a client secret
  4. In n8n: create a new Microsoft Entra OAuth2 credential
  5. Name it Microsoft Entra ID (Azure Active Directory) account

Step 3 — Variables

Create each variable in n8n under Settings → Variables.

Required Variables

Variable Description Example
JAMF_TENANT_NAMES Comma-separated display names for your Jamf tenants Production,Staging
JAMF_TENANT_IDS Comma-separated tenant UUIDs — same order as names aaaaaaaa-...,bbbbbbbb-...
APPROVER_SOURCE Where to pull the approver list from: scim, idp, or dev idp
IDP_PROVIDER Required if APPROVER_SOURCE=idp: entra or okta entra
APPROVAL_TIMEOUT_SECONDS How long before the request expires 3600
AUDIT_LOG_CHANNEL_ID Slack channel ID for all audit events C0123456789
WEBHOOK_VERIFY_TOKEN A UUID or random secret — also set in the Slack slash command URL your-secret-uuid

Variables by Approver Source

If APPROVER_SOURCE = scim (Slack usergroup):

Variable Value
APPROVER_USERGROUP_ID Slack usergroup ID — format: S0XXXXXXXX

If APPROVER_SOURCE = idp + IDP_PROVIDER = okta:

Variable Value
IDP_OKTA_GROUP_ID Okta group ID — format: 00gXXXXXX
IDP_OKTA_SLACK_EMAIL_FIELD Profile field to use for Slack email lookup (usually email)

If APPROVER_SOURCE = idp + IDP_PROVIDER = entra:

Variable Value
ENTRA_APPROVER_GROUP_ID Azure AD Object ID of your approver group

If APPROVER_SOURCE = dev (alternate Slack usergroup, for testing):

Variable Value
DEV_APPROVER_USERGROUP_ID Slack usergroup ID for dev/test approvers

Multi-Tenant Configuration

The JAMF_TENANT_NAMES and JAMF_TENANT_IDS variables must be in the same order — index 0 of names maps to index 0 of IDs. The tenant dropdown in the Slack modal is built dynamically at runtime from these variables; no additional per-tenant configuration is needed.

API Gateway region: The workflow defaults to us.apigw.jamf.com. If your tenants are in EU or APAC, update the REGION constant in the Find Group + Build Members URL and Determine Management Id Lookup URL code nodes.

Step 4 — Slack App Setup

Slash Command

  1. In your Slack app: Slash Commands → Create New Command
  2. Command: /device-wipe (or your preferred name)
  3. Request URL: https://YOUR_N8N_INSTANCE/webhook/jamf-device-wipe?token=YOUR_WEBHOOK_VERIFY_TOKEN
  4. Short description: Submit a Jamf device wipe request

Interactivity

  1. In your Slack app: Interactivity & Shortcuts → Turn On
  2. Request URL: https://YOUR_N8N_INSTANCE/webhook/jamf-device-wipe?token=YOUR_WEBHOOK_VERIFY_TOKEN

Both the slash command and interactive components (modal submissions, button clicks) must point to the same webhook URL with your verify token as a query parameter.

Step 5 — Activate

  1. Open the workflow in n8n
  2. Re-link each node to its credential (n8n clears credential links on import)
  3. Click Activate
  4. Test with /device-wipe in Slack

Flow Summary

/device-wipe (Slack)
  → Webhook → Verify Token → Parse Webhook
  → Switch on webhook type:
      slash_command       → Open Wipe Request Modal
      view_submission     → Parse Submission → Validate →
                            Resolve Device IDs → Send to Approval
      approver_response   → approve: LOG → Parse → Send Final Confirmation to Requestor
                          → deny:    LOG → DM Requestor
      final_confirmation  → confirm: LOG → Split per-device →
                                          Send Erase Command × N →
                                          Merge Results → DM Results → LOG
                          → cancel:  LOG → DM Requestor
      timeout path        → DM Requestor if no approval within APPROVAL_TIMEOUT_SECONDS

Troubleshooting

Modal doesn't open Verify the slash command Request URL includes ?token=YOUR_WEBHOOK_VERIFY_TOKEN. The Verify Token node rejects requests where the token doesn't match.

Approver list is empty

  • scim: confirm APPROVER_USERGROUP_ID is correct and the Slack app has usergroups:read
  • okta: confirm IDP_OKTA_GROUP_ID and that the Okta credential has group read access
  • entra: confirm ENTRA_APPROVER_GROUP_ID and that the Entra app has GroupMember.Read.All

Erase command returns 4xx Confirm the Jamf Platform API credential has erase privileges and that you're using the correct API Gateway region.

Tenant dropdown shows placeholder values Set JAMF_TENANT_NAMES and JAMF_TENANT_IDS variables before activating the workflow.

Was this helpful?