Form to Wipe — n8n Deployment
This guide covers the n8n implementation of Form to Wipe. It uses a Slack slash command to open a modal, routes the request to an approver via Slack DM, and sends erase commands via the Jamf Platform API. Approvers can be sourced from Microsoft Entra, Okta, or a Slack usergroup.
Prerequisites
- n8n self-hosted (≥ 1.30) or n8n Cloud
- Slack app with the required scopes (see Step 2 below)
- Jamf Platform API OAuth2 client with erase privileges (see Form to Wipe)
- One of: Microsoft Entra app registration, Okta API token, or a Slack usergroup for approvers
Step 1 — Import the Workflow
In n8n: Workflows → Import from file → select Jamf-FTW-n8n-template.json.
The workflow imports as inactive. Do not activate yet — complete credential and variable setup first.
Step 2 — Credentials
Create the following credentials in Settings → Credentials before wiring the workflow.
Slack Auth Token
Create a Slack app at api.slack.com/apps
Add the following Bot Token Scopes under OAuth & Permissions:
Scope Purpose commandsReceive slash commands chat:writeSend DMs and channel messages chat:deleteClean up approval messages after a decision users:readLook up users by ID users:read.emailLook up users by email (Okta/Entra paths) usergroups:readRead Slack usergroup membership views:openOpen modals views:updateUpdate modals on validation error Install the app to your workspace and copy the Bot User OAuth Token
In n8n: create a new HTTP Bearer Auth credential, paste the token, name it
Slack Auth Token
Jamf Platform API
In Jamf Pro: Settings → API roles and clients → API Clients → New
Assign a role with the privileges listed in Form to Wipe
Note on static computer groups: The Platform API does not have a native static computer group membership endpoint. The workflow falls back to the Classic API proxy (
/api/proclassic/...), which is covered by the sameRead Computer Groupsprivilege.Generate a client secret and note the Client ID and Secret
In n8n: create a new OAuth2 API credential:
- Grant type:
Client Credentials - Token URL:
https://YOUR_INSTANCE.jamfcloud.com/api/oauth/token - Client ID / Secret: from above
- Grant type:
Name it
Jamf Platform API
API Gateway access: The workflow also calls the Jamf Platform API Gateway (
apigw.jamf.com). Contact your Jamf representative if you do not have access.
Okta API — only if IDP_PROVIDER = okta
- In Okta: Security → API → Tokens → Create Token
- In n8n: create a new Okta API credential with your Okta domain and the token
- Name it
Okta account
Microsoft Entra — only if IDP_PROVIDER = entra
- In Azure: App registrations → New registration
- Add API permission:
GroupMember.Read.All(Application type) and grant admin consent - Create a client secret
- In n8n: create a new Microsoft Entra OAuth2 credential
- Name it
Microsoft Entra ID (Azure Active Directory) account
Step 3 — Variables
Create each variable in n8n under Settings → Variables.
Required Variables
| Variable | Description | Example |
|---|---|---|
JAMF_TENANT_NAMES |
Comma-separated display names for your Jamf tenants | Production,Staging |
JAMF_TENANT_IDS |
Comma-separated tenant UUIDs — same order as names | aaaaaaaa-...,bbbbbbbb-... |
APPROVER_SOURCE |
Where to pull the approver list from: scim, idp, or dev |
idp |
IDP_PROVIDER |
Required if APPROVER_SOURCE=idp: entra or okta |
entra |
APPROVAL_TIMEOUT_SECONDS |
How long before the request expires | 3600 |
AUDIT_LOG_CHANNEL_ID |
Slack channel ID for all audit events | C0123456789 |
WEBHOOK_VERIFY_TOKEN |
A UUID or random secret — also set in the Slack slash command URL | your-secret-uuid |
Variables by Approver Source
If APPROVER_SOURCE = scim (Slack usergroup):
| Variable | Value |
|---|---|
APPROVER_USERGROUP_ID |
Slack usergroup ID — format: S0XXXXXXXX |
If APPROVER_SOURCE = idp + IDP_PROVIDER = okta:
| Variable | Value |
|---|---|
IDP_OKTA_GROUP_ID |
Okta group ID — format: 00gXXXXXX |
IDP_OKTA_SLACK_EMAIL_FIELD |
Profile field to use for Slack email lookup (usually email) |
If APPROVER_SOURCE = idp + IDP_PROVIDER = entra:
| Variable | Value |
|---|---|
ENTRA_APPROVER_GROUP_ID |
Azure AD Object ID of your approver group |
If APPROVER_SOURCE = dev (alternate Slack usergroup, for testing):
| Variable | Value |
|---|---|
DEV_APPROVER_USERGROUP_ID |
Slack usergroup ID for dev/test approvers |
Multi-Tenant Configuration
The JAMF_TENANT_NAMES and JAMF_TENANT_IDS variables must be in the same order — index 0 of names maps to index 0 of IDs. The tenant dropdown in the Slack modal is built dynamically at runtime from these variables; no additional per-tenant configuration is needed.
API Gateway region: The workflow defaults to
us.apigw.jamf.com. If your tenants are in EU or APAC, update theREGIONconstant in the Find Group + Build Members URL and Determine Management Id Lookup URL code nodes.
Step 4 — Slack App Setup
Slash Command
- In your Slack app: Slash Commands → Create New Command
- Command:
/device-wipe(or your preferred name) - Request URL:
https://YOUR_N8N_INSTANCE/webhook/jamf-device-wipe?token=YOUR_WEBHOOK_VERIFY_TOKEN - Short description:
Submit a Jamf device wipe request
Interactivity
- In your Slack app: Interactivity & Shortcuts → Turn On
- Request URL:
https://YOUR_N8N_INSTANCE/webhook/jamf-device-wipe?token=YOUR_WEBHOOK_VERIFY_TOKEN
Both the slash command and interactive components (modal submissions, button clicks) must point to the same webhook URL with your verify token as a query parameter.
Step 5 — Activate
- Open the workflow in n8n
- Re-link each node to its credential (n8n clears credential links on import)
- Click Activate
- Test with
/device-wipein Slack
Flow Summary
/device-wipe (Slack)
→ Webhook → Verify Token → Parse Webhook
→ Switch on webhook type:
slash_command → Open Wipe Request Modal
view_submission → Parse Submission → Validate →
Resolve Device IDs → Send to Approval
approver_response → approve: LOG → Parse → Send Final Confirmation to Requestor
→ deny: LOG → DM Requestor
final_confirmation → confirm: LOG → Split per-device →
Send Erase Command × N →
Merge Results → DM Results → LOG
→ cancel: LOG → DM Requestor
timeout path → DM Requestor if no approval within APPROVAL_TIMEOUT_SECONDS
Troubleshooting
Modal doesn't open
Verify the slash command Request URL includes ?token=YOUR_WEBHOOK_VERIFY_TOKEN. The Verify Token node rejects requests where the token doesn't match.
Approver list is empty
scim: confirmAPPROVER_USERGROUP_IDis correct and the Slack app hasusergroups:readokta: confirmIDP_OKTA_GROUP_IDand that the Okta credential has group read accessentra: confirmENTRA_APPROVER_GROUP_IDand that the Entra app hasGroupMember.Read.All
Erase command returns 4xx Confirm the Jamf Platform API credential has erase privileges and that you're using the correct API Gateway region.
Tenant dropdown shows placeholder values
Set JAMF_TENANT_NAMES and JAMF_TENANT_IDS variables before activating the workflow.