Apple Business Admin API: first look at what you can automate

The headlines covered the Apple Business launch. The Admin API is the story underneath it that matters more for anyone running Apple at scale.

If you only read Apple's keynote materials, the Admin API looks like a footnote. In practice, it's the piece that decides whether Apple Business slots into the automation pipelines you already have, or whether it stays a standalone web console. Here's what we've found after a day of kicking the tyres.

What the Admin API actually covers

The API exposes four broad resource types:

• Devices — enrolment status, serial numbers, assigned user, last seen, model, OS version
• Users — Managed Apple Account details, group membership, identity provider sync state
• MDM records — installed profiles, pending commands, compliance flags (where surfaced)
• Audit logs — every admin action in the console, exportable as JSON

It's read-mostly today. You can write back user assignments and trigger some MDM actions, but editing Blueprints, app assignments, and most configuration still requires the web console. Expect that gap to narrow fast.

Authentication is the first gotcha

Tokens are issued to a service account — a Managed Apple Account with the right role. OAuth isn't supported yet, so rotation and secret storage are your problem. Apple recommends rotating every 90 days and storing tokens in a secrets manager, which is reasonable advice.

There's also a rate limit. 100 requests per minute per token at launch, which is fine for reporting jobs but tight if you're pulling full inventory every hour for a large fleet. Plan your polling carefully or you'll see 429s.

What you can automate today

Three things we've already set up in test tenants:

• User provisioning from Microsoft Entra ID — SCIM hooks up natively, and the API fills the gaps (custom attributes, group nesting) that SCIM doesn't carry cleanly
• Daily audit log export — pulls the previous 24 hours into our SIEM, no more console screenshots for change control
• Device inventory reconciliation — cross-checks Apple Business's device list against Jamf Pro nightly and flags anything that's drifted

None of these are groundbreaking on their own. They're the small integrations that quietly remove a few hours of manual work each week.

What's missing

The things you can't do yet, if you're planning integrations:

• Create, edit, or delete Blueprints programmatically
• Push or recall app assignments at scale
• Trigger device wipe or lock via the API — only through the console
• Bulk-update Managed Apple Account attributes
• Webhook out — there's no event stream yet, only polling

The webhook gap is the one that stings. For anything near-real-time, you'll still need scheduled jobs until Apple ships events.

How it fits alongside Jamf

If you're running Jamf Pro today, the Admin API doesn't replace anything — it sits alongside. The most useful pattern so far is treating Apple Business as the source of truth for identity and enrolment state, and Jamf as the source of truth for compliance and configuration. A small reconciliation job between the two keeps both aligned. (If you haven't yet, Jamf Pro 11.26 added a few things worth knowing before you upgrade.)

For clients running hybrid deployments, this is where our team is spending most of its time right now. The integration surface is small today, but the payoff is immediate and it compounds as Apple expands what the API can do.