Prune is a macOS application that helps you clean up your Jamf Pro server by identifying and removing unused items. As your Jamf server ages, it often accumulates outdated packages, unscoped policies, mobile device apps, and other unused objects. Prune scans your server to find these items and helps you safely remove them.
π Download Prune (Latest Release)
- Scan: Prune connects to your Jamf Pro server and scans for unused items across multiple object types.
- Review: The app generates a list of potentially unused items that you can review and edit.
- Edit: Remove items from the deletion list or open them directly on your Jamf server.
- Delete: Once you're confident, delete the unused items to clean up your server.
β οΈ Error Handling: If the server indicates an error while reading an object, it will be logged and you'll receive an alert indicating the results may be inaccurate.
Once the list of unused items is generated, you can edit it directly within the app:
- Remove an item from the deletion list: Option-click the item to keep it (it won't be deleted from the server)
- Review an item on the server: Double-click any item to open it directly on your Jamf server (you may need to authenticate first)
-
Connect to Your Server
- Enter your Jamf Pro server URL and credentials
- π‘ Recommended: Use API Client Credentials for authentication instead of user accounts
- To generate a list only: Use an auditor account (read-only) or client credentials with read permissions
- To delete items: Use an account with delete permissions or client credentials with delete permissions
- Enter your Jamf Pro server URL and credentials
-
Select Object Types to Scan
- Choose the object types you want to scan (packages, scripts, computer groups, policies, etc.)
- Tip: Option-click to select or deselect all object types at once
-
Start the Scan
- Click the Scan button
- Wait for Prune to analyze your server and identify unused items
-
Review and Edit the Results
- Review the generated list of unused items
- Option-click any item to remove it from the deletion list (keeps it on your server)
- Double-click any item to open it on your Jamf server for detailed review
-
Delete Items (Optional)
- Click Delete to remove the listed items from your server
- To delete only a specific object type: Change the View option to the desired type, then click Delete
-
Export Results (Optional)
- Click Export to save lists to your Downloads folder (one file per object type)
- These files can be imported later by clicking the import button or dragging the file onto it
- Option-click Export to export all items to a single CSV file
- Blueprints are not scanned: Groups used only in blueprints will show as unused since blueprints aren't analyzed.
API Client Credentials are the recommended method for authenticating with your Jamf Pro server. They provide better security and are more suitable for programmatic access than user accounts.
-
Log into Jamf Pro
- Open your Jamf Pro web interface
- Sign in with an account that has administrative privileges
-
Navigate to Client Credentials
- Go to Settings (βοΈ)
- Select API roles and clients from the System Settings section
-
Create a New API Role
- Click the New button (+) to create a new API role
- Fill in the required information:
- Display Name: Enter a descriptive name (e.g., "Prune.app - Read & Delete Objects")
- Privileges: Choose the appropriate privileges based on your needs:
- For read-only access (scanning only): Grant Read permissions for all object types you want to scan
- For full functionality (scanning and deleting): Grant both Read and Delete permissions for the object types you want to manage
If you want to use Prune with all available object types, you'll need to grant the following privileges in your API role:
Object Type Required Privileges Classes Read Classes, Delete Classes Computer Extension Attributes (EAs) Read Computer Extension Attributes, Delete Computer Extension Attributes Computer Groups Read Smart Computer Groups, Delete Smart Computer Groups, Read Static Computer Groups, Delete Static Computer Groups Computer Objects (General) Read Computer PreStage Enrollments Computer Profiles Read macOS Configuration Profiles, Delete macOS Configuration Profiles eBooks Read eBooks, Delete eBooks Mac Apps Read Mac Applications, Delete Mac Applications Mobile Device Apps Read Mobile Device Applications, Delete Mobile Device Applications Mobile Device Configuration Profiles Read iOS Configuration Profiles, Delete iOS Configuration Profiles Mobile Device Extension Attributes (EAs) Read Mobile Device Extension Attributes, Delete Mobile Device Extension Attributes Mobile Device Groups Read Smart Mobile Device Groups, Delete Smart Mobile Device Groups, Read Static Mobile Device Groups, Delete Static Mobile Device Groups Mobile Device Objects (General) Read Mobile Device PreStage Enrollments Packages Read Packages, Delete Packages Policies Read Policies, Delete Policies Printers Read Printers, Delete Printers Restricted Software Read Restricted Software, Delete Restricted Software Scripts Read Scripts, Delete Scripts Tip: You can create separate API roles for different use cases (e.g., one for read-only scanning and one for full delete access) and assign them to different API clients as needed.
-
Create a New API Client
- Navigate back to the API roles and clients section in Jamf Pro
- On the API Clients tab, click the New button (+) to create a new API client
- Fill in the required information:
- Display Name: Enter a descriptive name (e.g., "Prune.app")
- API roles: Select the API role you created in the previous step
- Enable API client: Click the Enable API client button
- Click Save to create the client
-
Generate Client Secret and Copy Credentials
- Click Generate client secret > Create secret
- Important: Copy the Client ID and Client Secret immediately
- The Client Secret will only be displayed once and cannot be retrieved later
- Store these credentials securely (consider using a password manager)
-
Use in Prune
- When connecting in Prune, check the box for Use API client:
- Paste your Client ID and Client Secret into the relevant fields
- When connecting in Prune, check the box for Use API client:
Prune analyzes each object type by checking specific usage locations in your Jamf Pro server. The table below explains how each object type is evaluated:
| Object Type | How Usage is Determined |
|---|---|
| Packages | Checked for usage in policies, patch policies, and computer prestages |
| Scripts | Checked for usage in policies |
| Computer Groups | Checked for usage in policies, computer configuration profiles, computer groups, eBooks, restricted software, advanced searches, app installers, and enabled state |
| Computer Profiles | Checked for scope and usage in computer prestages |
| Policies | Checked for scope |
| Printers | Checked for usage in policies and macOS configuration profiles |
| Mac Apps | Checked for scope |
| Restricted Software | Checked for scope of computer groups |
| Computer Extension Attributes | Checked for scope of computer groups, advanced searches (including display tab), and enabled state |
| eBooks | Checked for scope |
| Mobile Device Groups | Checked for usage in mobile device apps, mobile device configuration profiles, mobile device groups, eBooks, and classes |
| Mobile Device Profiles | Checked for scope |
| Classes | Checked for scope (only looks for students/student groups/mobile device assignments) |
| Mobile Device Extension Attributes | Checked for scope of mobile device groups and advanced searches |
This application deletes items from your Jamf Pro server. Always use with caution!
- Backup First: It's strongly recommended to have a valid backup before deleting any objects. You can:
- Perform a database backup (if on-premise)
- Use Replicator to export the full XML of all objects
- Or do both for maximum safety
Prune may identify some items as unused that are actually in use due to API limitations:
- Policies scoped only to users/user groups: Will show as unused because the API doesn't list users or user groups in policy scopes
- Mac Apps: Enabled/disabled state is not available via the API, so this isn't used to determine usage
- Bookmarks: Not accessible via the API, so groups used only to scope bookmarks will show as unused
Logging information is written to:
~/Library/Containers/com.jamf.pse.prune/Data/Library/Logs/Prune.log
You can access this folder through the menu bar: View β Logs Folder
Prune collects basic hardware, OS, and application usage data and sends it anonymously to TelemetryDeck to help improve the application. You can opt out at any time by clicking "Opt out of analytics" at the bottom of the "About Prune" window.
- Add basic hardware, OS, and application usage collection
- Data is sent anonymously to TelemetryDeck to aid in development
- View 'About Prune' to opt out of sending data
- Address items in issue #55
- Add ability to remove scoped disabled policies
- Include printers as an available object to scan
- Update for Sequoia and accessing shared data
- Misc fixes and cleanup
- Fix crash when exporting after an import
- Fix title being truncated (full name now appears as a tooltip)
- Query App Installers for groups used for scoping
- Update login window
- Add support for bearer token authentication
- Provide alert if some lookups fail, which may result in inaccurate results
- Fix issue #42
- Updated token refresh process to address issue #41
- Improved logging
- Fix issue #39: double quotes in display name
- Better handling of bearer token expiration
- Fix export to CSV for policies
- Enable sharing of keychain items with other apps by the same developer
- Guard against faulty package configurations in computer prestages
- Check for extension attributes used only on the display tab of advanced searches
- Updated logging to prevent potential looping
- Updated UI
- Add ability to export results to a CSV (Option-click Export)
- Add scanning of Mac Apps
- Fix issue where extension attributes used as criteria in smart groups were listed as unused
- Fix computer/mobile device extension attributes not deleting (#29)
- Fix issue where policies that are disabled and scoped were not showing up as unused (#27)
- List policies that are disabled and still scoped (#27)
- List computer extension attributes that are disabled (marked with
[disabled]) - Scan advanced searches (#26) for groups and extension attributes used as criteria
- Adjust URL to view unused scripts based on Jamf Pro version
- Resolve crash when importing
- Fix crash when scanning only computer (configuration) profiles
- Add keyboard shortcut and menu bar item (View β Logs Folder) to open logs folder
- Fix some potential authentication issues
- Add deterministic progress wheel to show current status while deleting items
- Add token authentication to the classic API for Jamf Pro 10.35+
- Add feedback while items are being deleted from the Jamf Pro server
- Fix removal warning always showing 0 items (#13)
- Fix items not getting deleted when importing files (#14)
- Fix crash that could occur if computer groups were not scanned (#15)
- Fix packages in patch policies not being picked up (#16)
- Layout changed with dedicated login window
- Added restricted software as an item to query
- Changed Remove button to Delete
- Fixed issue where eBooks and classes were not getting deleted
- Updated URL used for token request from Jamf Pro API
- Corrected extra comma in exported items
- Added export summary
- Scan computer prestages for packages and configuration profiles
- Remove check against computer configurations
- Fix app crash when only classes is selected
- Fix issue of duplicate API calls
- Additional error handling
- Added scan against eBooks and Classes
- Guard against corrupt policies/scripts (having no name)
- Added warning before deleting is initiated
- Write logging information to
~/Library/Containers/com.jamf.pse.prune/Data/Library/Logs/Prune.log