A digital publication from the J. Willard Marriott Library
Red Block U Logo

From Manual to Automated-Managing Jamf Title Editor at Scale

18 Mar From Manual to Automated-Managing Jamf Title Editor at Scale

Posted at 14:58h in Administration, Automation, Documentation, Enterprise, Higher Education, Information Technology, Jamf Pro Server, Patch Management, Title Editor by
1 Like

Marriott Library Title Editor Automation

Background: Managing Software Patch Compliance at Scale

The J. Willard Marriott Library at the University of Utah manages one of the larger academic Mac fleets in the Intermountain West — thousands of macOS endpoints spanning public computing labs, faculty and staff workstations, specialized media production suites, and administrative offices. Keeping every machine running the correct, current version of every managed application is a core operational responsibility.

Our MDM platform is Jamf Pro, and our patch compliance layer is Jamf Pro Patch Management — a built-in Jamf Pro feature that provides a real-time compliance dashboard across the fleet, sends notifications when new software versions are released, and drives Patch Policies that enforce updates on a schedule. Patch Policies give IT administrators fine-grained control over the update experience: deadlines, deferral limits, grace periods, and customizable user-facing notifications.

Patch Management works from patch sources — catalogs of software title definitions describing what versions of an application exist and how to detect them on a managed Mac. Jamf Pro ships with a built-in catalog covering many popular third-party applications, but a significant portion of the Marriott Library’s software portfolio falls outside that catalog:

  • Restricted and campus-only applications distributed through vendor portals or campus licensing agreements (e.g., Palo Alto Networks GlobalProtect)
  • Repackaged Mac App Store titles — paid or complex applications such as Xcode, Final Cut Pro, Logic Pro, and GarageBand that require post-install scripting or customization that Jamf Pro’s MDM-based App Store delivery cannot provide
  • Open-source and common applications are managed silently via Installomator, where we want patch compliance visibility in the Jamf Pro dashboard

For these categories, we rely on Jamf Title Editor — a separate Jamf-hosted service (built on Mondada’s Kinobi technology, acquired by Jamf in 2021) that acts as a custom external patch source. Once registered in Jamf Pro, every title and version record defined in Title Editor becomes available in Patch Management exactly like a built-in catalog entry. Title Editor does not deploy software itself; it provides the patch definitions — the version histories and detection criteria — that Jamf Pro needs to track compliance and power Patch Policies.

The Problem: Manual Version Management Does Not Scale

Title Editor exposes a comprehensive REST API. Without automation, adding a new software version to Title Editor requires logging into the web interface, navigating to the correct title, and manually filling in version details — a process that must be repeated for every application update, every time. Across dozens of managed titles, this adds up quickly, and bulk-populating a version history for a newly added title (which may have dozens of past releases) is essentially impractical by hand.

To solve this, the Marriott Library IT team has developed and open-sourced a suite of Bash scripts that automate the most common workflows against the Title Editor REST API.

The Title Editor API Automation Toolkit

The toolkit is available at:
https://github.com/univ-of-utah-marriott-library-apple/Title-Editor—API-Automation-Associated-Scripts

It consists of five Bash scripts. Four of them depend on the fifth — the core API library — which must be sourced before any other script runs.

title_editor_api_ctrl.sh — Core API Library

This is the foundation of the entire toolkit. It is sourced (not executed directly) and must be loaded before any of the other scripts run. It handles:

  • Reading credentials from the macOS Login Keychain or a config file
  • Authenticating to Title Editor and obtaining a Bearer token
  • Running a background keep-alive process that refreshes the token five minutes before expiry — critical for long batch operations that would otherwise time out mid-run
  • All HTTP operations against the Title Editor REST API (GET, POST, PATCH, DELETE)
  • Automatic reconnect and retry if a token expires unexpectedly during an operation

All other scripts in the toolkit call into this library for their API interactions. Administrators who want to build their own automation can source this library and call its functions directly.

setup_title_editor_credentials.sh — Credential Wizard

A one-time setup wizard that stores the Title Editor server hostname, API username, and password as secure entries in the macOS Login Keychain under the service name TitleEditorAPI. Credentials stored this way are never written to disk in plaintext and are available to all scripts in the toolkit without further configuration.

The script also supports a --verify flag that tests stored credentials against the live Title Editor API, and a --debug flag that outputs a password fingerprint (length and character class distribution) without ever revealing the plaintext password — useful for diagnosing authentication failures.

For non-interactive environments such as CI/CD pipelines, the password can alternatively be supplied via the TITLE_EDITOR_API_PW environment variable.

title_editor_menu.sh — Interactive Menu and Full CLI

The primary day-to-day script. It operates in two modes:

Interactive mode — a navigable terminal menu that lets administrators browse all software titles in their Title Editor instance, review full patch version histories, inspect kill-app and component definitions, add new patch versions, and export title records as JSON. Useful for exploration and one-off tasks without needing to remember flag syntax.

Non-interactive CLI mode — a complete command-line interface designed for scripting and automation. Key operations include:

  • Create a new software title — define a brand-new title by name, publisher, bundle ID, and initial version
  • Add a single patch version — the most common day-to-day task; adds a new version record to an existing title, inheriting all detection criteria from the most recent existing patch so only the version string needs to be supplied
  • Batch import — reads a pipe-delimited file and creates multiple patch version records in a single operation; versions already present in Title Editor are silently skipped, making batches safe to re-run
  • Dry-run mode — preview exactly what would be created or changed without writing anything to Title Editor; available on all write operations
  • Export title JSON — dumps a full title record (including all patch versions and definitions) to a local JSON file for backup or inspection
  • Resequence patches — re-sorts patch version records into correct semantic version order after out-of-order additions

build_title_editor_batch_from_github.sh — Batch Builder: GitHub Releases

Queries a GitHub repository’s releases or tags via the GitHub API and generates a pipe-delimited batch import file ready for use with title_editor_menu.sh --add-patch-batch. This is particularly useful when onboarding a new open-source application that has published its version history as GitHub releases — the script can pull years of release history in a single run and produce a batch file that populates the entire version timeline in Title Editor.

Supports filtering by release type, a --limit flag to cap how many releases are fetched, and optional filtering by version prefix. Authenticates with the GitHub API via a GH_TOKENenvironment variable, which raises the rate limit from 60 to 5,000 requests per hour — recommended for repositories with large release histories.

build_title_editor_batch_from_release_notes.sh — Batch Builder: Release Notes and Mac App Store

Covers two scenarios where version history is not available from GitHub:

Vendor release-notes pages — scrapes a vendor’s public release-notes web page and extracts version strings into a batch import file. Useful for applications that publish changelogs on their own websites rather than GitHub.

Mac App Store version history — queries the App Store API to retrieve the version history of a named MAS application and produces a batch import file. Automatically resolves the app’s bundle ID on confirmation. This is the mechanism used for repackaged MAS titles such as Xcode, Final Cut Pro, Logic Pro, and GarageBand — allowing their full App Store version histories to be imported into Title Editor in a single operation.

Requirements

The toolkit runs on macOS 12 Monterey or later and requires only tools that are either included with macOS by default (bash, curl, python3) or widely available (jq, optional but recommended for more robust JSON parsing). An active Jamf Pro instance with Title Editor provisioned as an external patch source is required, along with a Title Editor account that has permission to create and manage software titles.

Example: Adding a New Version to an Existing Title

The most common daily workflow — a new version of a tracked application has been released and needs a record in Title Editor so that Jamf Pro Patch Management can start targeting it:

# Source the API library (authenticates using Keychain credentials)
source ~/title_editor/title_editor_api_ctrl.sh

# Add the new version record
bash ~/title_editor/title_editor_menu.sh \
  --add-patch \
  --title-name "Palo Alto GlobalProtect" \
  --version "6.3.0" \
  --yes

Jamf Pro Patch Management picks up the new version on its next patch feed refresh (approximately 30 minutes). The installer package is then attached to the version record in Jamf Pro to activate the Patch Policy.

Example: Onboarding a New Title from GitHub

Setting up a brand-new title for an open-source application — for example, draw.io — including its full release history:

# Build a version history batch file from GitHub releases
bash ~/title_editor/build_title_editor_batch_from_github.sh \
  --repo jgraph/drawio-desktop \
  --title-name "draw.io" \
  --limit 10 \
  --output ~/title_editor/batches/drawio.txt

# Authenticate, create the title, then import version history
source ~/title_editor/title_editor_api_ctrl.sh

bash ~/title_editor/title_editor_menu.sh \
  --create-title \
  --title-name "draw.io" \
  --publisher "JGraph Ltd" \
  --bundle-id "com.jgraph.drawio.desktop" \
  --version "24.5.3" \
  --yes

bash ~/title_editor/title_editor_menu.sh \
  --add-patch-batch \
  --file ~/title_editor/batches/drawio.txt

Get the Scripts

All five scripts are available in the Marriott Library Apple Infrastructure GitHub repository under the University of Utah open-source license:

github.com/univ-of-utah-marriott-library-apple/Title-Editor—API-Automation-Associated-Scripts

The repository includes a full README with installation instructions, a complete script reference, Quick Start walkthroughs for each application category (Installomator-managed apps, restricted/campus-only software, and repackaged Mac App Store titles), and worked examples for specific titles including Xcode, Final Cut Pro, Logic Pro, and GarageBand.

Questions, issues, and contributions are welcome via GitHub.

No Comments

Leave a Reply