By NHI Mgmt Group Editorial Team
Published 2025-06-26
Domain: Governance & Risk
Source: Zluri

TL;DR: Device control and access deprovisioning still fail when lifecycle steps stay split across tools, according to Zluri. Its Jamf integration centralises Mac enrollment, software management, and offboarding workflows; the recap also notes that 320 prospects visited its JNUC booth.


At a glance

What this is: This is a Zluri recap of its Jamf integration demo at JNUC, with the key finding that device management, software control, and user offboarding are still fragmented across separate systems.

Why it matters: It matters because IAM teams have to govern access as users move across devices, apps, and lifecycle states, and split workflows create gaps in offboarding, privilege removal, and software oversight.

By the numbers:



Context

Device access governance breaks down when enrollment, application access, and offboarding are managed in different systems. In this post, the primary identity question is not the event itself but how Mac device management and SaaS access provisioning stay aligned across the user lifecycle.

For IAM and IGA teams, the practical issue is lifecycle consistency. If a device is locked in one system but cloud access remains active in another, the offboarding state is incomplete and the identity surface stays exposed. The same coordination problem appears across human identity programmes and adjacent non-human access processes such as account provisioning and revocation.


Key questions

Q: How should teams align device enrollment with access provisioning?

A: Teams should define one lifecycle trigger that binds endpoint enrollment to account activation, then make each downstream app or SaaS entitlement depend on that state. If the device is managed but the user is not provisioned, or vice versa, the identity record is already inconsistent. The goal is one authoritative onboarding sequence, not separate endpoint and access projects.

Q: Why do offboarding workflows often leave access behind?

A: Offboarding fails when revocation stops at one control plane and never reaches the others. A device lock does not automatically remove SaaS privileges, and an IAM deprovisioning event does not always touch the endpoint. Teams need propagation checks that prove the revocation reached every system where the identity had standing access.

Q: How do organisations know whether software governance is working?

A: Software governance is working when assigned licenses, installed apps, and actual usage all reconcile against the same identity record. If usage data shows inactive apps still assigned to active users, or if app inventory cannot be tied to a person or device, the governance model is incomplete. Reconciliation is the signal, not the existence of a tool.

Q: What is the difference between endpoint management and access governance?

A: Endpoint management controls the device itself, including enrollment, software, and lock state. Access governance controls what the identity can reach across applications and systems. In practice, the two must be linked because a secured device with open SaaS access is still an exposure, and revoked access on a live endpoint can still leave the user able to work.


Technical breakdown

Zero-touch onboarding and device enrollment flow

Zero-touch onboarding combines device enrollment with downstream identity provisioning so that a new Mac can be brought under management without manual handoffs. In the Jamf and Zluri pattern described here, device registration triggers access workflow steps that connect endpoint state to application readiness. That matters because the identity state of the user is not complete until the endpoint, account, and software layers agree. When those layers are disconnected, teams get orphaned access states and inconsistent policy enforcement.

Practical implication: map enrollment triggers to identity lifecycle events so provisioning does not depend on manual follow-up.

Software deployment, silent agents, and effective license position

Silent software deployment is useful for standardising endpoint posture, but it also creates governance visibility into what is actually installed and used. Effective License Position, or ELP, is the difference between licenses assigned and licenses truly consumed. That becomes an identity and access issue when software entitlements are managed separately from user state, because dormant access and unused apps create governance noise and audit gaps. Endpoint management can therefore support both security and cost control when it is tied to lifecycle data.

Practical implication: connect software inventory and usage data to identity records before the next entitlement review.
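As an added example (not Zluri's or Jamf's code), the reconciliation described above in Python: every assigned seat is checked against the identity record, the install inventory and last-use data, so the Effective License Position is reported per app together with the findings that explain the surplus. All records are constructed sample data with assumed field names, not any vendor's export format.

```python
from datetime import date

# Constructed sample data (assumption: illustrative field names, not a vendor schema):
# assigned seats per app, installed apps per owner, last-use dates and account status.
TODAY = date(2025, 6, 26)
IAM_ACCOUNTS = {"alice": True, "bob": True, "carol": False}          # user -> enabled?
LICENSES = {"Slack": ["alice", "bob", "carol"], "Figma": ["alice", "bob"], "Sketch": ["bob"]}
INSTALLS = {"alice": {"Slack", "Figma"}, "bob": {"Slack"}, "carol": {"Slack"},
            "device-7f3a": {"Sketch"}}                                # install with no owner
LAST_USED = {("alice", "Slack"): date(2025, 6, 25), ("alice", "Figma"): date(2025, 3, 1),
             ("bob", "Slack"): date(2025, 6, 20), ("carol", "Slack"): date(2025, 5, 1)}


def license_position(app, inactive_days=30):
    """Effective License Position for one app: seats assigned vs seats truly consumed,
    with every seat checked against the identity record it should belong to."""
    assigned = LICENSES.get(app, [])
    consumed, findings = [], []
    for user in assigned:
        last = LAST_USED.get((user, app))
        if not IAM_ACCOUNTS.get(user, False):
            findings.append(f"{user}: seat assigned to a disabled account")
        elif app not in INSTALLS.get(user, set()):
            findings.append(f"{user}: seat assigned but app not installed")
        elif last is None or (TODAY - last).days > inactive_days:
            findings.append(f"{user}: installed but unused for over {inactive_days} days")
        else:
            consumed.append(user)
    # Inventory that cannot be tied to a person is a governance gap, not a consumed seat.
    for owner, apps in INSTALLS.items():
        if app in apps and owner not in IAM_ACCOUNTS:
            findings.append(f"{owner}: install not tied to a known identity")
    return {"app": app, "assigned": len(assigned), "consumed": len(consumed),
            "surplus": len(assigned) - len(consumed), "findings": findings}


def elp_report(inactive_days=30):
    """Run the reconciliation for every licensed app."""
    return {app: license_position(app, inactive_days) for app in LICENSES}
```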

Offboarding as a cross-system revocation workflow

Offboarding is only effective when it removes access everywhere the identity is recognised. In this pattern, device locking through Jamf and cloud-app deprovisioning through Zluri are presented as linked actions rather than separate tasks. That reflects a common failure mode in identity governance: one team revokes account access while another leaves the endpoint or application trail open. The control objective is not just disabling a user, but ensuring the revocation state propagates across devices, SaaS, and policy enforcement layers.

Practical implication: test offboarding as an end-to-end revocation sequence, not as isolated endpoint and app tasks.
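An added example, not code from the original post or from either vendor, that derives the single lifecycle state the post calls for (onboarded, active, locked, revoked) from constructed MDM, IAM and SaaS exports, and lists the propagation gaps where one control plane has revoked and another has not. Field names, the sample users, and the choice of the IAM account flag as the authoritative statement of intent are all assumptions.

```python
# Constructed sample exports standing in for an MDM device list, an IAM directory and
# a SaaS entitlement inventory; field names are assumptions, not any vendor's schema.
# The IAM account flag is treated as the authoritative statement of intent.
MDM_DEVICES = {
    "alice": {"enrolled": True, "locked": False},
    "bob":   {"enrolled": True, "locked": False},
    "carol": {"enrolled": True, "locked": True},   # locked at offboarding
    "dave":  {"enrolled": True, "locked": False},  # disabled in IAM, device missed
    "erin":  {"enrolled": True, "locked": True},
}                                                  # frank: never enrolled
IAM_ACCOUNTS = {"alice": True, "bob": True, "carol": False,  # user -> enabled?
                "dave": False, "erin": False, "frank": True}
SAAS_ENTITLEMENTS = {
    "alice": ["Slack", "GitHub"],
    "carol": ["Salesforce"],  # still active after the device lock
    "frank": ["Zoom"],
}


def reconcile(user):
    """Derive one lifecycle state for a user from the three control planes."""
    device = MDM_DEVICES.get(user)
    enabled = IAM_ACCOUNTS.get(user, False)
    apps = SAAS_ENTITLEMENTS.get(user, [])
    managed = bool(device and device["enrolled"] and not device["locked"])
    gaps = []
    if enabled:
        if not managed:
            gaps.append("account enabled but no enrolled, unlocked device")
        state = "inconsistent" if gaps else ("active" if apps else "onboarded")
    else:
        if managed:
            gaps.append("account disabled but device still unlocked")
        if apps:
            gaps.append("account disabled but SaaS access remains: " + ", ".join(apps))
        if not gaps:
            state = "revoked"
        elif device and device["locked"]:
            state = "locked"  # endpoint step done, revocation not yet propagated
        else:
            state = "inconsistent"
    return {"user": user, "state": state, "gaps": gaps}


def propagation_gaps():
    """Every identity known to any system whose transition is only partial."""
    users = set(MDM_DEVICES) | set(IAM_ACCOUNTS) | set(SAAS_ENTITLEMENTS)
    return {u: reconcile(u)["gaps"] for u in sorted(users) if reconcile(u)["gaps"]}
```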


NHI Mgmt Group analysis

Device management becomes an identity control only when it is tied to lifecycle state. The Jamf and Zluri pattern shows that endpoint administration is not just an IT operations function when user enrollment and cloud access are linked. Without that linkage, device policy and access policy drift apart. Practitioners should treat endpoint management as part of lifecycle governance, not a separate administrative layer.

Offboarding failures are usually propagation failures, not policy failures. This recap points to a familiar governance gap: one system can lock a device while another still leaves SaaS access active. That is a cross-system revocation problem, not a missing checkbox problem. The implication is that offboarding must be measured by how completely revocation propagates across the identity surface.

Access governance for Macs is now a lifecycle orchestration problem. The combination of enrollment, software visibility, and deprovisioning shows how identity control depends on sequencing across multiple tools. That aligns with NIST Cybersecurity Framework 2.0 thinking around identity governance and operational consistency. Practitioners should evaluate whether their current process produces a single authoritative lifecycle state or several partial ones.

Centralised endpoint and SaaS control reduces entitlement ambiguity, but only if the data model is unified. When software usage, device state, and user status live in disconnected systems, recertification becomes guesswork. A unified view is what turns endpoint activity into enforceable access governance. Teams should focus on whether their IGA and MDM systems can agree on who should have access right now.

From our research:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why fragmented lifecycle control is such a persistent governance issue.
  • For a broader control model, see NIST Cybersecurity Framework 2.0 and the identity governance functions that depend on consistent state across systems.

What this signals

Lifecycle consistency is becoming the real control boundary. When onboarding, licensing, and revocation are split across endpoint and SaaS workflows, practitioners lose a reliable identity state. That is why the problem is less about tool count and more about whether the programme can maintain one authoritative lifecycle record across devices and access systems.

The governance pattern here extends beyond Macs. Any environment that uses separate systems for device posture, app entitlement, and account lifecycle will struggle to prove that access was actually removed, not just requested. Teams should watch for partial state transitions, because they are where offboarding and audit failures usually begin.

As identity programmes mature, the question shifts from whether controls exist to whether they converge. A process can look complete on paper and still fail operationally if MDM, IAM, and SaaS records disagree about the same user. That is the point at which lifecycle governance becomes measurable and defensible.


For practitioners

  • Map enrollment to access provisioning: Define the exact trigger points where a new Mac device should create or activate SaaS access, and document which system is authoritative for each step.
  • Test offboarding as a full revocation chain: Verify that device locking, application deprovisioning, and account disablement all complete in the same workflow, with no manual handoff between teams.
  • Tie software usage to entitlement reviews: Use installed-app and usage data to confirm whether assigned software licenses still match active users, then remove stale entitlements before the next review cycle.
  • Create a single lifecycle state for endpoint and access data: Avoid treating MDM status and IAM status as separate records. Build a process that shows whether the user is onboarded, active, locked, or fully revoked across both systems.

Key takeaways

  • The central issue is lifecycle fragmentation: onboarding, software control, and offboarding only work when they move together.
  • The operational signal is reconciliation, not activity, because partial state changes create hidden access gaps.
  • Practitioners should treat endpoint management and access governance as one control chain and test revocation end to end.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Linked onboarding and offboarding reflect access management across systems. |
| NIST Zero Trust (SP 800-207) | | Zero trust depends on continuous identity state alignment across devices and apps. |
| NIST CSF 2.0 | PR.DS-5 | Software inventory and usage visibility support data and asset governance. |

Treat device posture and access state as continuously verified signals, not one-time setup data.


Key terms

  • Zero-touch onboarding: Zero-touch onboarding is a process that provisions a user, device, and required access with minimal manual intervention. In identity governance, it only works when enrollment, account creation, and policy assignment are tied to the same authoritative lifecycle state.
  • Effective License Position: Effective License Position is the comparison between what software licences are assigned and what is actually being used. It helps security and IT teams identify waste, but it also exposes entitlement drift when access remains active after the user no longer needs the software.
  • Offboarding: Offboarding is the controlled removal of a user’s access, devices, and entitlements when they no longer need them. It is only complete when revocation reaches every system that recognises the identity, including endpoint management, SaaS applications, and identity providers.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.

This post draws on content published by Zluri: Zluri Features Zluri + Jamf - Rewinding to the Jamf Nation User Conference (JNUC). Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-06-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org