The Console Playbook Builder's Guide
If you work in IT or Operations, you already know that resolving a simple request can mean hopping between Okta, Jamf, Google Workspace, Slack, and ticketing tools. Console helps turn those repeatable workflows into natural-language automations called playbooks.
Locked out of laptop, Okta MFA Reset, and Create Google Group.
How Console Playbooks Work
A Console playbook has three core parts:
- Trigger — The plain-language condition that tells Console when this playbook should run. Example: "A user requests that their Okta password be reset."
- Instructions — The step-by-step natural-language procedure the AI follows. These instructions can include decisions, clarifying questions, and action calls.
- Mentions and action chips — The editor lets you reference Console resources directly inside instructions:
- Type
#to insert an Action or another Playbook, such as#Okta:Reset Passwordor#Jamf:List Computers. - Type
@to reference workspace resources such as users, groups, apps, policies, articles, or channels.
- Type
When you insert an action with #, Console adds it as an action chip. Clicking that chip opens configuration options such as Confirm with user and Require approval.
# references actions and @ references resources. Click Got it! to dismiss it.Password Reset
Device Recovery
Google Group
Policy
Build by Chat
The Quick Win — Okta Password Reset
Goal: Learn the basic playbook editor, insert one action, configure it, and test the result.
Password resets are a good first playbook because the workflow is simple, common, and easy to test.
Step 1: Create the Playbook
- In the left sidebar, go to Train > Playbooks.
- Click New Playbook. (If this is your first time, you may see a new playbook introduction modal; dismiss it to see the blank editor.)
- Click the title field, which defaults to Untitled Playbook.
- Rename it to Reset Okta Password.
You should now see the playbook editor with these main areas: Trigger, Instructions, Test, Publish Changes, Configure permissions, and Access.
Step 2: Set the Trigger
- In Trigger Type, leave the value set to Request.
- In the Conditions field, enter:
A user requests that their Okta password be reset, or asks for help resetting/recovering their Okta login credentials.
This condition is how Console decides whether an incoming request should use this playbook.
Step 3: Write the Instructions
Click into the Instructions editor and add:
1. Determine the target user for the password reset:
- If the requester is resetting their own password, use the requester.
- If the request is on behalf of someone else, ask for that user's email address before proceeding.
2. Reset the user's Okta password using #Okta:Reset Password, leaving the reset email enabled so the user receives reset instructions.
3. Tell the user the password has been reset and that they should check their email for a link to set a new password.
To insert the Okta action:
- Place your cursor where you want the action.
- Type
#. - Type
Oktato filter the action menu. - Select Okta: Reset Password.
Console inserts the action as a chip: #Okta:Reset Password.
# in the Instructions editor opens the action menu, listing all available integrations and their actions.
#Okta filters the menu to show only Okta actions, including "Reset Password."Step 4: Configure the Action
- Click the
#Okta:Reset Passwordchip. - Review the Details tab. The action describes the available parameters, including the target user and whether to send the reset email.
- Open the Configure tab.
- Check Confirm with user if you want Console to ask the requester before executing the reset.
- Turn on Require approval only if this reset should require an approval workflow before execution.
For a beginner workflow, start with Confirm with user. It creates a useful safety pause without adding a full approval chain.
Step 5: Test the Playbook
- Click Test at the top of the editor.
- In the Test this Playbook panel, keep Use Mock APIs enabled.
- Confirm the Run as User value.
- Optional: add context in Describe a Scenario.
- In the message field, type:
I forgot my Okta password.
Console should select the Reset Okta Password playbook and invoke the Okta reset action. If you enabled Confirm with user, the test should include a confirmation step before the action executes.
Step 6: Publish
After the test behaves the way you expect, click Publish Changes.
If Console warns that an integration is not connected, connect that integration in Settings > Organization > Integrations before publishing or running the playbook in a real workspace.
Try It Yourself: Interactive Walkthrough
Now that you've read the steps, click through a live, interactive simulation of building the Okta Password Reset playbook. Click the highlighted areas to advance through each step — just like the real Console UI.
Conditional Logic — Device Recovery
Goal: Chain multiple actions together and use earlier results in later steps.
This playbook helps a user who is locked out of a Mac and needs FileVault recovery guidance.
Step 1: Create the Playbook
- Go to Playbooks.
- Click New Playbook.
- Name the playbook Locked out of laptop.
Step 2: Set the Trigger
Use this condition:
When a user reports that they are locked out of their Mac computer, forgot their Mac password, or cannot log into their laptop.
Step 3: Write the Instructions
In the Instructions editor, add:
1. Ask the user to confirm whether this is a Mac login password issue.
- If it is not a password issue, use #Console:Create Ticket.
2. Once the user confirms, use #Jamf:List Computers for the requester. If they have multiple computers, ask them to select which one they are having issues with.
3. Once they respond, use #Jamf:Get Computer FileVault Info for the selected computer.
4. Tell the user their FileVault key and provide specific, step-by-step instructions for using it at the Mac login screen.
Insert each action with the # menu:
#Console:Create Ticket#Jamf:List Computers#Jamf:Get Computer FileVault Info
Step 4: Configure Action Safety
Click each action chip and review its configuration.
For this playbook:
- Use Confirm with user on actions where you want an explicit pause.
- Use Require approval if your organization wants a human reviewer before revealing or retrieving sensitive recovery information.
#Jamf:Get Computer FileVault Info action chip opens its configuration popover with "Confirm with user" and "Require approval" options.Step 5: Test the Flow
- Click Test.
- Keep Use Mock APIs enabled.
- Type:
I forgot my Mac password and I'm locked out of my laptop.
Expected behavior:
- Console selects the locked out of laptop playbook.
- Console asks a clarifying question to confirm it is a Mac login password issue.
- After confirmation, Console invokes Jamf lookup actions.
- Console returns FileVault recovery guidance.
Structured Inputs — Create Google Group
Goal: Use a form to collect structured data, then chain several actions.
Creating a Google Group requires exact information: group name, owner, members, and sometimes manager or visibility details. A trigger form helps collect that information before actions run.
Step 1: Create the Playbook
- Go to Playbooks.
- Click New Playbook.
- Name it Create Google Group.
Step 2: Set the Trigger
Use this condition:
If the user asks to create a new Google group, email list, distribution list, etc.
Step 3: Add the Form and Actions
In the Instructions editor, add:
1. Use #Console:Trigger Form titled "New Google Group" with these fields:
- Group Name (input, required) -- the name of the group.
- Group Owner (user select, required) -- the user who will be set as the owner of the group.
- Reason for group (input, required).
- Group Members (user multi-select, optional) -- users to be added as members.
- Group Managers (user multi-select, optional).
- Is this going to be public or private? (select, required).
2. Use #Google:Create Group using the name typed in the form. IMPORTANT: make sure the group is created before adding anyone to it.
3. Use #Google:Add to Group to add the specified owner with the owner role.
4. Use #Google:Add to Group to add the specified members with the member role.
5. Provide the user with a concise summary of the steps taken and whether the group was successfully created.
Insert each action with the # menu:
#Console:Trigger Form#Google:Create Group#Google:Add to Group
Step 4: Configure Permissions
Click Configure permissions under the playbook title.
Console separates two important controls:
- Action Scope — This controls who the playbook's actions are allowed to operate on. Options include:
- Requester Only
- Direct Reports of Requester
- All Reports of Requester
- All Users
- Restrict Playbook — This controls who can invoke the playbook.
#Google:Add to Group action will fail with an error stating it cannot resolve the target user because the action is not scoped to all users. Change Action Scope to All Users for this playbook to succeed.
For a Google Group creation workflow, use Restrict Playbook to limit who can run the playbook, such as your IT team, help desk team, or authorized managers. Use Action Scope to limit what users or groups the actions can affect.
Step 5: Test
Use Test and provide a realistic request:
Please create a Google Group for the onboarding team.
In Describe a Scenario, you can add mock details such as:
Pretend the requested group name is onboarding-team and the owner is Jeff Geronimo.
Access Governance — Software Access Policy
Goal: Use Access Policies for governed app access with approvals, provisioning, and revocation.
Access Policies are different from standard playbooks. Use them when you need structured access requests, approval routing, access duration, automatic provisioning, and automatic revocation.
Example: granting temporary Anthropic admin access.
Step 1: Start a New Policy
- Navigate to Access Policies in the left sidebar.
- Click New Policy.
- In the New policy modal, choose the application first, such as Anthropic.
- Console opens the policy editor. Rename Untitled policy to Anthropic Admin Access.
Step 2: Configure Details
On the Details tab, configure:
- Policy Visibility — Choose who can see this request option, such as Engineering.
- MFA Verification — Decide whether the requester must complete MFA before making the request.
- Require justification — Leave this enabled if requesters should be required to explain why they need access.
- Access length — Choose how long users can have access. Options include: 1 hour, 1 day, 1 week, 1 month, 3 months, 6 months, 1 year, Indefinite, or User-specified dates.
Console uses access length to support time-bound access and revocation.
Step 3: Set Up Approvals
- Click the Approvals tab.
- Under Approval Step #1, choose the approver, such as App owner.
- Optional: click Add Approvals to add another approval step.
- Optional: enable Escalate if the request should escalate when it is not approved in time.
Step 4: Automate Granting Access
- Click the Grant access tab.
- Click Add Grant access, choose Add to Group, and select
anthropic_admins.
This tells Console how to provision the access after approval.
Step 5: Automate Revoking Access
- Click the Revoke access tab.
- Click Add Revoke access, choose Remove from Group, and select
anthropic_admins.
This tells Console how to remove access when the access period ends or the policy is revoked.
Step 6: Publish
Review every tab, then click Publish Policy.
Do not publish until:
- Visibility is correct.
- Approval routing is correct.
- Grant and revoke steps are configured.
- The target integration is connected and tested.
The AI Assistant — Build by Chat
Goal: Let Console draft a playbook from a natural-language prompt, then review and refine it.
Console includes an Assistant that can help build or improve playbooks. This is useful when you know the workflow outcome but are not sure which actions to use.
Step 1: Open Assistant
- Click Assistant in the left sidebar.
- In the chat box, enter a request.
Use a prompt that maps to actions available in your workspace. For example:
Build me a playbook that resets a user's Okta password.
Step 2: Watch the Assistant Work
The Assistant may:
- Search available actions.
- Check whether the relevant integration is connected.
- Draft a playbook with trigger conditions and instructions.
- Open the drafted playbook for review.
If the Assistant says an integration is not connected, go to Settings > Organization > Integrations and connect it before publishing or running the workflow.
Step 3: Review the Draft
When the Assistant opens the playbook, review:
- The playbook title.
- The trigger condition.
- The instruction steps.
- Every inserted action chip.
- Action configuration, including Confirm with user and Require approval.
- Action scope and playbook restrictions.
Step 4: Refine with the Editor Assistant
Inside a playbook editor, use the Assistant panel with the prompt:
Edit, debug, and improve this playbook...
You can ask for changes such as:
Add a step to create a ticket if the Jamf action fails.
or:
Ask the user to confirm the device name before running the action.
Always test the final playbook before publishing.
Best Practices and Troubleshooting
Test Thoroughly
Use Test before publishing. In the test panel:
- Keep Use Mock APIs enabled while learning.
- Use Run as User to simulate a realistic requester.
- Use Describe a Scenario to create edge cases, such as:
Pretend the user has two computers assigned in Jamf.
or:
Return an internal error when searching Slack.
Use Run Log for Published Playbooks
If a published playbook fails, open the playbook and use the Playbook actions menu near Publish Changes. Select Run Log to inspect where execution got stuck.
The same menu also includes options such as:
- Versions
- Unpublish Playbook
- Move to Workspace
- Duplicate Playbook
- Delete Playbook
Be Explicit in Instructions
Console can reason over natural language, but clear instructions produce better automations.
Use phrases like:
IMPORTANT: create the group before adding members.If the user has multiple devices, ask which one is affected.If the action fails, create a ticket and summarize the failure.
Configure Safety Controls Deliberately
- Confirm with user when the requester should approve an action before it runs.
- Require approval when a human reviewer should approve the action before it runs.
- Action Scope to limit who actions can operate on.
- Restrict Playbook to limit who can invoke the playbook.
Publish Only When Ready
Before publishing, confirm:
- The trigger is specific enough.
- The instructions are complete.
- All action chips are configured.
- Tests behave as expected.
- Integrations are connected.
- Permissions and scopes match your security model.