macnotes

Using alternative Username Formats in Jamf Pro with Okta and Azure AD

Using Jamf Pro, I wanted to to use Okta for authentication, Azure AD as a Directory Data provider, and I wanted the local accounts on the Macs to be the user’s short name or first.last format. You might use different SAML providers for login or a different directory service, but the principles are the same.

Safer Client API interactions in Jamf Pro? (Zapier Example)

In a past post we discussed some alternatives to making Jamf Pro API calls directly from clients because the API credentials might be misused by a malicious user or an attacker who gains access to a user’s device. Here we’ll take a look at implementing some middleware to make the API calls on the devices’ behalf to limit risk.

Jailbreak Detection in iOS

Organizations are subject to all kinds of auditable compliance standards and having a clear set of measurable benchmarks is an important basis on which to build an information security program. But we need to recognize that just complying with the “letter of the law” or with a pedantic mindset is missing the forest for the trees. Threat actors evolve rapidly so while the compliance “rules” under which we operate are a very useful framework and help us assume a security-first mindset, they should also be taken as a set of guiding principals but the specific requirements they enumerate are far from the end of the story.

Using an Outbound Proxy with Jamf Pro running on Jamf Cloud

Background

Some enterprise networks (and sometimes whole countries, but that’s a topic for another blog…) implement an outbound/client proxy through which all traffic exiting a network must flow. Usually an outbound proxy sits between an enterprise network and the internet, but they could be positioned between subnets, or even intercept every network connection the clients initiate, regardless of the destination.

A Jamf Pro API Helper in Bash

Most simple Jamf API scripts you see getting shared around are written in Bash. They don’t have to do anything super complicated, Bash is built into macOS, and it’s easier to learn than most other common scripting languages.

That was fine for a long time. A quick curl one-liner could get you all the data you needed. But Jamf is starting to make some changes to do a better job of security, handling way larger device fleets, and making new kinds of useful data available. So things are getting trickier. Auth is changing and the json offered up by the new API isn’t easy to deal with unless you install some other tools. So it’s probably time to switch to a new language if you’re up for it. The learning curve is a steep compared to basic Bash, but it pays off eventually.

But, if you’re not ready to go there, here are some complications/techniques you might come across…

Named function parameters
Variable scope in bash
Calling functions and assigning output to a variable
Returning multiple values from functions (albeit in global vars)
Options to log to file or stdout
Use of curl timeouts
How to handle session cookies
Returning http status for API calls
Getting API credentials from keychain
Handles Jamf Pro API auth for you, i.e., fetches auth tokens as needed
Refreshing auth tokens as they near expiration/Clearing them when done.
Error messages relevant to the Jamf Pro API
Demonstrate how to parse out data elements
Convert child object data (e.g. lists of computer names) to iterable arrays
Extract data from json

Jamf Pro API Script Security

DerFlounder posted Updated script for obtaining, checking and renewing Bearer Tokens for the Classic and Jamf Pro APIs recently. It features some ways to load the credentials needed to run the script. Rich’s examples tend to become the canonical way of doing a thing, and for good reason — they’re clear and he explains things in a way people can understand.

In the comments, NinjaFez asks:

“For someone only just staring to use the API to make site changes in JAMF for computers with a script deployed, it makes sense to start using barer tokens out of the gate for future. thanks for putting it all in once place. However trying to avoid static accounts and passwords in the script and/or on the mac, would it make sense to pre base64 the account and password and put them in the script parameters so its already there and not need to do the convert, pass it strait on to the token command?”

Device-Specific Parameters for Jamf Pro Script Policies

In Jamf Pro you can add a script under Settings and label the parameters. For a shell script these would be $1..$11. Then when adding the script to a policy, we could tell Jamf to send a value to use when running the script and it would show up in “$4”. ($1..$3 are automatically populated with some commonly used values — mount point, computer name, and username.) But what if we need to run the script with different parameter value for each computer?

Parse Jamf Pro API JSON data in Shell Scripts

Shell scripts are probably not a first choice for API programming, but if it’s what you know, it’s what you know. You can do some pretty cool stuff in bash and save yourself a ton of work. Plus bash is available on every Mac so shell scripts are super portable.

Shell programming is good at working on the kinds of data people used back when it was created… like lines in a file or delimiter-separated fields. Modern APIs use more structured data formats like XML and JSON that didn’t exist when shell was invented.

It’s all good. We have tricks up our sleeves, at least for the simple stuff.

ResetCellularPlan MDM action with the Jamf Pro API

Their are a lot of flavors to the different MDM command endpoints. There are lots of things you can do and lots of ways to access them. Many commands can be sent to a device or a list of devices with just a URL, some require that you send some additional data in an HTTP post body.

Stop putting Jamf Pro API Credentials on Clients

Bottom line — you risk exposing credentials any time…

You put them on a user’s device in any form that’s readable by any automation running there.
You send them out over a network connection from a client — clients can look at their own network traffic and/or re-direct it anywhere they want.

Jamf Pro API Script to put a new device into the same static groups as an old one

Use case… we are replacing a computer. We want to add the new computer to the same static groups to which the old computer was assigned.

Managing Brew with Jamf Pro

Background

Lot of these developers like to code on a Mac so plenty of Apple admins will have a group of developers to support. Homebrew (or “brew”) is a “package manager” that makes it a lot easier to install and update open-source command line tools on a Mac. It’s the second thing a developer will probably want to install, right after XCode.