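#!/bin/bash
# Set (by default: clear) the Recovery Lock password on a list of Macs through
# the Jamf Pro API. References:
#   https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.html
#   https://lzone.de/cheat-sheet/jq
#   https://stedolan.github.io/jq/download/
# jq install (the two commands need a separator between them):
#   chmod +x ~/Downloads/jq-osx-amd64 && cp ~/Downloads/jq-osx-amd64 /usr/local/bin

# --- server connection information ------------------------------------------
# Prefer supplying these through the environment (JAMF_URL, JAMF_USER,
# JAMF_PASS) so the API password is not stored in a script file that may be
# copied around, uploaded to Jamf or committed to git. The literal values are
# the fallback and keep the old "edit the script" workflow working.
# Use a dedicated API account with only the privileges this script needs
# (it reads the computer inventory and sends MDM commands), not an admin login.
URL="${JAMF_URL:-https://yourjamfserver:8443}"
username="${JAMF_USER:-}"
password="${JAMF_PASS:-}"

# Number of serials from the list below that were not found in the inventory
# (incremented in the main loop, reported at the end).
sourcecheck=0

# Serial numbers of the target machines, one per line, or modify the script to
# take them from Jamf policy parameters ($4, $5, ...).
serialNumberList=(
  LX954-placeholder
  H16X3-placeholder2
)
machinecount=${#serialNumberList[@]}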
# Timestamp for log file names / log lines: YYYY-MM-DD_HH-MM-SS, local time.
# (Logging itself is not implemented yet; see the "now=" line near the end.)
timestamp() {
  local fmt='%Y-%m-%d_%H-%M-%S'
  date "+$fmt"
}
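# --- settings for this run ---------------------------------------------------
# Recovery Lock password to set. The default "" CLEARS (disables) the lock on
# every listed machine; export RECOVERY_LOCK_PASSWORD to set a real one.
newPassword="${RECOVERY_LOCK_PASSWORD:-}"
# jq binary name; override with JQ=/path/to/jq if yours is installed differently.
JQ="${JQ:-jq-osx-amd64}"
# Page size for the computers endpoint; every page is fetched (see below).
pageSize=1000

# Fail fast: an unset variable, a failed command or a failed pipeline stage
# must not fall through to sending an MDM command built from bad data.
set -euo pipefail

# Print an error to stderr and exit non-zero.
die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

# Bearer token from /api/auth/tokens; emptied by cleanup() once invalidated.
token=""

#######################################
# Call the Jamf Pro API with the bearer token.
# The Authorization header is handed to curl through a config file on stdin
# instead of a command-line argument, so the token is not visible to other
# local users in `ps`. Redirects are deliberately not followed: curl re-sends
# a POST as a GET after a 301/302/303, and the header could end up at another host.
# Arguments: $1 - HTTP method, $2 - path incl. query string, $3 - optional JSON body
# Outputs:   response body on stdout
# Returns:   curl's exit status (--fail turns HTTP 4xx/5xx into a failure)
#######################################
jamf_api() {
  local method=$1 path=$2 body=${3:-}
  local -a args=(--silent --show-error --fail --request "$method" --config -)
  if [[ -n "$body" ]]; then
    args+=(--header "Content-Type: application/json" --data-raw "$body")
  fi
  printf 'header = "Authorization: Bearer %s"\n' "$token" \
    | /usr/bin/curl "${args[@]}" "$URL$path"
}

# Invalidate the token on every exit path (normal end, die, Ctrl-C) so a token
# that can still send MDM commands does not stay valid until it expires.
# Errors are ignored on purpose: this is best-effort cleanup.
cleanup() {
  if [[ -n "$token" ]]; then
    jamf_api POST "/api/auth/invalidateToken" >/dev/null 2>&1 || true
    token=""
  fi
}
trap cleanup EXIT

# --- pre-flight checks -------------------------------------------------------
command -v "$JQ" >/dev/null 2>&1 || die "jq not found as '$JQ' (install jq or export JQ=/path/to/jq)"
[[ -n "${username:-}" && -n "${password:-}" ]] || die "username and password must be set"
[[ "$URL" == https://* ]] || die "URL must start with https:// (credentials and token travel in request headers)"
(( ${#serialNumberList[@]} > 0 )) || die "serialNumberList is empty"

# --- authentication ----------------------------------------------------------
# Basic credentials: "user:password" as ISO-8859-1 (what Jamf expects), then
# base64. printf '%s:%s' keeps a '%' in the password from being read as a
# format directive. The header goes to curl via stdin, not argv (see jamf_api).
encodedCredentials=$( printf '%s:%s' "$username" "$password" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )
authToken=$( printf 'header = "Authorization: Basic %s"\n' "$encodedCredentials" \
  | /usr/bin/curl --silent --show-error --fail --request POST --config - "$URL/api/auth/tokens" ) \
  || die "token request failed (check URL, username/password and account privileges)"
unset encodedCredentials
# The response is {"token": "...", "expires": "..."}; parse it with jq instead
# of counting quote characters so a change in field order cannot break it.
token=$( "$JQ" -r '.token // empty' <<<"$authToken" ) || die "could not parse auth response"
[[ -n "$token" ]] || die "auth response contained no token"

# --- inventory ---------------------------------------------------------------
# /api/preview/computers is paged and its FIRST page is page=0. The original
# page=1 skipped the first 1000 computers, so sites with fewer machines than
# that never found anything. Every page is fetched and the results merged.
pages=()
page=0
total=0
while :; do
  pageJson=$( jamf_api GET "/api/preview/computers?page=$page&page-size=$pageSize" ) \
    || die "computer inventory request failed on page $page"
  total=$( "$JQ" '.totalCount' <<<"$pageJson" ) || die "unexpected inventory response (not JSON?)"
  pages+=("$pageJson")
  page=$((page + 1))
  (( page * pageSize < total )) || break
done

# One document in the shape of a single page: {"totalCount": N, "results": [...]}.
# Sample result object: { "id": "3645", "name": "mac-10", "serialNumber": "C02YLVDM",
#   "managementId": "...", "isManaged": true, ... }
# The merge goes through a pipe rather than an argument so a large inventory
# does not hit the argument-length limit.
allmgmtid=$( printf '%s\n' "${pages[@]}" \
  | "$JQ" -s '{ totalCount: .[0].totalCount, results: (map(.results) | add) }' )
printf '\nTotal found data %s\n' "$total"
(( total > 0 )) || die "inventory is empty - check the API account's read access to computers"

# --- send SET_RECOVERY_LOCK to each listed machine ---------------------------
failed=0
for machine in "${serialNumberList[@]}"; do
  # Exact (case-sensitive) match on the serialNumber field only. The old grep
  # over the whole document matched the serial in any field of any record and
  # broke when it matched more than once.
  mgmtid=$( "$JQ" -r --arg sn "$machine" \
    'first(.results[] | select(.serialNumber == $sn) | .managementId) // empty' <<<"$allmgmtid" )
  if [[ -z "$mgmtid" ]]; then
    printf '\n%s Not Found\n' "$machine"
    sourcecheck=$((sourcecheck + 1))
    continue
  fi
  printf '\n%s Found\n' "$machine"

  # Build the payload with jq so both values are JSON-escaped; an empty
  # newPassword clears the lock.
  pdata=$( "$JQ" --null-input --compact-output --arg mgmtid "$mgmtid" --arg pw "$newPassword" '{
    clientData: [ { managementId: $mgmtid, clientType: "COMPUTER" } ],
    commandData: { commandType: "SET_RECOVERY_LOCK", newPassword: $pw }
  }' )

  # Queue the MDM command. A failed POST used to print "password cleared"
  # anyway; now it is reported, counted and reflected in the exit status.
  # The command is only queued here; the Mac applies it when it next checks in.
  if response=$( jamf_api POST "/api/preview/mdm/commands" "$pdata" ); then
    printf '\nSET_RECOVERY_LOCK command sent for %s\n%s\n' "$machine" "$response"
  else
    printf '\nSET_RECOVERY_LOCK command FAILED for %s\n' "$machine" >&2
    failed=$((failed + 1))
  fi
done

printf '\n%s serialnumbers have not been found\n' "$sourcecheck"
(( failed == 0 )) || printf '%s MDM command(s) failed\n' "$failed" >&2
# shellcheck disable=SC2034  # kept for the not-yet-implemented log line below
now=$(timestamp)
#log here
# The token is invalidated by the EXIT trap. Exit non-zero if any serial was
# missing or any command failed so a Jamf policy or CI job shows the failure.
if (( sourcecheck == 0 && failed == 0 )); then
  exit 0
fi
exit 1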
@ExperimentalHeaven Hello, I am attempting to run this, but it does not find the serial number, and I've tried quite a few of them.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 859k 0 859k 0 0 749k 0 --:--:-- 0:00:01 --:--:-- 754k
Total found data 4481
serialnumberhere Not Found
1 serialnumbers have not been found
So it seems to find all my computers in my Jamf instance, but can't find the actual serial number. My list of one looks like:
# put serial number list here or modify script to use Jamf parameters
serialNumberList=(
12345678
)
Thanks!
@ExperimentalHeaven Hello, I am attempting to run this, but it does not find the serial number, and I've tried quite a few of them.
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 859k 0 859k 0 0 749k 0 --:--:-- 0:00:01 --:--:-- 754k Total found data 4481 serialnumberhere Not Found 1 serialnumbers have not been found
So it seems to find all my computers in my Jamf instance, but can't find the actual serial number. My list of one looks like:
# put serial number list here or modify script to use Jamf parameters serialNumberList=( 12345678 )
Thanks!
Sorry to hear that!
I tried the code right now again in our environment and it worked.
Just an idea: Does your API access have enough/the right access rights?
And:
Maybe look into the page size and which data get returned
`# get managemenId # page size is depending of number of machines read #https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.html
allmgmtid=$( /usr/bin/curl --location --request GET "$URL/api/preview/computers?page=1&page-size=1000" --header "Authorization: Bearer $token" )
echo $allmgmtid`
Hope that helps!
@ExperimentalHeaven - I commented on the Jamf thread where you linked this, but I ran into the same issue as @joshnovotny. The issue is the allmgmtid
command you have there starts with page=1
, so it starts with Computer # 1001. If you change it to page=0
, it'll start on the first page of results, which is where those of us with smaller environments fall into.
Bash script to set (or, by default, clear) the Recovery Lock password for Apple silicon (M1 and later) Macs through the Jamf Pro API.
Prerequisites:
jq for parsing the json
chmod +x ~/Downloads/jq-osx-amd64 && cp ~/Downloads/jq-osx-amd64 /usr/local/bin
or change PATH to your liking
URL of your Jamf Pro
Username and password from Jamf Pro (e.g. https://[company].jamfcloud.com) -> System Settings -> Jamf Pro User Accounts & Groups. Use a dedicated API account with only the privileges the script needs (it reads the computer inventory and sends MDM commands), and avoid leaving the password in the script file, where anyone who can read the file can read it.
Serialnumbers of target machines to set the recovery lock
Info for Usage:
Right now the password is set to "" - thereby clearing the Recovery Lock password on every listed machine, i.e. those Macs can be booted into recoveryOS without a password again. Double-check the serial number list before running.
Of course you can use the script to set a "not empty" password
The recovery key will be shown after a recon (!) under Jamf Pro > Computer > Inventory > Security > Recovery Lock Password
(Show Password)
Recovery Lock status will be shown as Not Enabled until the next inventory collection.