@ExperimentalHeaven
Last active December 15, 2023 21:20
Clear Recovery Lock in macOS Using the Jamf Pro API with shell
#!/bin/bash
# https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.html
# https://lzone.de/cheat-sheet/jq
# https://stedolan.github.io/jq/download/
# chmod +x ~/Downloads/*jq-osx-amd64* && cp ~/Downloads/jq-osx-amd64 /usr/local/bin
# server connection information
URL="https://yourjamfserver:8443"
username=""
password=""
# counter of serial numbers that were not found in the inventory data
sourcecheck=0
# put serial number list here or modify the script to use Jamf parameters
serialNumberList=(
LX954-placeholder
H16X3-placeholder2
)
machinecount=${#serialNumberList[@]}
# timestamp for logging - not implemented
timestamp() {
    date +"%Y-%m-%d_%H-%M-%S" # current time
}
#now=$(timestamp)
# create base64-encoded credentials (printf '%s' so a '%' in the password is not interpreted as a format)
encodedCredentials=$( printf '%s:%s' "$username" "$password" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )
# generate an auth token
authToken=$( /usr/bin/curl "$URL/api/auth/tokens" \
    --silent \
    --request POST \
    --header "Authorization: Basic $encodedCredentials" )
# parse authToken for the token, omit expiration
token=$( echo "$authToken" | jq-osx-amd64 -r '.token' )
# get managementId; page-size must cover the number of machines in the instance
# https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.html
# Jamf Pro API pages are 0-indexed: page=0 is the first page of results
# (page=1 skips the first 1000 computers, so small environments found nothing)
allmgmtid=$( /usr/bin/curl --silent --location --request GET "$URL/api/preview/computers?page=0&page-size=1000" --header "Authorization: Bearer $token" )
#echo "$allmgmtid"
##### Data SAMPLE
###{ "totalCount" : 1422, "results" : [ { "id" : "3645", "location" : { "username" : "username", "realName" : null, "emailAddress" : null, "position" : null, "phoneNumber" : null, "department" : null, "building" : null, "room" : null }, "site" : null, "name" : "mac-10", "udid" : "9921E353-A3F1", "serialNumber" : "C02YLVDM", "operatingSystemVersion" : "12.4.0", "operatingSystemBuild" : "21F79", "macAddress" : "38:58:3B", "assetTag" : null, "modelIdentifier" : "MacBookPro15,2", "mdmAccessRights" : 0, "lastContactDate" : "2022-08-22T14:15:23.933Z", "lastReportDate" : "2022-08-21T16:11:24.242Z", "lastEnrolledDate" : "2021-09-30T08:44:50.925Z", "ipAddress" : null, "managementId" : "id", "isManaged" : true },
#parsing examples#
total=$( echo "$allmgmtid" | jq-osx-amd64 '.totalCount' )
echo
echo "Total found data $total"
# check if each machine is found in the inventory data by looking up its managementId by serial number
for machine in "${serialNumberList[@]}"; do
    mgmtid=$( echo "$allmgmtid" | jq-osx-amd64 -r --arg machine "$machine" '.results[] | select(.serialNumber == $machine) | .managementId' )
    if [ -n "$mgmtid" ]; then
        echo
        echo "$machine Found"
        #echo managementId $mgmtid
        ###################################
        # build payload for setting an empty password
        # define JSON data (no trailing comma after newPassword, jq rejects it)
        pdata=$( jq-osx-amd64 --null-input --arg mgmtid "$mgmtid" \
        '{
            "clientData": [
                {
                    "managementId": $mgmtid,
                    "clientType": "COMPUTER"
                }
            ],
            "commandData": {
                "commandType": "SET_RECOVERY_LOCK",
                "newPassword": ""
            }
        }' )
        #echo "$pdata"
        # Post
        /usr/bin/curl --silent --location --request POST "$URL/api/preview/mdm/commands" \
            --header "Authorization: Bearer $token" \
            --header "Content-Type: application/json" \
            --data-raw "$pdata"
        echo
        echo "password cleared for $machine"
    else
        echo
        echo "$machine Not Found"
        sourcecheck=$((sourcecheck+1))
    fi
done
echo
echo "$sourcecheck of $machinecount serial numbers have not been found"
now=$(timestamp)
# log here
# expire the auth token
/usr/bin/curl "$URL/api/auth/invalidateToken" \
    --silent \
    --request POST \
    --header "Authorization: Bearer $token"
exit 0
@ExperimentalHeaven (Author) commented Aug 30, 2022

Bash script to set Recovery Lock key for Apple M1 computers.

Prerequisites:

jq for parsing the JSON

URL of your Jamf Pro
Username and password from Jamf Pro (e.g. https://[company].jamfcloud.com) -> System Settings -> Jamf Pro User Accounts & Groups

Serial numbers of the target machines to set the recovery lock on

Info for Usage:

  • Right now the password is set to "" - thereby clearing the password
    Of course you can use the script to set a "not empty" password

  • The recovery key will be shown after a recon (!) under Jamf Pro > Computer > Inventory > Security > Recovery Lock Password
    (Show Password)
    Recovery Lock status will be shown as Not Enabled until the next inventory collection.

@joshnovotny commented

@ExperimentalHeaven Hello, I am attempting to run this, but it does not find the serial number, and I've tried quite a few of them.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  859k    0  859k    0     0   749k      0 --:--:--  0:00:01 --:--:--  754k


Total found data 4481


serialnumberhere Not Found


1 serialnumbers have not been found

So it seems to find all my computers in my Jamf instance, but can't find the actual serial number. My list of one looks like:

# put serial number list here or modify script to use Jamf parameters
serialNumberList=(
12345678
)

Thanks!

@ExperimentalHeaven (Author) commented Mar 31, 2023

Sorry to hear that!
I tried the code right now again in our environment and it worked.
Just an idea: Does your API access have enough/the right access rights?
And:
Maybe look into the page size and which data gets returned:

# get managemenId # page size is depending of number of machines read #https://docs.jamf.com/technical-articles/Recovery_Lock_Enablement_in_macOS_Using_the_Jamf_Pro_API.html
allmgmtid=$( /usr/bin/curl --location --request GET "$URL/api/preview/computers?page=1&page-size=1000" --header "Authorization: Bearer $token" )

echo $allmgmtid

Hope that helps!

@rhs615 commented Jun 19, 2023

@ExperimentalHeaven - I commented on the Jamf thread where you linked this, but I ran into the same issue as @joshnovotny. The issue is the allmgmtid command you have there starts with page=1, so it starts with Computer # 1001. If you change it to page=0, it'll start on the first page of results, which is where those of us with smaller environments fall into.
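The 0-indexed paging that rhs615 describes, plus the serial-to-managementId lookup and SET_RECOVERY_LOCK payload from the gist, as an added Python example that is not part of the gist. The Jamf Pro HTTP call is replaced by a constructed in-memory inventory (fetch_page) so it runs offline; the function and variable names are this example's own.

```python
# Added example (not the gist's code): walks the 0-indexed
# /api/preview/computers pages, maps serial numbers to managementIds and
# builds the SET_RECOVERY_LOCK command body. fetch_page() stands in for the
# real GET so the example runs offline against a constructed inventory.
import json

PAGE_SIZE = 2  # small so the constructed inventory spans several pages

# Constructed sample inventory; real responses carry many more fields.
INVENTORY = [
    {"serialNumber": "C02AAAA1", "managementId": "m-1001"},
    {"serialNumber": "C02BBBB2", "managementId": "m-1002"},
    {"serialNumber": "C02CCCC3", "managementId": "m-1003"},
    {"serialNumber": "C02DDDD4", "managementId": "m-1004"},
    {"serialNumber": "C02EEEE5", "managementId": "m-1005"},
]


def fetch_page(page, page_size=PAGE_SIZE):
    """Stand-in for GET /api/preview/computers?page=N&page-size=M (page is 0-based)."""
    start = page * page_size
    return {"totalCount": len(INVENTORY), "results": INVENTORY[start:start + page_size]}


def serial_to_management_id(first_page=0, page_size=PAGE_SIZE):
    """Collect every computer by paging until totalCount is reached.

    first_page=0 is correct; first_page=1 reproduces the gist's original bug
    (the first page of computers is never read)."""
    mapping, page, seen = {}, first_page, first_page * page_size
    while True:
        body = fetch_page(page, page_size)
        for computer in body["results"]:
            mapping[computer["serialNumber"]] = computer["managementId"]
        seen += len(body["results"])
        if not body["results"] or seen >= body["totalCount"]:
            return mapping
        page += 1


def find_missing(serials, first_page=0):
    """Serials absent from the paged inventory (the gist's 'Not Found' count)."""
    known = serial_to_management_id(first_page)
    return [s for s in serials if s not in known]


def recovery_lock_payload(management_id, new_password=""):
    """Body for POST /api/preview/mdm/commands; an empty newPassword clears the lock."""
    return json.dumps({
        "clientData": [{"managementId": management_id, "clientType": "COMPUTER"}],
        "commandData": {"commandType": "SET_RECOVERY_LOCK", "newPassword": new_password},
    })
```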
