Jamf API- Set Recovery Lock
#!/bin/bash
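# POC script for the Jamf Pro API: sets a random Recovery Lock passcode on
# the Mac it runs on.
#
# Credentials: Base64 of "username:password" for a Jamf Pro API account,
# supplied as Jamf policy parameter 4. Generate the value with:
#   printf "username:password" | iconv -t ISO-8859-1 | base64 -i -
# Base64 is an encoding, not encryption: treat the value like the password.
# Prefer the policy parameter over pasting the value into this file, and give
# the account only the privileges the calls in this script need.
# NOTE(review): the value also appears in this script's and curl's process
# arguments while they run, so local users may be able to see it with ps.
apib64="$4"
if [[ -z "$apib64" ]]; then
  echo "No API credentials supplied in parameter 4." >&2
  exit 1
fi

# Current JSS address, read from the local Jamf preferences. The URL is used
# as a prefix below, so it is expected to end with a slash.
jssurl=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )

# Exchange the Basic credentials for a temporary bearer token (JSON response).
echo "Connecting to Jamf and getting authorization token."
jsonresponse=$( /usr/bin/curl -s "${jssurl}api/v1/auth/token" -H "authorization: Basic ${apib64}" -X POST )

# Hand the response to JXA as an argument instead of splicing it into the
# script text: a backtick or ${...} in the response would otherwise be
# evaluated as JavaScript by osascript.
token=$( /usr/bin/osascript -l 'JavaScript' -e 'function run(argv) { return JSON.parse(argv[0]).token; }' "$jsonresponse" )

# Stop here when authentication failed; every later call needs the token.
if [[ -z "$token" ]]; then
  echo "Failed to obtain a bearer token from Jamf." >&2
  exit 1
fi
echo "Received bearer token from Jamf."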
#
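# Hardware UUID of the Mac this script is running on.
echo "Requesting Mac's Jamf Computer ID."
udid=$( /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }' )

# The bearer token obtained earlier in the script is reused here. Requesting a
# second token at this point would leave the first one valid until it expires,
# because only the token held in $token is invalidated at the end.

# Use the token to find the Jamf computer ID of the current Mac.
computerrecord=$( /usr/bin/curl -s "${jssurl}api/v1/computers-inventory?section=USER_AND_LOCATION&filter=udid%3D%3D%22${udid}%22" -H "authorization: Bearer ${token}" )

# The response is passed to JXA as an argument rather than interpolated into
# the script text, so its content cannot be executed as JavaScript.
id=$( /usr/bin/osascript -l 'JavaScript' -e 'function run(argv) { return JSON.parse(argv[0]).results[0].id; }' "$computerrecord" )

# The ID is used as a number further down; reject anything else (including an
# empty value from a failed lookup) before it reaches later requests.
if [[ ! "$id" =~ ^[0-9]+$ ]]; then
  echo "Could not determine the Jamf Computer ID for UDID ${udid}." >&2
  exit 1
fi
echo "Jamf Computer ID: $id"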
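## Resolve the Jamf computer ID to the management ID the MDM command needs.
echo "Finding Management ID for Jamf Computer $id..."
# NOTE(review): only one page of up to 2000 records is requested; a Mac that
# is not on that page will not be found.
inventoryrecords=$(/usr/bin/curl -s "${jssurl}api/preview/computers?page-size=2000" -H "Accept: application/json" -H "Authorization: Bearer ${token}")

# Select the matching record and read managementId inside JXA. Both the
# response and the ID are passed as arguments, so neither is evaluated as
# JavaScript, and the value is no longer scraped from osascript's printed
# object with tr/grep/sed.
managementID=$( /usr/bin/osascript -l 'JavaScript' -e 'function run(argv) { const match = JSON.parse(argv[0]).results.find(m => m.id == argv[1]); return match ? match.managementId : ""; }' "$inventoryrecords" "$id" )

# Without a management ID the command below would target nothing; fail loudly.
if [[ -z "$managementID" ]]; then
  echo "No Management ID found for Jamf Computer $id." >&2
  exit 1
fi
echo "Jamf Management ID: $managementID"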
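echo "Generating 6-digit Recovery Lock Passcode..."
# Draw six decimal digits from the kernel CSPRNG. Bash's $RANDOM is a small
# non-cryptographic generator, so a passcode built from it is predictable.
# Assigning (rather than appending) also ignores any randPass value inherited
# from the environment. LC_ALL=C lets tr handle raw bytes.
randPass=$( LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c 6 )
if [[ ! "$randPass" =~ ^[0-9]{6}$ ]]; then
  echo "Could not generate a Recovery Lock passcode." >&2
  exit 1
fi
# NOTE(review): this writes the passcode to the script's output, which ends up
# wherever that output is logged. Drop the value from this line if it can be
# retrieved from Jamf Pro instead. Six digits is also a small keyspace;
# confirm it meets your policy.
echo "Setting Recovery Lock passcode to: $randPass"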
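# Build the SET_RECOVERY_LOCK command body. The body must be plain JSON: no
# surrounding single quotes (inside a here-document they are sent literally)
# and no trailing comma after the last member.
JSONDATA=$(cat <<EOF
{
  "clientData": [
    {
      "managementId": "${managementID}",
      "clientType": "COMPUTER"
    }
  ],
  "commandData": {
    "commandType": "SET_RECOVERY_LOCK",
    "newPassword": "${randPass}"
  }
}
EOF
)

# Send the command. The body goes in on stdin so the passcode does not appear
# in curl's process arguments; --fail turns an HTTP error into a non-zero exit
# status that is kept for the script's own exit code.
mdm_status=0
printf '%s' "$JSONDATA" | /usr/bin/curl --silent --show-error --fail --location --request POST "${jssurl}api/preview/mdm/commands" \
  --header "Authorization: Bearer ${token}" --header 'Content-Type: application/json' \
  --data-binary @- || mdm_status=$?
if (( mdm_status != 0 )); then
  echo "Jamf did not accept the Recovery Lock command (curl exit ${mdm_status})." >&2
fi

# Invalidate the token whether or not the command succeeded. TLS verification
# stays on (no -k): the request carries a live bearer token.
echo "Jamf API task complete, invalidating token."
if /usr/bin/curl -s --fail "${jssurl}api/v1/auth/invalidate-token" -H "accept: application/json" -H "authorization: Bearer ${token}" -X POST; then
  echo "Token invalidated, exiting script."
else
  echo "Token invalidation request failed; the token remains valid until it expires." >&2
fi

# Report the MDM command result so a failed run is not shown as a success.
exit "$mdm_status"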