There are so many inventive applications for these techniques, and they’re really good… except for the direct API call part. The script could use the API to record its findings to an extension attribute in Jamf so you can create an automated response based on values there. You could create a launch daemon that’s triggered by some event or it could run a script periodically to look for the existence of some condition. Or, maybe we want to set an extension attribute when some event you’re interested in happens.
JAMF PRO EXTENSION ATTRIBUTES PRO
You might be tempted to present the users with a form to ask for the information and then write it up to Jamf Pro extension attributes using the API. Or maybe you will ask your users some other questions and use the data to add them to some groups you’ll use to scope policies and profiles. Maybe you would like to ask students what grade and school they attend and write those to extension attributes. Suppose we want to set an extension attribute from a user device. How can you do it and still stay safe?Īpproach Number 1: On Macs, Let Recon Do It They are not for client-side scripts or apps.īut there are tons of use cases where you need something on a user device to interact with Jamf Pro’s API.
JAMF PRO EXTENSION ATTRIBUTES MAC
If you don’t agree, listen to the Jamf session at this year’s BlackHat and to the researchers’ follow-up visit to the Mac Admins podcast to hear them rail against this practice.ĭirect connections to the Jamf Pro API are intended for automation scripts and apps running on secure administrator devices or process automation servers.
Sooner or later one of your devices is going to be compromised and if there are any API credentials there, they’re sitting ducks.
Even if you limit the API user’s permissions or don’t think your users are hacker types, you’re taking a risk. You send them out over a network connection from a client - clients can look at their own network traffic and/or re-direct it anywhere they want.Ĭonsider this in the case of the apps or scripts you put on user devices and that interact with Jamf Pro APIs.You put them on a user’s device in any form that’s readable by any automation running there.Bottom line - you risk exposing credentials any time…
0 kommentar(er)
