As stated in this Knowledge Base article on Jamf Nation, Jamf is committed to the EU General Data Protection Regulation (GDPR) and helping our customers comply with GDPR-related requests. While that Knowledge Base article mainly covers how to comply with the GDPR’s “right to erasure” requests, this blog will help you facilitate GDPR “right of access” requests.
Although all information is viewable within Jamf Pro, we want to provide an example that can be used to automate the collection of information. A script was created to obtain the personal information for the requesting user and export it to a file which can then be shared back with them to easily fulfill these “right of access” requests.
The script can be found on Jamf's GitHub repository at https://github.com/jamf/GDPRAutomationTool. There you will also find documentation on how to use it (also explained below).
The script is designed to get all relevant data from the API endpoints that contain a user's personal information. This is then exported to a JSON-formatted file that can be used to show all the personal information of a user stored in Jamf Pro.
As stated in the repository, to fully utilize this script and access the Classic API endpoints, you must use a Jamf Pro account with these read permissions:
- Jamf Pro User Accounts & Groups
- LDAP Servers
- Mobile Devices
Once you have an account with the correct permissions and Python 3 has been installed, you should download the gdpr.py script from GitHub.
Using the script
When running the script, it will ask for the Jamf Pro instance information and the account to be used to authenticate with the Classic API. You will then be prompted to enter a username to search for. If results are found, they will be saved to the JSON output file.
```
$ python3 gdpr.py
Jamf Pro URL:example-url.com
Jamf Pro Username:admin
Jamf Pro Password:********
Search Username:username
User found
LDAP account found on: ldap.server.com
2 mobile devices found
2 computers found
Saved: example-url.com_username.json
Search new user?: [y/n] n
```
Example output: example-url.com_example-user.json
The script will only output the fields that are found relating to the username being searched for. For example, if the user does not have any mobile devices linked to them, there will not be any mobile devices exported in the output file. This also applies to Active Directory and Apple School Manager information, which is only shown if it is configured and in use with Jamf Pro.
The script is publicly available on GitHub. You can use it as is or make your own version to satisfy your specific needs. For example, you could export the data to a format other than a single JSON file for each user, or supply the required account and instance details through command line arguments to search for a large set of users faster.
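If you build the command line variant suggested above, the sketch below shows one way to do it while keeping the password off the command line and the exported personal data readable only by its owner. It is an added example, not code from Jamf's gdpr.py: the `lookup` callable stands in for the script's Classic API queries, and the `JAMF_PASSWORD` variable name, function names and sample record are assumptions.

```python
import argparse, getpass, json, os, tempfile

def parse_args(argv):
    # Instance, API account and target users come from argv; the password never does,
    # because arguments are visible in process listings and shell history.
    p = argparse.ArgumentParser(description="Batch right-of-access export")
    p.add_argument("--url", required=True)
    p.add_argument("--api-user", required=True)
    p.add_argument("usernames", nargs="+")
    return p.parse_args(argv)

def get_password(env=os.environ, prompt=getpass.getpass):
    # JAMF_PASSWORD is an assumed variable name; fall back to a no-echo prompt.
    return env.get("JAMF_PASSWORD") or prompt("Jamf Pro Password:")

def safe_name(host, username):
    # Searched usernames come from the request; replace path separators and other
    # characters so a name cannot steer the file outside the output directory.
    cleaned = "".join(c if c.isalnum() or c in "._-@" else "_" for c in username)
    return f"{host}_{cleaned}.json"

def write_private(path, record):
    # O_EXCL refuses an existing file or symlink; 0o600 keeps the export owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh, indent=2)

def export_users(host, usernames, lookup, out_dir):
    # lookup(username) -> dict or None stands in for the script's Classic API queries.
    saved = []
    for name in usernames:
        record = lookup(name)
        if record:  # nothing found for this user, nothing saved
            path = os.path.join(out_dir, safe_name(host, name))
            write_private(path, record)
            saved.append(path)
    return saved

if __name__ == "__main__":
    # Constructed arguments and sample record; a real run would pass sys.argv[1:],
    # call get_password() and build lookup from the API queries.
    args = parse_args(["--url", "example-url.com", "--api-user", "admin", "username", "nobody"])
    constructed = {"username": {"user": {"name": "username"}}}
    with tempfile.TemporaryDirectory() as out_dir:
        print(export_users(args.url, args.usernames, constructed.get, out_dir))
```

Because the files are created with `O_EXCL`, a second export for the same user into the same directory fails instead of overwriting the earlier file.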