Jamf API CLI tool: one solution for secure Jamf API access in policies and scripts

Howard Griffith, Senior Systems Manager at the University of Texas at Austin, explains his proof-of-concept tool for securely providing API bearer token keys to your managed devices.

October 8 2024 by

Hannah Bien


The Jamf API CLI tool

Griffith’s Jamf API CLI tool, called the apitokentool, is a “command-line utility that provides an API bearer token key and its expiration information without exposing the sensitive credentials” from the device it was called from.

How it works

Let’s examine how the tool works.

  1. When invoked, the tool sends the signing information of the tool and the serial number of the device to an initializing webhook.
  2. If the sent values are verified, the initializing webhook returns an address to the authorization webhook.
  3. The tool sends a client token key from the device to the authorization webhook.
  4. If the client token key is verified, the authorization webhook returns the appropriate API bearer token and its expiration information.

From here, the tool can use the bearer token information to make API calls to the Jamf server based on the permission level of the token key.
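To make the four steps concrete, here is an added Python sketch of the exchange with both webhook responders simulated in-process. It is not the apitokentool's own code: the field names, URL, key values, token format and TTL are assumptions; the point it shows is that the Jamf API credentials stay in the authorization responder and never reach the device.

```python
import hmac
import secrets
import time

# Constructed sample data standing in for one deployment's configuration.
# Field names and values are assumptions, not the apitokentool's real format.
TRUSTED_SIGNING = {"team_id": "EXAMPLETEAM", "identifier": "com.example.apitokentool"}
ENROLLED_SERIALS = {"C02EXAMPLE001"}
AUTHZ_URL = "https://authz.example.invalid/token"
# Client token keys (delivered to devices via config profile) -> API access level.
CLIENT_KEYS = {"ctk-readonly-0001": "read", "ctk-admin-0001": "write"}
# Jamf API credentials live only here, never on the managed device.
JAMF_API_ACCOUNTS = {"read": "api-readonly-user", "write": "api-admin-user"}
TOKEN_TTL = 1800  # seconds; assumed


def initializing_webhook(signing_info: dict, serial: str):
    """Security layer one: the caller must present recognized signing info
    and a known device serial before it learns the authorization address."""
    if signing_info != TRUSTED_SIGNING or serial not in ENROLLED_SERIALS:
        return None  # reject without revealing which check failed
    return {"authorization_webhook": AUTHZ_URL}


def authorization_webhook(client_token_key: str, now=None):
    """Security layer two: authenticate the client token key and return a bearer
    token whose access level is bound to that key."""
    level = None
    for key, lvl in CLIENT_KEYS.items():
        if hmac.compare_digest(key, client_token_key):  # constant-time compare
            level = lvl
    if level is None:
        return None
    # Stand-in for the bearer token the responder would obtain from the Jamf
    # server using JAMF_API_ACCOUNTS[level]; the token format is invented.
    issued = int(time.time() if now is None else now)
    return {"token": f"{level}.{secrets.token_hex(16)}",
            "access": level, "expires": issued + TOKEN_TTL}


def apitokentool(signing_info: dict, serial: str, client_token_key: str):
    """Client side of the exchange, as run on the managed device."""
    step1 = initializing_webhook(signing_info, serial)  # steps 1 and 2
    if step1 is None:
        return None
    # Step 3: the tool would POST client_token_key to step1["authorization_webhook"].
    assert step1["authorization_webhook"] == AUTHZ_URL
    return authorization_webhook(client_token_key)  # step 4
```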

Why you should use it

The apitokentool removes the need to embed obfuscated API credential information directly in a script and can securely provide different levels of API access.

Overview of the security model

Griffith explains the security features of his tool. To summarize:

  • Security layer one: The tool must be signed with an organizationally recognized signing certificate; the tool signature must indicate that it hasn’t been altered; and the tool must be run from a device.
  • Security layer two: The tool must present a valid client token key; the authorization webhook authenticates the client token key; and the authenticated client token key determines API access permissions.

Setting it up and building it

To set up and build the tool, you first need to decide what config profile identifier you’ll use for the token key, how many API levels of access are needed, which Apple developer signing certificate you want to use and the hosting location for your webhook responders.

From here, Griffith lists the procedure for the apitokentool and Jamf server.

Preliminary steps

apitokentool:

  1. Generate and document client token keys.
  2. Upload and configure apitokentool webhook responders.
  3. Document webhook responder URLs.

Jamf server:

  1. Create config profiles for each client token key.
  2. Set up appropriate API user accounts with proper permissions.
  3. Create necessary transition scripts and policies for existing scripts and policies that make Jamf API calls.

Intermediate steps

apitokentool:

  1. Set initial webhook responder URL and config profile identifier in the apitokentool binary source.
  2. Build, sign and package the binary.
  3. Set signing info, Jamf server URL, Jamf API read-only access credentials and authorization webhook URL in the initial webhook responder.
  4. Set the authenticated token key values, Jamf server URL and corresponding Jamf API credentials in the authorization webhook responder.
  5. Deploy apitokentool package to applicable test devices.
  6. Assign client token key config profiles to applicable test devices.
  7. Test all the new scripts and policies that use the apitokentool for Jamf API calls.

Final steps

apitokentool:

  1. Open Terminal on a test device and use the apitokentool binary.
  2. Verify functionality of presented API bearer token.

Jamf server:

  1. Roll out changes to scripts and policies that use the apitokentool for Jamf API calls.
  2. Deploy apitokentool package to all appropriate devices.
  3. Assign client token key config profiles to all appropriate devices.

Additional resources

Griffith’s apitokentool is available on GitHub!