
Secure Scripts

Scripts deployed with Jamf Pro should contain only publicly disclosable information. It is recommended that you remove all key material or confidential information from your scripts, especially credentials for authentication of any kind.

If key material or confidential information is required to run a script, pass that information as a parameter using a policy or Casper Remote. Using parameters to pass sensitive information ensures that the values stored in them are only available at runtime and not stored anywhere they can be accessed.

For more information on using parameters with scripts, see Script Parameters.
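As an added example (not part of the original post or of Jamf's documentation), this policy script takes its credential from custom parameters 4 and 5 instead of the script body, and feeds it to curl on stdin so it never shows up in the process list. It assumes Jamf Pro's convention that `$1`-`$3` are reserved and custom parameters start at `$4`; the endpoint URL and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not Jamf's code. Jamf Pro fills $1-$3 itself (mount point,
# computer name, username); $4-$11 are the custom parameters set in the policy.

# Fail when a required parameter is empty. Logs the label, never the value.
require_param() {
    if [ -z "$2" ]; then
        echo "ERROR: parameter '$1' was not supplied by the policy" >&2
        return 1
    fi
}

# Escape backslashes and double quotes for a quoted curl config value.
cfg_escape() {
    printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Emit a curl config (read by `curl --config -`) so the credential travels on
# stdin and never appears in curl's argument list.
curl_config() {
    printf 'user = "%s:%s"\n' "$(cfg_escape "$1")" "$(cfg_escape "$2")"
    printf 'url = "%s"\n' "$3"
}

main() {
    api_user=$4
    api_pass=$5
    # Hypothetical endpoint; replace with the service the script talks to.
    api_url="https://jss.example.com:8443/placeholder"

    require_param "4 (API user)" "$api_user" || return 1
    require_param "5 (API password)" "$api_pass" || return 1

    echo "Calling API as $api_user"            # the password is never echoed
    curl_config "$api_user" "$api_pass" "$api_url" |
        curl --silent --fail --config - >/dev/null
    status=$?
    unset api_pass
    return "$status"
}

# Jamf always passes at least $1-$3, so a bare run without arguments is a no-op.
if [ "$#" -gt 0 ]; then
    main "$@"
    exit $?
fi
```

Leave shell tracing (`set -x`) off in scripts like this, since tracing prints every expanded parameter value to the policy log.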

SOLVED Posted: by krispayne

Helpful reminder to sanitize your scripts even if you "never" store sensitive information in them.

SOLVED Posted: by krispayne

Also, before I make the feature request, is there a way to pass parameters to scripts during imaging? I've looked in Admin, the Web GUI for configurations, etc., and am not seeing it.

SOLVED Posted: by mscottblake

As @krispayne mentioned, this is only useful information if your scripts are never used in an imaging configuration since you cannot send parameters.

SOLVED Posted: by dave.rotch

@krispayne if you click on "show custom," and go to the script you are deploying in Casper Imaging you can utilize variables during imaging. Fairly manual.

Let me know if you have any other questions.

SOLVED Posted: by krispayne

https://www.jamf.com/jamf-nation/feature-requests/5849

Feature Request made.

SOLVED Posted: by dan-snelson

The following may prove helpful: Encrypted Script Parameters

SOLVED Posted: by krispayne

@dave.rotch

This isn't tenable for imaging large amounts of machines at once. Setting up all parameter values for each machine is a large waste of time when multiplied by deployment.

@dan.snelson

Is the idea of that to run this after imaging is done or during first boot when imaging is installing software? I'm not sure this solves the problem as I'm looking at it but is interesting, nonetheless.

SOLVED Posted: by dan-snelson

@krispayne We use PreStage Imaging to specify a Script Parameter once in the JSS, which is then auto-populated when booting from a Casper Imaging NBI from a defined Network Segment.

We run ours during first boot when imaging is installing software.

SOLVED Posted: by dave.rotch

@krispayne You can always add scripts and pass parameter values in PreStage Imaging as @dan.snelson mentioned. This works great for new or "unknown" devices. You can also set scripts with variables provided as part of autorun data. This can be done on any one of, and up to all of your enrolled computers.

http://docs.jamf.com/9.97/casper-suite/administrator-guide/Autorun_Imaging.html

SOLVED Posted: by EdLuo

Is it safe to have confidential information in a Policy under Files and Processes, Execute Command?
