Skip to main content

hey folks!

I Need some help with my Script to trigger API Computer Command "Remote Device Lock"

Purpose: I want a script which requests user input with "Computer Name" , get the Computer Jamf ID (this works!), and afterwords send the Remote Command "Lock Device" with this ID -> at this point I get a Error:

Script result: <html>
<head>
<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>

Here are more Informations: I user the API Client&Roles Setting in Jamf, created a API Client with some Priviliges:
"Read Computer Inventory Collection, Update Computers, Read Computers, Create Computers, Send Computer Remote Lock Command"

This is my Script:

 

Script: *************************************************************** #!/bin/zsh read -r -d '' applescriptCode <<'EOF' set dialogText to text returned of (display dialog "Bitte trage die MacBook-Namen ein." default answer "no input") return dialogText EOF computerName=$(osascript -e "$applescriptCode"); # API login bearerToken="" url=https://XXXXXXXX.XXXX:8443 client_id="API Client ID client_secret="API Client Secret" # Create Token token=$(curl --location --request POST "$url/api/oauth/token" \\ --header "Content-Type: application/x-www-form-urlencoded" \\ --data-urlencode "client_id=$client_id" \\ --data-urlencode "grant_type=client_credentials" \\ --data-urlencode "client_name=Test" \\ --data-urlencode "client_secret=$client_secret") # Catch Token bearerToken=$(echo "$token" | plutil -extract access_token raw -) # determine Jamf Pro device id deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${bearerToken}" ${url}/JSSResource/computers/name/"$computerName" | xmllint --xpath '/computer/general/id/text()' -) #echo "$deviceID" # Execute Device Lock Command curl -s -H "Accept: application/xml" -H "Authorization: Bearer ${bearerToken}" ${url}/JSSResource/computercommands/command/DeviceLock/passcode/615243/id/"$deviceID" -X POST

 

maybe a typo but this is not closed 

client_id="API Client ID

I never tried this specific command via API before, but when checking the API Description for this command it says, that only "ScheduleOSUpdate" is a supported command currently and it's basically also deprecated since 2022. So I guess "DeviceLock" might just not be a supported command anymore.

maybe a typo but this is not closed 

client_id="API Client ID


This is just a Placeholder for the real Name of the API Client :D 

in the real script there is an other ID and secret..

I guess it is something like Access Rights could be the Error, but I cant think of something I forgot..

I never tried this specific command via API before, but when checking the API Description for this command it says, that only "ScheduleOSUpdate" is a supported command currently and it's basically also deprecated since 2022. So I guess "DeviceLock" might just not be a supported command anymore.


Hey, thanks for reply..
on our API Site I used this:

 This is the one extra for Device Lock.

If you're doing this from a management workstation, like your own, and sending the commands to devices that are enrolled in your Jamf Pro, take a look at Jamf Actions. Jamf Actions are shortcuts for the Shortcuts app that allow you to send MDM commands easily from your workstation.

There are other Jamf created items on that Jamf Concepts GitHub repo.

Did you ever get this one figured out? We have a workflow for device decommissioning in our Helpdesk that relies on this API to do device locking for Macs, and it seems to have broken on me when trying to reconfigure the script for using modern API now that authenticating with credentials got deprecated in the past few months.

Did you ever get this one figured out? We have a workflow for device decommissioning in our Helpdesk that relies on this API to do device locking for Macs, and it seems to have broken on me when trying to reconfigure the script for using modern API now that authenticating with credentials got deprecated in the past few months.


Hey, sorry for the late answer! Gotta resolved it that way:

 

#!/bin/zsh # API login bearerToken="" url=https://XXXX.XX.XX:8443 client_id="XXXX" client_secret="XXX" # Create Token token=$(curl --location --request POST "$url/api/oauth/token" \\ --header "Content-Type: application/x-www-form-urlencoded" \\ --data-urlencode "client_id=$client_id" \\ --data-urlencode "grant_type=client_credentials" \\ --data-urlencode "client_name=lock_Device" \\ --data-urlencode "client_secret=$client_secret") # Catch Token bearerToken=$(echo "$token" | plutil -extract access_token raw -) # determine Jamf Pro device id deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${bearerToken}" ${url}/JSSResource/computers/name/"$computerName" | xmllint --xpath '/computer/general/id/text()' -) # test for 1st command echo "$deviceID" # Execute Device Lock Command curl -s -H "Authorization: Bearer ${bearerToken}" "$url/JSSResource/computercommands/command/DeviceLock/passcode/615243/id/$deviceID" -H "Content-Type: application/xml" -X POST

 


I got Problems with the Bearer Token... cant get a valid access_token.. so I tested with multiple full Admins and got to see it were a API Client Problem :) 

The $computerName will go through our Ansible Prompt.

Terms & ConditionsCookie settingsAccessibility statement