1st, Certificate Of Destruction™ is my new band name.
2nd, I found useful info on page 230 of the the Absolute User Guide.
○ Request Name: the name of the Data Delete request
(this could be the name of a script you ran to get the info...)
○ Identifier: the device’s Identifier
(the UDID or serial number of the computer)
○ Make: the name of the device manufacturer
(Apple)
etc.
Use the Jamf Pro API to pull the record of the computer you are deleting. It has all the information you need:
<?xml version="1.0" encoding="UTF-8"?>
<computer>
<general>
<id>1</id>
<name>foo</name>
<network_adapter_type>Ethernet</network_adapter_type>
<mac_address>CA:CA:CA:CA:CA:CA</mac_address>
<alt_network_adapter_type>IEEE80211</alt_network_adapter_type>
<alt_mac_address>77:77:77:77:77:77</alt_mac_address>
<ip_address>10.11.12.123</ip_address>
<last_reported_ip>12.34.56.78</last_reported_ip>
<serial_number>XYZ123ABC456</serial_number>
<udid>AF3B4F06-487D-66F4-979E-32D5205977A</udid>
...
<storage>
<device>
<disk>disk0</disk>
<model>APPLE HDD HTS541010A9E632</model>
<revision>JA0AB5N0</revision>
<serial_number>KE9113E9FMA5XF</serial_number>
<size>1000204</size>
<drive_capacity_mb>1000204</drive_capacity_mb>
<connection_type>NO</connection_type>
<smart_status>Verified</smart_status>
<partitions>etc.
To get the Mac's UDID as a variable in a script from Jamf Pro, e.g.
/usr/bin/curl -ksS -X GET -H "accept: application/xml" -u username:password "https://yourJamfPro.domain.com:8443/JSSResource/computers/id/1" -o ~/Downloads/foo.xml
udidstr="$(/usr/bin/xmllint -format -xpath "//computer/general/udid/text()" ~/Downloads/foo.xml)"For each field in the Absolute Certificate Of Destruction example use the matching key / value in the Jamf Pro computer record XML to make a readable document. You can include the action in Jamf Pro you used to actually erase the thing as a field with a time stamp.
If you're really feeling fancy save it as a .pdf & add some ribbons & clip art!
But perhaps it could be just a script that writes it out as a here file, e.g.
#!/bin/sh
...some code stuff...
/bin/cat << EOF > ~/Desktop/cod.txt
REQUEST NAME: $(/usr/bin/basename "$0")
IDENTIFIER: $udidstr
MAKE: Apple
etc.
EOF
...additional code stuff...NOTE: I am not quoting variables & command substitutions because inside the here file tags they will expand correctly. (Bonus! When the top EOF tag is unquoted (as above) variable expansion in a here file works. If the top EOF tag is quoted (i.e., "EOF") variable expansion is prevented.)
What about signing? Any Certificate Authority will do.
I am going to use the Jamf Pro CA & assume Java keytool is available but you could use the CA in /Applications/Utilities/Keychain Access on your Mac or make a self-signed cert with OpenSSL: Sign and verify files using OpenSSL
Run the following command:
keytool -genkeypair -alias cod -keyalg RSA -keysize 4096 -validity 2100 -keystore ~/Desktop/cod.jksThis will prompt the interactive mode. Answer the questions to make it "super official":
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: cod
What is the name of your organizational unit?
[Unknown]: IT
What is the name of your organization?
[Unknown]: Awesome
What is the name of your City or Locality?
[Unknown]: San Jose
What is the name of your State or Province?
[Unknown]: CA
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=cod, OU=IT, O=Awesome, L=San Jose, ST=CA, C=US correct?Type "yes", then, create the certificate signing request (CSR):
keytool -certreq -alias cod -keyalg RSA -keystore ~/Desktop/cod.jksYou will get output like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
zzCCArcCAQAwWjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMREwDwYDVQQH
EwhTYW4gSm9zZTEQMA4GA1UEChMHQXdlc29tZTELMAkGA1UECxMCSVQxDDAKBgNV
BAMTA0NPRDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAJ0UUiWdmtrK
j/oUJ5A1H9txRPdRz8ksIryBdXEk3wn7rhjVWKsgeQivV6dCl4Mg0PTayc9grv/g
8PgR3vZ/DLnLUsyNBAfof6ujRlZtT4TtQSscW+JLal58aWQ5QXykWLAfDWsA6w5o
-----END NEW CERTIFICATE REQUEST-----Select all of the text including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags) and copy it. On your Jamf Pro server:
- Login with credentials for a full admin Jamf Pro user
- In the top-right corner of the page click Settings (the gear...)
- Click PKI Certificates
- Click on the Manage Certificate Template tab
- Click the Create Certificate from CSR button
- Paste all of the text generated above into the CSR window
- Select Web Server Certificate from the Certificate Type pulldown
- Click Create to download the signed certificate
Change the name of the downloaded file to "reply.pem" just to make things a bit easier, then, run the following:
keytool -import -trustcacerts -alias cod -file ~/Downloads/reply.pem -keystore ~/Desktop/cod.jksYou now have a .jks containing the signature of your Jamf Pro Certificate Authority. Put it somewhere safe & don't lose the password. (You only have to do this part again when the certificate you just created expires, i.e., 2100 days in this case...)
Extract the private key from the .jks, sign / hash the cod.txt file & delete the private key. Do this each time you want to make a new "Certificate Of Destruction":
sudo openssl pkcs12 -info -in ~/Desktop/cod.jks -nodes -nocerts -out /private/tmp/private.key
sudo openssl dgst -sha256 -sign /private/tmp/private.key -out ~/Desktop/cod.txt.sha256 ~/Desktop/cod.txt
sudo rm -rf /private/tmp/private.keyVerify the signature (i.e., the public key):
openssl x509 -in ~/Downloads/reply.pemVerify the hash using the public key:
openssl dgst -sha256 -verify <(openssl x509 -in ~/Downloads/reply.pem -pubkey -noout) -signature ~/Desktop/cod.txt.sha256 ~/Desktop/cod.txtIf it's good you will see:
Verified OKFor fun, change the contents of ~/Desktop/cod.txt then run the command above again. You will see this instead because the hash doesn't match:
Verification FailureLast, make a workflow for all of this. Make a "Certificate Of Destruction" folder containing all the files, hashes & the reply.pem file used to sign them. Make the boss happy. This (theoretically) will make you happy. Good luck!!
