Account permissions to rename mobile device using API call

jwbeatty
New Contributor III

I am working on a script to automate naming, renaming, and name enforcement for our mobile devices. The script uses an API call to send the rename command to devices that don't meet our naming convention. I use this call all the time. It works perfectly from my account with full admin rights. However, when I run the script with my API management account, which has limited rights, the command fails with the following message:

 

<html>
<head>
   <title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>

I have the "Send Mobile Device Set Device Name Command" permission enabled for the account. The account also has permission to view and modify mobile devices. Does anyone know what other permissions are needed to run this command? Here is the command I am using:

curl -X POST "$server/JSSResource/mobiledevicecommands/command/DeviceName/$deviceName/id/$deviceID" -H "Accept: text/xml" -H "Authorization: Bearer $jss_token"

ACCEPTED SOLUTION

mdp
Contributor

It looks like from here that also the "Create - Mobile Devices" permission is necessary. I'd probably try adding the "Read - Mobile Devices" permission as well if just adding the first doesn't work.

---
Matthew Prins -- Jamf Scripts @ Github

jwbeatty
New Contributor III

Thanks, Matthew. That did the trick. 

Jmardian
New Contributor III

Hi all, sorry for reopening an "old" thread here, but I am hoping that either of you can maybe help me out with a perhaps similar issue with my naming script and API calls. We have a naming convention that recognizes the mobile device type and assigns it a number (MBA-143 for MacBook Air, IMC-6 for iMac, etc.). The problem is that the variable is no longer being recognized and all I am getting is MBA-1 for each newly enrolled device. Recently, we instituted SSO with Jamf Connect via Google and I am starting to suspect that this may be causing an issue with the User Permissions piece. Maybe not. I am not a programmer and I inherited the script below. I recently added the bearer token call in hopes of fixing the issue, but I have so far been unsuccessful. Any help appreciated. Script and script result below:

#!/bin/bash

## This function calls the Jamf (newer) "Pro" API to generate a token for subsequent calls to the "Pro" or "Classic" APIs.
function getAPIToken() {
	jamfURL=$1
	basicAuth=$2

	authToken=$(curl -s \
		--request POST \
		--url "${jamfURL}/api/v1/auth/token" \
		--header "Accept: application/json" \
		--header "Authorization: Basic ${basicAuth}" \
		2>/dev/null \
	)
	
	## Courtesy of Der Flounder
	## Source: https://derflounder.wordpress.com/2021/12/10/obtaining-checking-and-renewing-bearer-tokens-for-the-jamf-pro-api/
	if [[ $(/usr/bin/sw_vers -productVersion | awk -F . '{print $1}') -lt 12 ]]; then
		api_token=$(/usr/bin/awk -F \" 'NR==2{print $4}' <<< "$authToken" | /usr/bin/xargs)
	else
		api_token=$(/usr/bin/plutil -extract token raw -o - - <<< "$authToken")
	fi
	
	echo ${api_token}
}

## Get the token and verify connection
# basicAuth=$(echo -n "${jamfuser}:${jamfpass}" | base64)
token=$(getAPIToken "${jamfurl}" "${basicAuth}")
if [[ "${token}" == "" ]]; then
	echo "Error: Unable to authenticate"
	exit 1
fi

####################################################################################################
#
# These are the essential components needed to make an encrypted API call with variables
#
####################################################################################################


# HARDCODED VALUE FOR JAMF PRO URL IS SET HERE

jamfurl="XXX"
jamfuser="XXX"
jamfpass="XXX"

# ENCRYPTION IS DEFINED HERE. FOR MORE INFORMATION ON HOW TO CREATE ENCRYPTION IN A SCRIPT, VISIT
# https://docs.jamf.com/education-services/resources/20190418/400_Resources_S2_L5_.html

EncryptedString=$4
Salt='ca89daaf664dae66'
Passphrase='06ebc9f526579b8523b376e4'

####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################

# Getting the computer's serial number to make the API call

serialnumber=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')

# Decrypting the string above

function DecryptString() {
echo "${1}" | /usr/bin/openssl enc -md md5 -aes256 -d -a -A -S "${2}" -k "${3}"
}
string=$(DecryptString $EncryptedString $Salt $Passphrase)

model=$(system_profiler SPHardwareDataType | grep "Model Identifier" | awk '{print $3}' | sed 's/[1-9].*$//')

case $model in
MacBookPro)   short=MBS ;;
MacBook)       short=MB ;;
MacBookAir)   short=MBA ;;
iMac)         short=IMC ;;
*)             short=UNK ;;
esac

# A basic API Call that's getting information for the computer.

# computerxml=$(curl -s -H “Authorization: Bearer ${token}” -H ${jamfurl}/JSSResource/computers/serialnumber/${serialnumber} -X GET)

# Finding a specific component of the XML using xpath (in this case, the ID)

# id=$(echo $computerxml | xpath 'string(/computer/general/id)')

# Create an array of Computer Names in Jamf
var=$(curl -s -H “Authorization: Bearer ${token}” -H ${jamfurl}/JSSResource/computers -X GET | tidy -xml | grep '<name>' | sed -n 's|<name>\(.*\)</name>|\1|p' | grep $short | cut -d'-' -f 2)

# Add computer names to array called "name"
name=($var)

# Adds the number of values in array to variable "namen"
namen=${#name[@]}

# Adds the highest number in array to variable "hinumber"
IFS=$'\n'
hinumber=$(echo "${name[*]}" | sort -nr | head -n1)

# Adds the highest number +1 to a variable "NUM"
NUM=$(($hinumber+1))

computerName=${short}-${NUM}

serialnumber=$(system_profiler SPHardwareDataType | awk '/Serial/ {print $4}')

curl -s -H “Authorization: Bearer ${token}” -H "Content-Type: application/xml" ${jamfurl}/JSSResource/computers/serialnumber/${serialnumber} -d "<computer><general><name>${computerName}</name></general></computer>" -X PUT

scutil --set ComputerName ${computerName}
scutil --set HostName ${computerName}
scutil --set LocalHostName ${computerName}

echo "Computer name changed to $computerName"

jamf displayMessage -message "The computer name is ${computerName} - Please make a label reflecting this. "

and the script result: 

Script result: No warnings or errors were found.

To learn more about HTML Tidy see http://tidy.sourceforge.net
Please send bug reports to html-tidy@w3.org
HTML and CSS specifications are available from http://www.w3.org/
Lobby your company to join W3C, see http://www.w3.org/Consortium
<html>
<head>
	<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
	Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>Computer name changed to MBA-1
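
Added example (not part of the original post): how the shell tokenizes the curl arguments as posted above versus with ASCII quotes, which accounts for the "Unauthorized" page in the script result. The token and URL are constructed placeholders, and `show_args`, `broken_args`, `fixed_args`, `first_header` and `status_ok` are hypothetical helper names.

```shell
#!/bin/bash
# Added example, not the poster's code. Constructed placeholder values:
token="CONSTRUCTED.TOKEN.VALUE"
url="https://jamf.example.invalid/JSSResource/computers"

# Print every argument curl would receive, one per line, in brackets.
show_args() { printf '[%s]\n' "$@"; }

# As posted: typographic quotes (U+201C/U+201D) are ordinary characters to
# the shell, so the header is split on spaces into three words. curl gets
# the header "“Authorization:", treats "Bearer" and the token as URLs, and
# the extra -H in front of the real URL turns that URL into a header.
broken_args() {
	show_args -s -H “Authorization: Bearer ${token}” -H ${url} -X GET
}

# Corrected: ASCII double quotes keep the header in one word, and the URL
# is passed as a positional argument, not as the value of -H.
fixed_args() {
	show_args -s -H "Authorization: Bearer ${token}" -H "Accept: text/xml" "${url}" -X GET
}

# The header curl actually receives is the word right after the first -H.
first_header() { "$1" | sed -n '/^\[-H]$/{n;p;q;}'; }

# Guard for the real calls: accept only 2xx, so a 401 page is never piped
# into tidy/grep and "Computer name changed" is never printed after a
# rejected PUT. Obtain the code with, for example:
#   code=$(curl -s -o /dev/null -w '%{http_code}' ...)
status_ok() { case "$1" in 2??) return 0 ;; *) return 1 ;; esac; }

# Ordering note: the posted script calls getAPIToken before jamfurl,
# jamfuser and jamfpass are assigned, and the basicAuth line is commented
# out, so those assignments must come first for a token to be issued.

echo "posted:";    broken_args
echo "corrected:"; fixed_args
echo "header sent (posted):    $(first_header broken_args)"
echo "header sent (corrected): $(first_header fixed_args)"
```

With the list request failing, `hinumber` stays empty and `$(($hinumber+1))` evaluates to 1, which is why every device comes out as `MBA-1`.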