Jamf Nation Community

What @stevewood said. This is possible using the classic API endpoint he referenced.

You will need to get the Jamf Computer ID for the command to be posted to the device, so you may need to first run an API call from the computer to Jamf to get it's own ID, and then use that as a variable for the above command.

Is it possible to use the API script to check for machines in a smart group? I want the script to be executed only on macs that have a certain PKG installed on it. 

---

Yes, you would create a Smart Group using the "Packages Installed By Casper" criteria (<-- old throw back name). Pick the package name from a list you can pull up and any Mac with that package installed on it, and has had an inventory collection run on it since then, will fall into that group.

Keep in mind the list that Jamf Pro displays when adding this criteria to a Smart Group is dependent on at least one Mac having had that package installed AND an inventory collection done on it, otherwise it may not show up in the list to choose from.

@Olga1 @stevewood and @mm2270 have described the endpoint to use for un-managing a device and creating a targeting Smart Group, but could you clarify your statement "I want to use the API so that jamf itself sends the MDM command to uninstall the profile. If I create a policy, it will package it up and run it on the device"?

Do you want the script to run via a Policy on the device to be removed, or are you looking to run a script from your own Mac that would target the Macs in Smart Group you've created for removal? I'm reading it as the latter, in which case you can use the /computergroups/id/{id} endpoint to retrieve the list of Macs in scope for the smart group described by @mm2270 , parse the IDs from that result, then use the endpoint @stevewood lists to send the UnmanageDevice command.

Putting all of the posts from @stevewood , @mm2270 , and myself into an example script (actual sending of the UnmanageDevice command wasn't tested, and you'd definitely want to add some error checking):

#!/bin/bash

# Quick and dirty script to query a JSS for a list of computer IDs in a group, then send
# an UnmanageDevice command to those computers
#
# Written by @sdagley with input from @mm2270 and @stevewood

jssURL="https://yourjss.company.com:8443"

apiID="$(osascript -e 'Tell application "System Events" to display dialog "Enter a Jamf Pro API ID:" default answer ""' -e 'text returned of result' 2>/dev/null)"
apiPassword="$(osascript -e 'Tell application "System Events" to display dialog "Enter the password for the Jamf Pro API ID:" default answer ""' -e 'text returned of result' 2>/dev/null)"
groupID="$(osascript -e 'Tell application "System Events" to display dialog "Enter the group number to extract computer IDs from:" default answer ""' -e 'text returned of result' 2>/dev/null)"

GetJamfProAPIToken() {
	apiToken=""
	
    # This function uses Basic Authentication to get a new bearer token for API authentication.
    # Use user account's username and password credentials with Basic Authorization to request a bearer token.

    if [[ $(/usr/bin/sw_vers -productVersion | awk -F . '{print $1}') -lt 12 ]]; then
        apiToken=$(/usr/bin/curl -X POST --silent -u "${apiID}:${apiPassword}" "${jssURL}/api/v1/auth/token" | python -c 'import sys, json; print json.load(sys.stdin)["token"]')
    else
        apiToken=$(/usr/bin/curl -X POST --silent -u "${apiID}:${apiPassword}" "${jssURL}/api/v1/auth/token" | plutil -extract token raw -)
    fi
}

APITokenValidCheck() {
    # Verify that API authentication is using a valid token by running an API command
    # which displays the authorization details associated with the current API user. 
    # The API call will only return the HTTP status code.

    api_authentication_check=$(/usr/bin/curl --write-out %{http_code} --silent --output /dev/null "${jssURL}/api/v1/auth" --request GET --header "Authorization: Bearer ${apiToken}")
}

InvalidateToken() {
    # Verify that API authentication is using a valid token by running an API command
    # which displays the authorization details associated with the current API user. 
    # The API call will only return the HTTP status code.

    APITokenValidCheck

    # If the api_authentication_check has a value of 200, that means that the current
    # bearer token is valid and can be used to authenticate an API call.

    if [[ ${api_authentication_check} == 200 ]]; then

        # If the current bearer token is valid, an API call is sent to invalidate the token.

        authToken=$(/usr/bin/curl "${jssURL}/api/v1/auth/invalidate-token" --silent  --header "Authorization: Bearer ${apiToken}" -X POST)
    fi
}

GetJamfProAPIToken

# Use the groupID provides to get the list of computer IDs in that group
apiURL="JSSResource/computergroups/id/$groupID"

idList=$(curl -s \
	--header "Authorization: Bearer ${apiToken}" --header "accept: text/xml" \
	--url "${jssURL}/${apiURL}" \
	--request GET | /usr/bin/xpath -e '/computer_group/computers/computer/id/text()' 2>/dev/null | /usr/bin/tr '\n' ',' | /usr/bin/sed 's/,$//')

# Send an UnmanageDevice comamnd to the list of IDs
apiURL="JSSResource/computercommands/command/UnmanageDevice/id/$idList"

curl -s \
	--header "Authorization: Bearer ${apiToken}" --header "accept: text/xml" \
	--url "${jssURL}/${apiURL}" \
	--request POST

InvalidateToken

exit 0