Hey Jamf Nation,
In Jamf Pro 10.35 we announced the deprecation of Basic authentication in the Classic API scheduled for a future release of Jamf Pro (https://docs.jamf.com/10.35.0/jamf-pro/release-notes/Deprecations_and_Removals.html). We received some great feedback from the community, and there were some questions around why we chose to make this change. I’d like to address those here.
The change in authorization mechanism in the Classic API was an effort to quickly mitigate the threat of brute force attacks against Jamf Pro instances. Today, the Classic API is the main target for attackers executing brute force attacks to attempt to gain access to a Jamf Pro instance.
By using the same authorization mechanism as the newer Jamf Pro API, we're able to funnel all auth requests through a small number of endpoints that we can rate limit, without limiting every API request.
We know that a change like this causes additional work for customers and partners to update API workflows, but we believe this change is critical to improving the overall security posture of Jamf Pro. We encourage customers not currently using the Classic API to disable basic auth as soon as possible to reduce the attack surface of their Jamf Pro instance. Starting in Jamf Pro 10.36 you can disable this directly within the web interface by unchecking the "Allow Basic authentication in addition to Bearer Token authentication" checkbox in your Password Policy settings as outlined in the release notes (https://docs.jamf.com/10.36.0/jamf-pro/release-notes/Deprecations_and_Removals.html). We continue to evaluate all aspects of our APIs to ensure simple and secure programmatic access to the entire Jamf portfolio of products.
Thanks again to everyone who has provided feedback on this change.
