Hi @maffettb

no. I'm stuck on this. Tried to find any guide or information, but not available.

@mm2270 might able to help?

Haven't used this specific script, but it looks like the purpose of the encrypted strings function is to generate the encrypted password and hash/salt phrases. Looks you will need to do a few steps:

Download the EncryptedString.sh script. The easiest way to generate the encrypted string is to edit the script at the bottom and add the following line:

GenerateEncryptedString "<<yourOrgAdminPassword>>"

You will get an output like:

Encrypted String: U2FsdGVkX1900X/Nu7QM9lzaurWKLIwdbVQGO+UPHnA=
Salt: 74d17fcdbbb40cf6 | Passphrase: 39f273b3b7ec4f189a3963af

Edit the removeTempAdmin.py script and update lines 76 & 77 with the Salt and Passphrase from your generated output. (Don't forget to change line 75 to your local admin account, don't change the second part of the dictionary, that will be passed via script arguments.

Upload the script to Jamf and create the policy with that script. Put the encrypted string generated above in as Parameter 4.

Got it Thanks to you but had to slightly change stuff.
@pairjal After digging yesterday, I found another thread that explained how to run the .sh script and get an out put BUT, turns out that the .sh version doesn't correctly output the encrypted strings and will actually change your orgadmin password on you.

The python version of encrypted strings does work though but I couldn't figure out how to get any output until @RBlount pointed me in the right direction!

You just need to copy that first part of the python script and add a line at the bottom following the python scripts usage syntax and then you can run the script in terminal.

!/usr/bin/python2.7

Python wrapper for 'openssl' to create an encrypted Base64 string for script parameters

Additional layer of security when passing account credentials from the JSS to a client

import subprocess

Use GenerateEncryptedString() locally - DO NOT include in the script!

The 'Encrypted String' will become a parameter for the script in the JSS

The unique 'Salt' and 'Passphrase' values will be present in your script

def GenerateEncryptedString(inputString): '''Usage >>> GenerateEncryptedString("String")''' salt = subprocess.check_output(['/usr/bin/openssl', 'rand', '-hex', '8']).rstrip() passphrase = subprocess.check_output(['/usr/bin/openssl', 'rand', '-hex', '12']).rstrip() p = subprocess.Popen(['/usr/bin/openssl', 'enc', '-aes256', '-a', '-A', '-S', salt, '-k', passphrase], stdin = subprocess.PIPE, stdout = subprocess.PIPE) encrypted = p.communicate(inputString)[0] print("Encrypted String: %s" % encrypted) print("Salt: %s | Passphrase: %s" % (salt, passphrase))
GenerateEncryptedString("MyOrgAdminPassword")

@maffettb

Hey Just reading your response

You just need to copy that first part of the python script and add a line at the bottom following the python scripts usage syntax and then you can run the script in terminal.

Not sure what you mean by this. can you provide me a screen shot... Or if you can walk me through it.

sorry in advance for such a silly question.

Encrypted strings, while it is technically a mitigation, does not really get you the protections you think it might. In the end, simple tools like pstree can collect information on processes that will show code and positional parameters in clear text. Meaning, it would still be somewhat trivial to decrypt values. Not to mention, it still will get decrypted on disk for a small period of time. Tools like hunters.ai can easily detect these threats. In the end you should never pass credentials on the client endpoint for anything. Registration tokens and other way less risky type of credentials can be passed (and there is no choice sometimes) with a minimal accepted risk. Having gone through countless and various security and compliance audits in my 20 year career it has become painfully obvious to me to avoid these type of workflows any chance you can.

In my opinion, you should spend your efforts on reworking your workflows where you aren't passing credentials to the endpoint at all versus spending all this effort to encrypt strings in every piece of code you deploy. To my best knowledge no tool out there does full E2EE where an agent will do a GET request and execute code locally on the device. If there is a tool that does this I would be happy to know! I still try to always enforce my personal rules of no curl scripts on the client side, no credentials on the client side, and always put security, threat models, and compliance into consideration when building workflows

solid answer @tlarkin