Jamf Pro API Script Remote Device Lock - "The request requires user authentication"

MathiasO_TK
New Contributor II

Hey folks!

I need some help with my script to trigger the API computer command "Remote Device Lock".

Purpose: I want a script which requests user input with "Computer Name", gets the computer's Jamf ID (this works!), and afterwards sends the remote command "Lock Device" with this ID -> at this point I get an error:

Script result: <html>
<head>
<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>

Here is more information: I use the API Client&Roles setting in Jamf, created an API client with some privileges:
"Read Computer Inventory Collection, Update Computers, Read Computers, Create Computers, Send Computer Remote Lock Command"

This is my script:

Script:
***************************************************************
#!/bin/zsh
read -r -d '' applescriptCode <<'EOF'
   set dialogText to text returned of (display dialog "Bitte trage die MacBook-Namen ein." default answer "no input")
   return dialogText
EOF
computerName=$(osascript -e "$applescriptCode");
# API login
bearerToken=""
url=https://XXXXXXXX.XXXX:8443
client_id="API Client ID
client_secret="API Client Secret"
# Create Token
token=$(curl --location --request POST "$url/api/oauth/token" \
     --header "Content-Type: application/x-www-form-urlencoded" \
     --data-urlencode "client_id=$client_id" \
     --data-urlencode "grant_type=client_credentials" \
     --data-urlencode "client_name=Test" \
     --data-urlencode "client_secret=$client_secret")
# Catch Token
bearerToken=$(echo "$token" | plutil -extract access_token raw -)
# determine Jamf Pro device id
deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${bearerToken}" ${url}/JSSResource/computers/name/"$computerName" | xmllint --xpath '/computer/general/id/text()' -)
#echo "$deviceID"
# Execute Device Lock Command
curl -s -H "Accept: application/xml" -H "Authorization: Bearer ${bearerToken}" ${url}/JSSResource/computercommands/command/DeviceLock/passcode/615243/id/"$deviceID" -X POST

 


jamf-42
Valued Contributor II

maybe a typo but this is not closed 

client_id="API Client ID

MathiasO_TK
New Contributor II

This is just a placeholder for the real name of the API client :D

In the real script there is another ID and secret..

I guess something like access rights could be the error, but I can't think of anything I forgot..

RaGL
New Contributor III

I never tried this specific command via API before, but when checking the API Description for this command it says, that only "ScheduleOSUpdate" is a supported command currently and it's basically also deprecated since 2022. So I guess "DeviceLock" might just not be a supported command anymore.

[Screenshot: Xnip2024-07-10_12-57-41.jpg]

MathiasO_TK
New Contributor II

Hey, thanks for the reply..
On our API site I used this:

[Screenshot: Bildschirmfoto 2024-07-10 um 13.08.58.png]

 This is the one extra for Device Lock.

stevewood
Honored Contributor II

If you're doing this from a management workstation, like your own, and sending the commands to devices that are enrolled in your Jamf Pro, take a look at Jamf Actions. Jamf Actions are shortcuts for the Shortcuts app that allow you to send MDM commands easily from your workstation.

There are other Jamf created items on that Jamf Concepts GitHub repo.

bchehreh
New Contributor II

Did you ever get this one figured out? We have a workflow for device decommissioning in our Helpdesk that relies on this API to do device locking for Macs, and it seems to have broken on me when trying to reconfigure the script for using modern API now that authenticating with credentials got deprecated in the past few months.

Hey, sorry for the late answer! Got it resolved this way:

 

#!/bin/zsh

# API login
bearerToken=""
url=https://XXXX.XX.XX:8443
client_id="XXXX"
client_secret="XXX"

# Create Token
token=$(curl --location --request POST "$url/api/oauth/token" \
     --header "Content-Type: application/x-www-form-urlencoded" \
     --data-urlencode "client_id=$client_id" \
     --data-urlencode "grant_type=client_credentials" \
     --data-urlencode "client_name=lock_Device" \
     --data-urlencode "client_secret=$client_secret")

# Extract the access token from the JSON response
bearerToken=$(echo "$token" | plutil -extract access_token raw -)

# Determine Jamf Pro device id
deviceID=$(curl -s -H "Accept: text/xml" -H "Authorization: Bearer ${bearerToken}" ${url}/JSSResource/computers/name/"$computerName" | xmllint --xpath '/computer/general/id/text()' -)

# Print the ID to confirm the first request worked
echo "$deviceID"

# Execute Device Lock Command
curl -s -H "Authorization: Bearer ${bearerToken}" "$url/JSSResource/computercommands/command/DeviceLock/passcode/615243/id/$deviceID" -H "Content-Type: application/xml" -X POST

 


I got problems with the Bearer Token... can't get a valid access_token.. so I tested with multiple full admins and got to see it was an API Client problem :)

The $computerName will go through our Ansible Prompt.
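
The root cause reported above was a token request that returned no valid access_token, which the original script only surfaced later as the HTML "Unauthorized" page. As an added example (not code from the thread), the functions below check the token reply before any command is sent; the function names and sample replies are constructed, and sed stands in for the macOS-only plutil call.

```shell
#!/bin/sh
# Added example, not from the thread: stop at the token step instead of
# sending a Classic API command with an empty bearer token.

# token_from_response JSON: print access_token, or return 1 if absent/empty.
# Portable sed stand-in for the thread's macOS `plutil -extract access_token raw -`.
token_from_response() {
    _tok=$(printf '%s' "$1" |
        sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
    [ -n "$_tok" ] || return 1
    printf '%s\n' "$_tok"
}

# classify_reply STATUS BODY: print ok, unauthorized or error.
# STATUS may be empty when only the body was captured, as in the original script.
classify_reply() {
    case "$1" in
        2??) echo ok ;;
        401) echo unauthorized ;;
        *)   case "$2" in
                 *"requires user authentication"*) echo unauthorized ;;
                 *) echo error ;;
             esac ;;
    esac
}

# request_token URL CLIENT_ID CLIENT_SECRET: print a token or return non-zero.
# Needs network access; endpoint and form fields are the ones used in the thread.
request_token() {
    _resp=$(curl -s -w '\n%{http_code}' -X POST "$1/api/oauth/token" \
        --header "Content-Type: application/x-www-form-urlencoded" \
        --data-urlencode "client_id=$2" \
        --data-urlencode "grant_type=client_credentials" \
        --data-urlencode "client_secret=$3") || return 2
    _status=$(printf '%s\n' "$_resp" | tail -n 1)   # last line is the HTTP code
    _body=$(printf '%s\n' "$_resp" | sed '$d')      # everything before it
    if [ "$(classify_reply "$_status" "$_body")" != ok ]; then
        echo "token request failed: HTTP $_status" >&2
        return 1
    fi
    token_from_response "$_body" || { echo "no access_token in reply" >&2; return 1; }
}

# Constructed sample replies (not captured from a real server).
GOOD_REPLY='{"access_token":"eyJSAMPLE.constructed.token","token_type":"Bearer","expires_in":1199}'
BAD_REPLY='{"error":"invalid_client"}'
```

In a lock script, `bearerToken=$(request_token "$url" "$client_id" "$client_secret") || exit 1` keeps the DeviceLock request from ever being sent without a token.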