Looking for help with the Classic API /computerinvitations/ endpoint

swimmityswim
New Contributor II

I'm trying to automate our deployment process using Jira webhooks and the Jamf API and webhooks.

I want to generate a unique invitation URL when a user is added using our existing Jira workflow.

Jira (fully approved) > Webhook to cloud function > Call Jamf API computerinvitations and send to user > Jamf webhook on computer added to site > cloud function to complete user setup.

 

The docs for the computerinvitations endpoint are sparse (https://developer.jamf.com/jamf-pro/reference/computerinvitations). My particular question is related to the XML payload I need to pass in the request body. There is a sample in the docs; however, I'm wondering which parts of this sample are required/mandatory and which are optional?

For instance, the SSH user/password and some other details are set at the org level in settings in "User-initiated enrollment". Also, when setting the site in the XML payload, the invitation info in the portal does not show the site I set in the payload.

 

Any help is appreciated.

1 ACCEPTED SOLUTION

stevewood
Honored Contributor II

Using https://{{url}}/JSSResource/computerinvitations you can get a list of all invitations. You should see the different types in there. From what I see in my demo instance:

USER_INITIATED_EMAIL
DEP_CUSTOM_ENROLL
USER_INITIATED_URL
DEFAULT
 
I'm not sure if there are more than that.
As for Site, I would think you simply need to set the ID value under <enrolled_into_site> or under <site>. I would test both of those individually to see which one provides what you need. But you should only need the ID and not the Name.


8 REPLIES 8

sdagley
Esteemed Contributor II

@swimmityswim Is adopting an Automated Device Enrollment (aka DEP) workflow for your devices an option? I don't know about iOS based devices, but for Macs the ADE based enrollment provides a higher level of control than user initiated enrollment. Unless ADE isn't available for your environment I'd strongly encourage you to look into adopting it.

Thanks for taking the time to respond.

To expand a little more on what I'm trying to do, this relates to a smaller, secondary site in our Jamf tenant.

We have our Corporate site that has a separate configuration, but this site is for a completely separate group of Contractors that has no integration with any of our directories and the contractors are bringing their own devices.

Once a new contractor is approved via our Jira workflow, I want to generate a one-off enrollment link that expires (expiration is not decided yet, but I'm thinking 48 hours/1 week) and email it to the contractor's Corporate email address, which is in the Jira ticket. Once the contractor enrolls using this email address and the computer is added to our Contractors site, I want to send a request to another cloud function (computerAdded webhook) that will see that it relates to our Contractors site, match the enrollment email address to the address in the ticket, and complete setup in our other cloud products.

My understanding is that because we don't control/own the endpoints, DEP is not applicable.

sdagley
Esteemed Contributor II

@swimmityswim While iOS devices support a BYOD approach which carves out a separate managed workspace that's MDM managed there is no such mechanism for macOS. If your contractors have Macs that are managed by their own organization's MDM you cannot enroll them with your Jamf Pro MDM. And even if that is not the case they might not want to enroll a personal device with your org's MDM once they understand the level of control/access that will give your org to the Mac.

Understood. This is an offshore group of contractors solely dedicated to our "project". The devices they are bringing are purchased solely for use on this project, and will only be managed by our Jamf policies.

We have already onboarded a small number by manually creating the enrollment invitations. I'm just trying to replicate what we do manually via the Classic API and having trouble with the XML payload to have them added to the correct site upon enrollment.

stevewood
Honored Contributor II

I did a very quick test and it appears that you need at least the following keys:

<computer_invitation>
    <invitation_type>DEFAULT</invitation_type>
    <expiration_date>2023-12-07 11:13:35</expiration_date>
    <ssh_username></ssh_username>
    <ssh_password></ssh_password>
</computer_invitation>

You can see that I was able to leave the SSH info blank and the invitation was created. 

Really appreciate you taking time to help with this.

I'm also having an issue populating/setting the "Site" details and wondering what the possible values of <invitation_type> are.

There's a schema for the response to a lot of these endpoints, but a request schema for anything that requires a payload be PUT/POSTed would be very nice.

This is very helpful. Thanks so much for the info.
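
Added example (not from any post in this thread and not Jamf's own code): one way a cloud function could build the request body from the minimal keys in stevewood's test, plus the site ID he suggests trying under <site> or <enrolled_into_site>. The function name, the one-week cap, the nested <id> element, the use of UTC for the expiration and the site ID 2 are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Invitation types listed in the thread (the poster was not sure the list is complete).
KNOWN_TYPES = {"USER_INITIATED_EMAIL", "DEP_CUSTOM_ENROLL", "USER_INITIATED_URL", "DEFAULT"}
# The thread suggests testing the site ID under each of these, one at a time.
SITE_ELEMENTS = {"site", "enrolled_into_site"}
# Assumption: cap lifetime at the one-week upper bound the poster mentions.
MAX_TTL_HOURS = 7 * 24


def build_invitation_xml(invitation_type, ttl_hours, site_id=None,
                         site_element="site", now=None):
    """Return the <computer_invitation> request body as a string."""
    if invitation_type not in KNOWN_TYPES:
        raise ValueError(f"unexpected invitation_type: {invitation_type!r}")
    if not 0 < ttl_hours <= MAX_TTL_HOURS:
        raise ValueError(f"ttl_hours must be in 1..{MAX_TTL_HOURS}")
    if site_element not in SITE_ELEMENTS:
        raise ValueError(f"unexpected site element: {site_element!r}")

    # Assumption: UTC. The thread does not say how the server reads the timestamp.
    now = now or datetime.now(timezone.utc)
    expires = now + timedelta(hours=ttl_hours)

    root = ET.Element("computer_invitation")
    ET.SubElement(root, "invitation_type").text = invitation_type
    # Same "YYYY-MM-DD HH:MM:SS" layout as the sample in the thread.
    ET.SubElement(root, "expiration_date").text = expires.strftime("%Y-%m-%d %H:%M:%S")
    # Left blank, as in the thread's test, so no credentials live in the function.
    ET.SubElement(root, "ssh_username").text = ""
    ET.SubElement(root, "ssh_password").text = ""
    if site_id is not None:
        # int() rejects anything non-numeric arriving from webhook data.
        site = ET.SubElement(root, site_element)
        ET.SubElement(site, "id").text = str(int(site_id))
    # ElementTree escapes text for us; keep explicit open/close tags for empties.
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)


if __name__ == "__main__":
    # Constructed input: a 48-hour invitation for a hypothetical site ID 2.
    start = datetime(2023, 12, 5, 11, 13, 35, tzinfo=timezone.utc)
    print(build_invitation_xml("DEFAULT", 48, site_id=2, now=start))
```

Building the body with an XML library and validating the type, lifetime and site ID before sending keeps values that originate in a Jira ticket from altering the payload structure.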