Query on attestation/reporting on device wipes, for audit purposes

DJKebab
New Contributor

Just wondered if anyone knows of any way to get reports (that could be used in an audit, for example) to verify macOS device wipes initiated from within Jamf Pro? It doesn't look like this functionality exists within the product, but I wanted to check.

We also tested device wipe using a solution from Blancco, however, while it does generate comprehensive reports, it does so prior to the wipe actually executing, meaning the report cannot be relied upon. It wasn't worth the additional effort to deploy a separate solution in that case.

 

Many thanks.

 

 

1 ACCEPTED SOLUTION

joshuasee
Contributor III

If you want it in a pretty-ish form for a particular device with a bare minimum of additional work, find the page for the device in the web UI, collapse the menu, print the device management command history page, and attach it to the disposal report.

For more detailed work, the information is in there, but it'll require a dive into the API and parsing the results into something presentable. Hopefully the following will point you in a useful direction:

 

If you want just an acknowledgment of erasures for a batch of devices, pull the info on all uses of the EraseDevice command from the API and parse out what you want.

curl -u "${username}:${password}" -X GET "https://yourjss.url:8443/JSSResource/mobiledevicecommands/name/EraseDevice" -H "accept: application/xml"

If you want acknowledgement of erasure for a particular device, pull its command history. There are separate timestamps for the command being sent and acknowledged.

curl -u "${username}:${password}" -X GET "https://yourjss.url:8443/JSSResource/mobiledevicehistory/id/${device_id}/subset/ManagementCommands" -H "accept: application/xml"

${device_id} will be the numeric id of the device object in Jamf. Getting that from the device name will require a separate MDM command.

The above are for the "Classic" API, which will be sunset at some point in favor of the modern complex and modern UAPI, but I don't know of any date for that having been set yet.

 

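Added example, not part of the original post and not Jamf's own code: one way to turn a saved command-history response into an audit record that separates acknowledged EraseDevice commands from pending or failed ones. The function name erase_evidence, the device id and the XML element names in the constructed sample are assumptions; check them against what your server actually returns.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample response. The element names are an assumption about the
# Classic API command-history layout, not copied from a real server.
SAMPLE_XML = b"""<computer_history>
  <commands>
    <completed>
      <command><name>EraseDevice</name>
        <issued_utc>2024-03-01T10:15:00.000+0000</issued_utc>
        <completed_utc>2024-03-01T10:17:42.000+0000</completed_utc></command>
      <command><name>UpdateInventory</name>
        <completed_utc>2024-02-27T08:00:00.000+0000</completed_utc></command>
    </completed>
    <pending/>
    <failed/>
  </commands>
</computer_history>"""


def erase_evidence(raw_xml: bytes, device_id: str,
                   command: str = "EraseDevice") -> dict:
    """Summarise one device's history entries for the given command."""
    root = ET.fromstring(raw_xml)
    events = []
    for state in ("completed", "pending", "failed"):
        # Each state container holds <command> children (assumed layout).
        for cmd in root.findall(f".//{state}/command"):
            if cmd.findtext("name", "").strip() != command:
                continue
            # Keep every UTC timestamp so sent and acknowledged stay separate.
            stamps = {c.tag: c.text for c in cmd if c.tag.endswith("_utc")}
            events.append({"state": state, **stamps})
    return {
        "device_id": device_id,
        "command": command,
        # True only if the history lists the command as completed.
        "acknowledged": any(e["state"] == "completed" for e in events),
        "events": events,
        # Hash of the exact bytes parsed, so the report can be tied to them.
        "response_sha256": hashlib.sha256(raw_xml).hexdigest(),
    }
```

Save the curl output to a file and pass its bytes in; a record with acknowledged set to False means the history shows the erase as pending or failed, or not present at all.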

3 REPLIES 3


Thank you, this is exactly the kind of thing I was looking for. The API commands look to be working well; the only change required was to substitute "mobiledevicehistory" for "computerhistory" to return the macOS records. Can now work to refine a process around this (and the screenshot/print of the command history is good in the interim).

Hi, I tried running this exact string in Terminal (swapping out credentials and URL) and got some errors.

Response:

zsh: command not found: -X
curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information

----------------

I changed it to this and got a response, but the response says "This request required user authentication" even though I am providing admin account details and do not have SSO enabled.

curl --request GET  --url https://[url].jamfcloud.com/JSSResource/computercommands/name/EraseDevice --header "Accept: application/xml" -u api:[password]

 

Response:

<html>
<head>
<title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>
<p>The request requires user authentication</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>

-----------

Any ideas?

 

Thanks,

Jon