Unmanaging macOS devices through API

Ok, think I may be looking at this wrong. I've just noticed that on my test device, all profiles have now gone, and that there is no option in the JSS Record for the device for issuing Management commands, so it looks like it may actually be "unmanaging" the device anyway. 

Does anyone know of anyway to use the API to de-select the ""Allow Jamf Pro to perform management tasks" checkbox anyway? 

I feel like I'm narrowing it down. Looking here: https://developer.jamf.com/jamf-pro/reference/updatecomputerbyid

I've tried the following:

But now getting an error:

Any ideas what I'm missing?

Ok figured it out. The exact command required is:

@rcoleman I trying to get the Unmanaged Command to work, do you know what minimum permissions that is needed? I have Jamf Pro Server Actions -> Send Computer Unmanage Command and Computer Read
Thanks!

@Mikael_lofgren I actually just ran into this issue. We use a dedicated API account with encrypted details for performing API operations and on my last test with this it complained about permissions. During my testing, I used my own account which has full permissions and it worked fine. Unfortunately I don't have time just now to investigate this further however on first look I believe for the account being used to perform API operations you'll need to make sure "Send Computer Unmanage Command" is selected. If you manage to try this let me know if it works:

EDIT - Sorry, I've just realised that you've mentioned this is already selected! In that case I'm not sure what will be required. We also use the account for enabling remote management using MDM command and that works fine. When I get time to investigate further and if I come up with a solution then I'll make sure to post.

@Mikael_lofgren Just to say this worked for myself and I only have the same permissions you listed above, so apologies but I'm not sure what's going wrong at your side :(

@rcoleman My command seems to work when using full permissions, I have opened a support case to get this sorted, can post any findings here when done. Thanks!

@Mikael_lofgren That would be great, many thanks. It's possible I made a change to the permissions a long time ago for our API account but just can't remember, so it certainly would be useful to know exactly what permissions are required.

Ahh think I missed, create in Computer objects, but this is the minimum to work, response code from API when working is 201.
# Jamf Pro Server Objects > Computers Create, Read and Update
# Jamf Pro Server Actions > Send Computer Unmanage Command

Sending the MDM Command to "Unmanage" a device requires the device to be active to receive it -- in other words, the device is not marked as "unmanaged" until it receives the command and responds back to the Jamf Pro Server.

The other method you used, sending the remote_management > managed > false payload does not rely on the device being active, however, it does not remove anything from the device (e.g. the Jamf Management Framework, aka the jamf binary, MDM Profile, etc.); in this scenario the device does not know it has been unmanaged and will continue to attempt to check-in, as well as apply any and all configurations that it has "cached" on the device.

As noted, to perform this operation, the account will need Update privileges to Computers (at minimum), but it's not uncommon that additional privileges, that seem excessive given the task, are required (such as Create and Read) in Jamf's implementation of numerous API endpoints.  There's even been occurrences where permissions for completely separate objects are required to perform operations on another object.

@rcoleman 
Just looking at this myself but still not getting the Mac to move into the umanaged devices in Jamf, the tick box is still ticked.

Any chance you can post your full updated script as the first script posted does a full unenrol unmanage which removes all jamf framework which is not what I think we are both trying to achieve and I can't seem to get the syntax right when adding in your updated curl setting this

<remote_management><managed>false</managed></remote_management>

I worked it out  😀

 @MatG - Sure no problem. I've removed the "Unmanage" command and you'll need to replace the server name but this works for myself for unticking:

EDIT - Ah, I just see you got it working - good stuff  😀

Guys, 

Help me out here.. I'm in testing mode of Jamf API. So did sample test to get activation code. I do have all permission to run the API as I created a local user account in Jamf with the privilege as 'Administrator'. However, I'm getting the same below error message when I 'Try it out' as well as through 'shell script'.

Error message:

<html>

<head>

<title>Status page</title>

</head>

<body style="font-family: sans-serif;">

<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Unauthorized</p>

<p>The request requires user authentication</p>

<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.2">here</a>.<br>

Please continue your visit at our <a href="/">home page</a>.

</p>

</body>

</html>% 

Kindly advice. Thanks.

@sk25 Do you have the bearer token then? As the API page says:

@sk25 Without knowing how you constructed the command in the script....But using the API documentation page's "Try it out" feature and still having issues...

Do you use Sites?  The Site you have selected in the GUI affects API usage.  If you're not at the "Full Jamf Pro" level, you will be limited when using the API.

I've unchecked the 'Allow Basic Authentication in addition to Bearer Token Authentication" and ran the Bearer Token authorization from open recipe and getting the below error message. Kindly advice. Thanks.

"No valid token available, getting new token
Failed conversion of ``<stdin>: Could not extract value, error: No value at that key path or invalid key path: expires'' using format ``%Y-%m-%dT%T''
date: illegal time format
usage: date [-jnRu] [-r seconds|file] [-v[+|-]val[ymwdHMS]]
[-I[date | hours | minutes | seconds]]
[-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format]
{
"httpStatus" : 401,
"errors" : [ ]
}No valid token available, getting new token
Failed conversion of ``<stdin>: Could not extract value, error: No value at that key path or invalid key path: expires'' using format ``%Y-%m-%dT%T''
date: illegal time format
usage: date [-jnRu] [-r seconds|file] [-v[+|-]val[ymwdHMS]]
[-I[date | hours | minutes | seconds]]
[-f fmt date | [[[mm]dd]HH]MM[[cc]yy][.ss]] [+format]
Token already invalid
{
"httpStatus" : 401,
"errors" : [ ]"

As said the local user created in Jamf Pro is as an 'Administrator' privilege which means having create, read,update and delete of Jamf pro server objects, jamf pro server settings,Jamf Pro server actions

Maybe start look here on how to get bearer token: https://derflounder.wordpress.com/2021/12/10/obtaining-checking-and-renewing-bearer-tokens-for-the-jamf-pro-api/

That doesn't matter if you use and have a Site selected.  If you use Sites and are viewing a Site in the GUI, it affects what you can do/see in the API.

Trust me, we use Sites here and I have to account for it in all of the scripts I write for usage by our Site Admins.

Without seeing the constructed command, it's hard to troubleshoot errors.  But....it looks like you may have ran the code from the Bearer Token Authorization Recipe example.  Did you simply copy and paste the code?  If so, you could have invalid character (e.g. ASCII vs Unicode) encoding in your script.  (This is a common issue when copying code from a website into a shell script and it's commonly due to the quotation marks used; e.g.  " and ' ).

For more information on review these pages:

• SC1015 – ShellCheck Wiki 
• What makes the bash interpreter utility interpret differently standard and smart double quotes, present in a shell script, created in TextEdit?
• ASCII and Unicode quotation marks 

Also, I'd recommend reviewing (if you haven't already) for working with Bearer Tokens:

• Jamf Pro API Overview 
• Bearer Token Authorization Recipe

All,

I'm not getting anymore error on date format on the above mentioned API. However, if I give SSO enabled Jamf username and password, getting "Http code as 401". If I give Jamf local account username and password, I'm able to see the token, token expiration information, epoch etc.,
Question here:
SSO enabled Jamf username and password won't work on API's?
Any simple code for renewal of Token as Jamf token is valid for 30 mins or so. 
Kindly advice guys. Thanks.

We haven't got any SSO accounts to work with the API, we use local accounts for different API/scripts. Strange thing when re-tested is that API call to return the servern version seems to work (jamf-pro-version)

I can't speak for the API usage with SSO enabled, but wouldn't be surprised...

For expiration tracking/checking, you can utilize the function sample in the Bearer Token Authorization Recipe page I referenced before.  Or, more correctly, you could use the Keep Alive endpoint to invalidate the current and create a new Bearer Token in one step.

@Mikael_lofgren @MLBZ521 For Jamf API SSO is not supporting. We have to use local Jamf account with necessary API permission.