I'm wondering, is it possible to use hashes, preferably SHA-512, instead of plain text with the "sysadminctl" command? I really dislike the thought of a script containing my admin account password in plain text. I'm also creating a new admin account with the script, so it would be a bad idea to have that account's password in plain text.
I must be missing something. The script contains all the information needed to decrypt the encrypted string, so anybody with access to the script still gets the admin password. The only place where protection is added is in the JSS, where the policy now contains the encrypted string instead of the plain text password. So this scheme only protects the password inside the JSS, access to which is in any case very restricted.
Just a fair bit of caution: every script jamf runs still hits disk in clear text, in the temp folder that jamf downloads to. So, even if you pass an encrypted string, with parameters to decrypt it, it all hits disk in clear text. Meaning a simple tool like pstree, for example, can just scrape all that data. Tools like hunters.ai will easily pick this up, as should any threat hunting tool. So, do not assume encrypted strings in jamf scripts are secure; it is simply an extra layer an attacker would have to get through, which, if said attacker knows how jamf works, would not be too difficult.
So, really, if you want to put security first, don't pass any creds in scripts to client endpoints.
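To make the point of the two replies above concrete, here is an added example (not code from this thread or from Jamf) that reproduces the usual "encrypted string" pattern: the admin encrypts the password once with openssl, the salt and passphrase are hard-coded in the script Jamf pushes, and the ciphertext arrives as a script parameter. The last function shows that someone holding only the script file and that parameter recovers the password with no other knowledge. The salt, passphrase, sample password, file names and the `sysadminctl` line in the generated script are all constructed for the example.

```bash
#!/bin/bash
set -eu

# Constructed values. In the real pattern the admin generates a random salt
# (hex, as openssl -S expects) and passphrase, pastes them into the script,
# and puts the resulting ciphertext into the Jamf policy's parameter field.
SALT="5f8d2a1c9b3e7d40"
PASSPHRASE="3b9f1e7a6c2d8e5f4a1b0c9d"
ADMIN_PASSWORD="Correct-Horse-Battery-Staple"

# Step 1 (admin side): produce the single-line base64 ciphertext for the policy.
encrypt_string() {
  # usage: encrypt_string <plaintext> <salt> <passphrase>
  printf '%s' "$1" | openssl enc -aes-256-cbc -pbkdf2 -a -A -S "$2" -k "$3"
}

# Step 2 (what the policy pushes): a script with the two secrets hard-coded and
# the ciphertext expected as $4. This is the file that lands on the endpoint.
# The sysadminctl line is only written to the file here, never executed.
write_endpoint_script() {
  # usage: write_endpoint_script <path> <salt> <passphrase>
  cat > "$1" <<EOF
#!/bin/bash
SALT="$2"
PASSPHRASE="$3"
ADMIN_PW=\$(printf '%s' "\$4" | openssl enc -aes-256-cbc -pbkdf2 -d -a -A -S "\$SALT" -k "\$PASSPHRASE")
sysadminctl -addUser newadmin -fullName "New Admin" -password "\$ADMIN_PW" -admin
EOF
}

# Step 3 (anyone who can read the script plus the parameter): pull the salt
# and passphrase out of the script text and run the same openssl command.
# Nothing beyond the script file and the parameter value is needed.
recover_from_script() {
  # usage: recover_from_script <script path> <ciphertext parameter>
  local salt pass
  salt=$(sed -n 's/^SALT="\(.*\)"$/\1/p' "$1")
  pass=$(sed -n 's/^PASSPHRASE="\(.*\)"$/\1/p' "$1")
  printf '%s' "$2" | openssl enc -aes-256-cbc -pbkdf2 -d -a -A -S "$salt" -k "$pass"
}

# Run the whole round trip in a temp directory and print the recovered password.
demo() {
  local dir script ct
  dir=$(mktemp -d)
  script="$dir/create_admin.sh"
  write_endpoint_script "$script" "$SALT" "$PASSPHRASE"
  ct=$(encrypt_string "$ADMIN_PASSWORD" "$SALT" "$PASSPHRASE")
  recover_from_script "$script" "$ct"
  rm -rf "$dir"
}

demo
```

Note that the generated script goes one step further than the recovery shown here: once decrypted, the password is passed to `sysadminctl` as a command-line argument, so for the lifetime of that process it is also visible in the process list, which is the exposure the reply about pstree describes. Encrypting the parameter changes where the secret sits, not who can read it.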