I recently introduced a solution that monitors the new macOS “Erase All Content and Settings” feature. I showed an example of how the resulting data is passed to Jamf. In my case I used a script that contains the login data of the API user. Finally, I just wanted to give you a way to see that it works.
Now this topic has led to many discussions and new posts on this topic, so I thought of a new idea.
In my example I already have a web server with PHP module so the decision of the programming language was easy. For a productive operation, however, I recommend even more precautions, such as a function that monitors the number of accesses per client, so that your webserver is also protected from DDoS attacks.
The idea is to send the data over a proxy/webserver to the Jamf Pro API. Only the webserver knows the authentication information from Jamf Pro.
On the client side the script provides only the system UUID:
UDID=$(ioreg -d2 -c IOPlatformExpertDevice | awk -F\" '/IOPlatformUUID/{print $(NF-1)}')
With this information we call our webserver script and also pass a secret user agent string.
/usr/bin/curl -sk --user-agent "${USERAGENT}" ${WEBSERVERURL} -X POST -F "UDID=${UDID}"
On the server side we check multiple parameters like:
- Allow only POST requests
- Allow only if POST data is provided
- Allow only if POST data contains a valid UUID
- Allow only if the user agent matches
- Allow only if the UUID is in the Jamf Pro database
- Allow only if the UUID returns a valid computer ID from Jamf
Only if all requirements are met is the EA updated by the server script. I have deliberately dispensed with a success output.
I hope I was able to give you a little impetus with my idea and would also be pleased to receive other ideas.
As always, you can find all the information about it on Github.
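The server-side check sequence from the post above, written as an added example in Python rather than the author's PHP script (this is not the code from the Github repository). The user-agent secret, the Jamf URL and the use of the Classic API `/JSSResource/computers/udid/{udid}` lookup with basic auth are assumptions; the Jamf lookup is injected into `gate()` so the checks can be exercised without a server.

```python
"""Validation gate for the UDID proxy described in the post (added example, not the
author's script). The Jamf lookup is passed in as a callable so the gate is testable."""
import base64
import hmac
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Tuple

EXPECTED_UA = "replace-with-a-long-random-secret"  # assumed shared secret sent as User-Agent
JAMF_URL = "https://jamf.example.com"               # placeholder, not from the post
UUID_RE = re.compile(r"^[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}$")


def jamf_computer_id(udid: str, user: str, password: str) -> Optional[int]:
    """Look the UDID up in Jamf Pro (Classic API, assumed endpoint) and return the
    computer id, or None if the record is missing or the request fails."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{JAMF_URL}/JSSResource/computers/udid/{udid}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            root = ET.fromstring(resp.read())      # root element is <computer>
    except Exception:
        return None
    node = root.find("./general/id")
    return int(node.text) if node is not None and node.text and node.text.isdigit() else None


def gate(method: str, form: Dict[str, str], user_agent: str,
         lookup: Callable[[str], Optional[int]]) -> Tuple[bool, str]:
    """Apply the checks in the order listed in the post and deny on the first failure.
    Returns (allowed, reason-or-computer-id). No detail is sent back to the client."""
    if method != "POST":
        return False, "method"
    if "UDID" not in form:
        return False, "no-data"
    udid = form["UDID"].strip().upper()            # normalise before the format check
    if not UUID_RE.match(udid):
        return False, "bad-uuid"
    # Constant-time compare: a plain == would leak how much of the secret matched.
    if not hmac.compare_digest(EXPECTED_UA.encode(), user_agent.encode()):
        return False, "user-agent"
    computer_id = lookup(udid)                     # None -> UUID not in the Jamf database
    if not isinstance(computer_id, int) or computer_id <= 0:
        return False, "not-in-jamf"
    return True, str(computer_id)                  # only now would the EA update be sent
```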
Have you considered utilizing the certificate issued by Jamf Pro as part of the auth?
I love the idea to use the jamf pro certificate from keychain.
It's easy to create a certificate-based authentication for my server, but the problems come with the security restrictions from keychain.
The Jamf Pro Client Certificate and key are stored in the System Keychain; by default my script has no access.
I am able to export the Certificate but not the key, and for my curl connection to my secured Webserver I need both.
Of course, you could say then at least send the certificate to your script, but I don't gain any security by doing so, since this information can be extracted by any user. Let me know if you have a better idea! Thanks
Michael