Credentials - grahampugh/jamf-upload GitHub Wiki

JamfUploader processors can use either Jamf Pro user accounts or API Clients, and can read the credentials from various sources:

  • Keychain
  • AutoPkg preferences file
  • Command line options

If you haven't done so already, you'll need to create a service account with which the processors can interact with the API. It is recommended to create a user named something like AutoPkg, which you can do in the Jamf Pro admin interface in Management Settings > Jamf Pro User Accounts and Groups.

Keychain

It is recommended to use the Keychain to store your API credentials, as this provides the most secure method of authenticating to the API, and also provides the means to store the credentials of multiple Jamf Pro instances without having to supply the credentials each time you switch instances.

To import credentials into your Keychain, run the script in this repo named set-credentials.sh. This will ask you to enter the Jamf Pro URL (you can omit https://, but please include .jamfcloud.com or whatever your domain is, including any port and subdomain if you use these). Then it will ask you for the account name and password (or Client ID and Client Secret - it doesn't care which), store them in the keychain, and verify that they can connect to the Jamf Pro instance.

You still need to provide the URL in your AutoPkg workflow, either in the preferences or via command line, as described below.

Note for users of the Multitenant-Jamf-Tools - the set-credentials.sh script in the Multitenant-Jamf-Tools is compatible with this Keychain feature, so you can use either script.

Required variables

The following variable is used to identify the Jamf Pro URL:

  • JSS_URL

To add this to your AutoPkg preferences, run the following command:

defaults write com.github.autopkg JSS_URL "https://my.jamfcloud.com"

Alternatively, you can provide the URL as part of your autopkg command with the following flag:

autopkg run SomeRecipe.jamf --key JSS_URL="https://my.jamfcloud.com"

If you have added the credentials for that URL, you don't need to provide the credentials in your preferences file or via the command. However, if you wish to do so, the following variables are used to identify the account credentials"

  • API_USERNAME
  • API_PASSWORD

To add these to your AutoPkg preferences, run the following commands:

defaults write com.github.autopkg API_USERNAME myusername
defaults write com.github.autopkg API_PASSWORD "myVerySecretSecret"

Alternatively, you can provide the credentials as part of your autopkg command with the following flags:

autopkg run SomeRecipe.jamf --key JSS_URL="https://my.jamfcloud.com" --key API_USERNAME=myusername --key API_PASSWORD="myVerySecretSecret"

If using API Roles and Clients, the following variables are used to identify the API Client credentials:

  • CLIENT_ID
  • CLIENT_SECRET

To add these to your AutoPkg preferences, run the following commands:

defaults write com.github.autopkg CLIENT_ID SomeVeryLongStringThatRepresentsThisClientID
defaults write com.github.autopkg CLIENT_SECRET SomeVeryLongStringThatRepresentsThisClientIDsSecret

Alternatively, you can provide the credentials as part of your autopkg command with the following flag:

autopkg run SomeRecipe.jamf --key JSS_URL="https://my.jamfcloud.com" --key CLIENT_ID=SomeVeryLongStringThatRepresentsThisClientID --key CLIENT_SECRET=SomeVeryLongStringThatRepresentsThisClientIDsSecret

Note: JamfUploader determines whether the credential supplied is an account name or an API Client ID by checking if it is in the form of a version 4 UUID. So do not use version 4 UUIDs as account names for your API credentials!

Additional credentials for uploading packages to FileShare Distribution Points

If you are using an SMB Fileshare Distribution Point, you should additionally provide the following keys:

  • SMB_URL - this must be the full URL including share name, e.g. smb://my.dp.server.com/JPShare.
  • SMB_USERNAME
  • SMB_PASSWORD

For example:

defaults write com.github.autopkg SMB_URL "smb://myjamfdp.com/JPShare"
defaults write com.github.autopkg SMB_USERNAME jamfuser
defaults write com.github.autopkg SMB_PASSWORD AVerySecretThing456

These can alternatively be provided via command line arguments.