Jamf Pro API – Get Bearer Token

, ,

The Jamf Pro API can be utilized to perform actions on your Jamf Pro server in mass without having to log into the GUI to get it done. These actions can be deleting objects in Jamf Pro, reading inventory information, updating policies, etc… The possibilities are endless.

Each action performed with the Jamf Pro API requires an authorized user to carry out that action. Now, how do we authorize the action we want to perform? With the Classic API, we can simply pass our username and password in our curl command. Our Jamf API supports Bearer Token authorization. This means that Jamf Pro API leverages the same User Accounts and Groups functionality of Jamf Pro as the Classic API, but uses a token-based authentication scheme.

By default this generated token will remain valid for 30 minutes. A POST command to the /v1/auth/keep-alive endpoint will use a valid token to generate a new token with a new 30 minute validity period and will invalidate the previous token.

The steps to generate a token and use it are as follows:

  1. Request Token by sending a POST to /v1/auth/token.
  2. You should receive a response that includes a token and an expiration date similar to the following example:
{
    "token": "eyJhbGciOiJIUzUxMiJ9...",
    "expires": "2022-01-24T21:35:20.373Z"
}
  1. You can use the previously generated token to make calls to any other Jamf Pro API endpoint by including it in a header using the format Authorization: Bearer TOKEN_VALUE

We will now look at what this looks like in script form…

#!/bin/sh

# Get Bearer Token for Jamf Pro API

# Jamf User Credentials
jamfUser="api"
jamfPassword="P@ssw0rd"
jssURL="https://techitout.jamfcloud.com"

# Encode credentials
encodedCredentials=$( printf "${jamfUser}:${jamfPassword}" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )

# Generate an auth token
authToken=$( /usr/bin/curl "${jssURL}/uapi/auth/tokens" \
--silent \
--request POST \
--header "Authorization: Basic ${encodedCredentials}"
)

# Parse authToken for bearer token, omit expiration
token=$( /usr/bin/awk -F \" '{ print $4 }' <<< "${authToken}" | /usr/bin/xargs )

And that’s it, we have generated a bearer token for use with the Jamf Pro API. We can now add an API call to the end of this and take a look at our results. In this example we will be looking at an overview of our Jamf Pro server status. 

#!/bin/sh

# Get Bearer Token for Jamf Pro API
# Get Jamf Pro Status (/api/v1/jamf-pro-information)

# Jamf User Credentials
jamfUser="api"
jamfPassword="P@ssw0rd"
jssURL="https://techitout.jamfcloud.com"

# Encode credentials
encodedCredentials=$( printf "${jamfUser}:${jamfPassword}" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )

# Generate an auth token
authToken=$( /usr/bin/curl "${jssURL}/uapi/auth/tokens" \
--silent \
--request POST \
--header "Authorization: Basic ${encodedCredentials}"
)

# Parse authToken for bearer token, omit expiration
token=$( /usr/bin/awk -F \" '{ print $4 }' <<< "${authToken}" | /usr/bin/xargs )

# Get Jamf Pro Information
/usr/bin/curl --request GET \
--url ${jssURL}/api/v1/jamf-pro-information \
--header "Accept: application/json" \
--header "Authorization: Bearer ${token}

exit 0

Depending on your Jamf Pro server setup, your results may look like:

{
  "isVppTokenEnabled" : true,
  "isDepAccountEnabled" : true,
  "isUserMigrationEnabled" : true,
  "isCloudDeploymentsEnabled" : true,
  "isByodEnabled" : false,
  "isPatchEnabled" : true,
  "isSsoSamlEnabled" : true,
  "isSmtpEnabled" : true
}

Thanks for checking it out!

Leave a Reply

Blog at WordPress.com.

%d bloggers like this: