Jamf Pro API – Creating Accounts & Groups

To continue on my series of building a populated Jamf Pro server utilizing as much of the Jamf Pro API as possible, we will be building out our Jamf Pro Users & Groups. I have a folder in a Github repo with examples of how each option for the /JSSResource/accounts/ endpoint can be used, the link is: Here

Since the same baseline group of accounts will be created for each Jamf Pro server that is spun up, we can keep these users in an array for our script to read through and build into our server.

As with all our Jamf Pro API scripts, we will start out with setting our variables.

#!/bin/bash

# Jamf Pro API script to build categories
# Created: 5.23.2022 @robjschroeder

################################
# Variables - edit as needed

# Jamf Pro API Credentials
jamfProAPIUsername="apiUsername"
jamfProAPIPassword="apiPassword"
jamfProURL="https://server.jamfcloud.com"

# Create additional Jamf Pro administrators, these accounts will be created with a temporary password and forced to change upon first login
jamfProUsers="username1, First Last, First.Last@org.com
username2, First Last, First.Last@org.com
username3, First Last, First.Last@org.com
username4, First Last, First.Last@org.com"

# Temporary Password
tempPassword="T3mpP@ssw0rd"

Now that we’ve built our variables, we need to get our bearer token for authentication, we need to use the API to create our accounts, then we can invalidate our token when we are done. This can all be done with some simple functions. Using functions is a great idea because once you have built a function to do a certain task, like get a bearer token from our Jamf Pro server, you can take that function and apply it to any other script that will be doing the same step so you don’t have to re-write it each time you need to use it. In other cases it helps if you have to call the same function multiple times in the same script. Let’s build our functions for this script.

#
##################################################
# Functions -- no need to edit below

# Get a bearer token for Jamf Pro API Authentication
getBearerToken(){
	# Encode credentials
	encodedCredentials=$( printf "${jamfProAPIUsername}:${jamfProAPIPassword}" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )
	
	# Generate an auth token
	authToken=$( /usr/bin/curl "${jamfProURL}/uapi/auth/tokens" \
		--silent \
		--request POST \
		--header "Authorization: Basic ${encodedCredentials}" 
)
	
	# Parse authToken for token, omit expiration
	token=$( /usr/bin/awk -F \" '{ print $4 }' <<< "${authToken}" | /usr/bin/xargs )
}

# Invalidate the token when done
invalidateToken(){
	curl --request POST \
	--url ${jamfProURL}/api/v1/auth/invalidate-token \
	--header 'Accept: application/json' \
	--header "Authorization: Bearer ${token}"
}

# Create additional Jamf Pro Administrators
createJamfAdmins(){
	echo "$(date '+%A %W %Y %X'): Creating Jamf Pro Administrator accounts..."
	# Create local CSV of the defined Jamf Pro Users
	echo "$jamfProUsers" > /tmp/jamfProUsers.csv
	
	INPUT="/tmp/jamfProUsers.csv"
	OLDIFS=$IFS
	IFS=','
	[ ! -f $INPUT ] && { echo "$INPUT file not found"; exit 99; }
	while read username displayname email
	do
		curl --request POST \
		--url ${jamfProURL}/JSSResource/accounts/userid/0 \
		--header 'Accept: application/xml' \
		--header 'Content-Type: application/xml' \
		--header "Authorization: Bearer ${token}" \
		--data "<account><name>${username}</name><full_name>${displayname}</full_name><email>${email}</email><email_address>${email}</email_address><enabled>Enabled</enabled><privilege_set>Administrator</privilege_set><password>${tempPassword}</password><force_password_change>true</force_password_change></account>"
	done < $INPUT
	IFS=$OLDIFS
	sleep 1
	echo ""
}

We have our variables, we have our functions, now we just need our script to perform our steps. This is the simplest portion of the script.

#
##################################################
# Script Work
#

getBearerToken
createJamfAdmins
invalidateToken

exit 0

Putting it all together our script will look like:

#!/bin/bash

# Jamf Pro API script to build categories
# Created: 5.23.2022 @robjschroeder

################################
# Variables - edit as needed

# Jamf Pro API Credentials
jamfProAPIUsername="apiUsername"
jamfProAPIPassword="apiPassword"
jamfProURL="https://server.jamfcloud.com"

# Create additional Jamf Pro administrators, these accounts will be created with a temporary password and forced to change upon first login
jamfProUsers="username1, First Last, First.Last@org.com
username2, First Last, First.Last@org.com
username3, First Last, First.Last@org.com
username4, First Last, First.Last@org.com"

# Temporary Password
tempPassword="T3mpP@ssw0rd"

#
##################################################
# Functions -- no need to edit below

# Get a bearer token for Jamf Pro API Authentication
getBearerToken(){
	# Encode credentials
	encodedCredentials=$( printf "${jamfProAPIUsername}:${jamfProAPIPassword}" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i - )
	
	# Generate an auth token
	authToken=$( /usr/bin/curl "${jamfProURL}/uapi/auth/tokens" \
		--silent \
		--request POST \
		--header "Authorization: Basic ${encodedCredentials}" 
)
	
	# Parse authToken for token, omit expiration
	token=$( /usr/bin/awk -F \" '{ print $4 }' <<< "${authToken}" | /usr/bin/xargs )
}

# Invalidate the token when done
invalidateToken(){
	curl --request POST \
	--url ${jamfProURL}/api/v1/auth/invalidate-token \
	--header 'Accept: application/json' \
	--header "Authorization: Bearer ${token}"
}

# Create additional Jamf Pro Administrators
createJamfAdmins(){
	echo "$(date '+%A %W %Y %X'): Creating Jamf Pro Administrator accounts..."
	# Create local CSV of the defined Jamf Pro Users
	echo "$jamfProUsers" > /tmp/jamfProUsers.csv
	
	INPUT="/tmp/jamfProUsers.csv"
	OLDIFS=$IFS
	IFS=','
	[ ! -f $INPUT ] && { echo "$INPUT file not found"; exit 99; }
	while read username displayname email
	do
		curl --request POST \
		--url ${jamfProURL}/JSSResource/accounts/userid/0 \
		--header 'Accept: application/xml' \
		--header 'Content-Type: application/xml' \
		--header "Authorization: Bearer ${token}" \
		--data "<account><name>${username}</name><full_name>${displayname}</full_name><email>${email}</email><email_address>${email}</email_address><enabled>Enabled</enabled><privilege_set>Administrator</privilege_set><password>${tempPassword}</password><force_password_change>true</force_password_change></account>"
	done < $INPUT
	IFS=$OLDIFS
	sleep 1
	echo ""
}

#
##################################################
# Script Work
#

getBearerToken
createJamfAdmins
invalidateToken

exit 0

https://github.com/robjschroeder/Jamf-API-Scripts/blob/main/api-CreateUserAccounts.sh

Thanks for checking it out!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: