DerFlounder posted Updated script for obtaining, checking and renewing Bearer Tokens for the Classic and Jamf Pro APIs recently. It features some ways to load the credentials needed to run the script. Rich's examples tend to become the canonical way of doing a thing, and for good reason - they're clear and he explains things in a way people can understand.

In the comments on DerFlounder's post, Richard P. says he likes to store his API credentials in base64, though he acknowledges that it's just obfuscation. Maybe that would only thwart a really novice attacker, but the main thing is that he's thinking about security and adapting. He's not proposing obfuscation as a substitute for real security.

“For someone only just starting to use the API to make site changes in JAMF for computers with a script deployed, it makes sense to start using bearer tokens out of the gate for future. However, trying to avoid static accounts and passwords in the script and/or on the Mac, would it make sense to pre-base64 the account and password and put them in the script parameters so it's already there and not need to do the convert, pass it straight on to the token command?”

If you really, really have to run an API command from a user's workstation, and you understand the risks, you've got the right idea. But a user can absolutely get that information even though you've done some things to make it a little less obvious: script parameters reach the Mac in the clear, and base64 decodes with a single command. Ideally, API commands are for scripts running on administrator workstations or IT automations. If you supply them to client machines in any form, they're vulnerable.

Is there any way to avoid that for your application? Maybe your script could just prompt the user to pick a site, write their answer to a text file, and then call jamf recon? You could have a script extension attribute that reads the value from that file. Of course, then you'd need an administrator-run script that goes through all the devices not in a site and re-assigns them based on the information in the site extension attribute. That's not as slick and easy as having a device set its own site, but it's a lot safer.

Now, how about keeping the API credentials safe on the admin machines where API scripts are usually written and executed? Recognizing that there is no “one-size-fits-all” approach, Rich demonstrates several methods for obtaining the API credentials in his script:

- URL/User/Password variables at the top of the script.
- Prompt the admin to enter the secrets interactively.

Just to get it out of the way, the “correct” answer is of course “none of the above.” In enterprise-grade environments, sensitive services are run on hosts that are the least likely to be compromised and have managed security/audit controls. That means they'd never put production secrets on a user device… definitely never on any end-user devices, but also not even on an admin's.
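The "pick a site, write it to a file, run recon, let an extension attribute report it" pattern suggested above, as an added example that is not from the original post or from DerFlounder's script. Nothing on the client side holds an API credential; the admin-run job that actually assigns sites runs elsewhere. The file path, the site names and the prompt text are assumptions.

```bash
#!/bin/bash
# Added example (not from the original post or DerFlounder's script):
# client-side site selection that never needs API credentials.
# Assumed: SITE_FILE location and the list of allowed site names.

SITE_FILE="/Library/Management/site_choice.txt"   # assumed root-owned path
ALLOWED_SITES="Boston Chicago Denver"             # assumed site list

# Validate a choice against the allowed list so an end user cannot smuggle
# arbitrary text (e.g. XML) into the extension attribute value that the
# admin-side reassignment script will later trust.
site_is_allowed() {
    for s in $ALLOWED_SITES; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# Ask the logged-in user to choose a site with a native dialog (macOS only).
# Prints the chosen name; prints nothing if the user cancelled.
prompt_for_site() {
    list=$(printf '"%s", ' $ALLOWED_SITES)
    list=${list%, }
    /usr/bin/osascript -e "choose from list {$list} with prompt \"Select your site\"" 2>/dev/null
}

# Record the validated choice in a file only root can change (0644 so the
# extension attribute script, which also runs as root, can read it).
record_site_choice() {   # $1 = file, $2 = site
    site_is_allowed "$2" || return 1
    mkdir -p "$(dirname "$1")"
    printf '%s\n' "$2" > "$1"
    chmod 644 "$1"
}

# Body of the script extension attribute: emit the stored value in the
# <result></result> format Jamf expects; empty when nothing valid is recorded.
ea_site_result() {       # $1 = file
    site=""
    if [ -r "$1" ]; then
        site=$(head -n 1 "$1")
    fi
    site_is_allowed "$site" || site=""
    printf '<result>%s</result>\n' "$site"
}

main() {
    choice=$(prompt_for_site)
    if record_site_choice "$SITE_FILE" "$choice"; then
        /usr/local/bin/jamf recon      # push the new EA value to Jamf Pro
    else
        echo "No valid site chosen; nothing recorded" >&2
        exit 1
    fi
}

# Run the interactive flow only when invoked as "script run" from a policy,
# so the functions can also be sourced and reused by the EA script.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Deploy the prompt half as a policy script (called with `run`) and the `ea_site_result` half as the extension attribute; the admin-side job then queries the API for computers with no site, reads that EA, and assigns them, using credentials that only ever live on the admin workstation.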
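For the admin-workstation side, here is an added example (mine, not code from the original post or from DerFlounder's script) of the "prompt interactively" option alongside a login-keychain lookup, plus the token request itself. The one practitioner detail it adds to the discussion above is that even on an admin Mac a password passed as a `curl -u` argument is visible to every local user through `ps`, so the credentials and the bearer token go to curl through a config read from stdin (`-K -`) instead. `JSS_URL`, the keychain service name `jamf-api` and the `jamf-pro-version` call are assumptions; `/api/v1/auth/token` and `/api/v1/auth/invalidate-token` are the Jamf Pro API authentication endpoints.

```bash
#!/bin/bash
# Added example, not code from the original post or DerFlounder's script.
# Assumed: JSS_URL, the keychain service name, and the demo GET endpoint.

JSS_URL="${JSS_URL:-https://jamf.example.com}"     # assumed server
KEYCHAIN_SERVICE="jamf-api"                         # assumed keychain item name
API_USER="${API_USER:-}"
API_PASS="${API_PASS:-}"
TOKEN=""

# Resolve credentials: environment for automation, else the login keychain
# (macOS `security`), else an interactive prompt with echo turned off.
# The password never becomes a script argument or a file on disk.
get_api_credentials() {
    if [ -z "$API_USER" ]; then
        printf 'Jamf Pro API user: ' >&2
        read -r API_USER
    fi
    if [ -z "$API_PASS" ] && command -v security >/dev/null 2>&1; then
        API_PASS=$(security find-generic-password -a "$API_USER" \
                     -s "$KEYCHAIN_SERVICE" -w 2>/dev/null || true)
    fi
    if [ -z "$API_PASS" ]; then
        printf 'Password for %s: ' "$API_USER" >&2
        stty -echo; read -r API_PASS; stty echo; echo >&2
    fi
    [ -n "$API_USER" ] && [ -n "$API_PASS" ]
}

# Pull one string field out of the small JSON documents the auth endpoints
# return ({"token": "...", "expires": "..."}). Reads JSON on stdin.
extract_json_string() {   # $1 = key name
    sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Request a bearer token. The user:password pair is handed to curl as a
# config line on stdin, so it shows up in neither argv nor shell history.
get_bearer_token() {
    printf 'user = "%s:%s"\n' "$API_USER" "$API_PASS" |
        curl -s -K - -X POST -H 'Accept: application/json' "$JSS_URL/api/v1/auth/token"
}

# Authenticated request; the Authorization header also travels via stdin config.
api_call() {              # $1 = HTTP method, $2 = path under JSS_URL
    printf 'header = "Authorization: Bearer %s"\n' "$TOKEN" |
        curl -s -K - -X "$1" -H 'Accept: application/json' "$JSS_URL$2"
}

# Is the token still valid? "expires" is ISO 8601 UTC; truncating both sides
# to seconds lets a plain string comparison stand in for date parsing.
token_is_fresh() {        # $1 = expires value, $2 = now (defaults to current UTC)
    exp=$(printf '%.19s' "$1")
    now=$(printf '%.19s' "${2:-$(date -u +%Y-%m-%dT%H:%M:%S)}")
    expr "$exp" \> "$now" >/dev/null
}

main() {
    get_api_credentials || { echo "API credentials required" >&2; exit 1; }
    resp=$(get_bearer_token)
    API_PASS=""                         # drop the password once it has been used
    TOKEN=$(printf '%s' "$resp" | extract_json_string token)
    expires=$(printf '%s' "$resp" | extract_json_string expires)
    [ -n "$TOKEN" ] || { echo "token request failed: $resp" >&2; exit 1; }
    if token_is_fresh "$expires"; then
        api_call GET /api/v1/jamf-pro-version      # assumed demo endpoint
        echo
    fi
    # Invalidate the token when finished instead of letting it live out its expiry.
    api_call POST /api/v1/auth/invalidate-token >/dev/null
}

if [ "${1:-}" = "run" ]; then
    main
fi
```

To seed the keychain once per admin account, `security add-generic-password -a "$USER_NAME" -s jamf-api -w` prompts for the password without putting it on the command line; thereafter the script finds it without any prompt, and nothing about the credential is stored in the script itself.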