This script automates the process of setting a Recovery Lock on a macOS device via Jamf Pro, leveraging API calls to authenticate, retrieve device information, and issue a lock command. It ensures security by invalidating the API token after execution and provides detailed output at each step for easy monitoring and troubleshooting. Generate the…
#!/bin/bash
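# Step 1: Get the Jamf Pro URL from the enrolled client's Jamf preferences.
# The value is normalised to end in exactly one "/" so the "${jssurl}api/..."
# URLs built below are well-formed whether or not the plist stores a trailing slash.
jssurl=$( /usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url )
if [[ -z "$jssurl" ]]; then
  echo "Could not read jss_url from the Jamf preferences. Exiting."
  exit 1
fi
jssurl="${jssurl%/}/"
echo "JSS URL: $jssurl"
# Step 2: API credentials (base64 encoded, used as an HTTP Basic credential)
# are passed as Jamf script parameter $4.
apib64="$4"
# Recovery Lock Password is passed as parameter $5. It is forwarded as given
# (including an empty value), so the policy decides what is sent to Jamf Pro.
recpass="$5"
# NOTE(review): both values arrive as command-line arguments of this script
# and may be visible in process listings while it runs — confirm this is
# acceptable for the deployment before relying on it for a long-lived password.
if [[ -z "$apib64" ]]; then
  echo "Script parameter \$4 (base64 API credentials) is required. Exiting."
  exit 1
fi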
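#######################################
# Request a Jamf Pro API bearer token with the Basic credential in $apib64.
# Globals:   jssurl, apib64 (read); token (written)
# Outputs:   progress messages on stdout
# Returns:   0 on success; exits the script with status 1 if no token came back
#######################################
get_token() {
  echo "Getting Jamf Pro API token..."
  local jsonresponse
  # The Basic credential is handed to curl on stdin ("-H @-", curl >= 7.55)
  # instead of on its command line, so it is not visible in process listings
  # for the duration of the request.
  jsonresponse=$( printf 'authorization: Basic %s\n' "$apib64" \
    | /usr/bin/curl -s "${jssurl}api/v1/auth/token" \
      -H @- \
      -H "Content-Type: application/json" \
      -X POST )
  # Extract the token. The response body is passed to JXA as argv[0] rather
  # than interpolated into the script source, so a body containing a backtick
  # or "${" is treated as data instead of being evaluated as JavaScript.
  token=$( /usr/bin/osascript -l 'JavaScript' \
    -e 'function run(argv) { return JSON.parse(argv[0]).token; }' "$jsonresponse" )
  if [[ -z "$token" ]]; then
    echo "Failed to retrieve token. Exiting."
    exit 1
  fi
  echo "Received API token."
}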
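#######################################
# Invalidate the API token in $token once the script no longer needs it.
# Globals:   jssurl, token (read)
# Outputs:   progress messages on stdout; a warning on stderr if the server
#            did not acknowledge the invalidation
# Returns:   0 always (a failed invalidation is not fatal: the token expires on its own)
#######################################
invalidate_token() {
  # Nothing to do when no token was ever obtained.
  if [[ -z "$token" ]]; then
    echo "No API token to invalidate; skipping."
    return 0
  fi
  echo "Invalidating API token..."
  local httpcode
  # Only the HTTP status matters here; the response body is discarded.
  httpcode=$( /usr/bin/curl -s -o /dev/null -w '%{http_code}' "${jssurl}api/v1/auth/invalidate-token" \
    -H "Authorization: Bearer ${token}" \
    -H "Accept: application/json" \
    -X POST )
  if [[ "$httpcode" == 2* ]]; then
    echo "Token invalidated."
  else
    echo "Token invalidation returned HTTP ${httpcode:-none}; the token will expire on its own." >&2
  fi
  return 0
}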
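# Step 3: Get the UDID of the current computer (the IOPlatformUUID string
# from the IOPlatformExpertDevice entry in the IORegistry).
udid=$( /usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }' )
# Without a UDID the inventory lookup below cannot match this device,
# so stop before requesting a token at all.
if [[ -z "$udid" ]]; then
  echo "Failed to determine this computer's UDID. Exiting."
  exit 1
fi
echo "Computer UDID: $udid"
# Get the token (sets the global $token or exits)
get_token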
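# Step 4: Get the device's Jamf computer ID based on the UDID
echo "Fetching computer ID from Jamf Pro..."
computerrecord=$( /usr/bin/curl -s "${jssurl}api/v1/computers-inventory?section=GENERAL&filter=udid%3D%3D%22${udid}%22" \
  -H "Authorization: Bearer ${token}" \
  -H "Accept: application/json" )
# Extract the computer ID. The response body is passed to JXA as argv[0]
# (not spliced into the script text), so server-supplied content is parsed
# as JSON data and never evaluated as JavaScript.
# An empty results array makes JSON lookup throw; osascript then prints the
# error and returns nothing, which the emptiness check below handles.
id=$( /usr/bin/osascript -l 'JavaScript' \
  -e 'function run(argv) { return JSON.parse(argv[0]).results[0].id; }' "$computerrecord" )
if [[ -z "$id" ]]; then
  echo "Failed to retrieve computer ID. Exiting."
  invalidate_token
  exit 1
fi
echo "Jamf Computer ID: $id"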
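# Step 5: Fetch the management ID for the device
# NOTE(review): this pulls a single page of up to 2000 computers and searches
# it client-side; on a fleet larger than that the device may not be on the
# page and the lookup will fail — confirm the fleet size or add paging.
inventoryrecords=$( /usr/bin/curl -s "${jssurl}api/preview/computers?page-size=2000" \
  -H "Authorization: Bearer ${token}" \
  -H "Accept: application/json" )
# Find the management ID. Both the response body and the computer ID are
# passed as JXA arguments, so neither is interpolated into JavaScript source.
# Comparing as strings keeps the match independent of whether the API returns
# the id as a number or a string.
managementID=$( /usr/bin/osascript -l 'JavaScript' \
  -e 'function run(argv) { return JSON.parse(argv[0]).results.find(m => String(m.id) === argv[1]).managementId; }' \
  "$inventoryrecords" "$id" )
if [[ -z "$managementID" ]]; then
  echo "Failed to retrieve management ID. Exiting."
  invalidate_token
  exit 1
fi
echo "Jamf Management ID: $managementID"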
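# Step 6: Set Recovery Lock using the SetRecoveryLockCommand
echo "Setting Recovery Lock on the device..."
# Build the command body with JSON.stringify so the management ID and the
# password are escaped correctly. Assembling the document with a here-doc
# would let a password containing '"' or '\' break, or alter, the JSON.
JSONDATA=$( /usr/bin/osascript -l 'JavaScript' \
  -e 'function run(argv) { return JSON.stringify({ clientData: [{ managementId: argv[0], clientType: "COMPUTER" }], commandData: { commandType: "SET_RECOVERY_LOCK", newPassword: argv[1] } }); }' \
  "$managementID" "$recpass" )
if [[ -z "$JSONDATA" ]]; then
  echo "Failed to build the SetRecoveryLock command body. Exiting."
  invalidate_token
  exit 1
fi
# The body is streamed to curl on stdin (--data-binary @-) instead of being
# placed on its command line, so the new password does not appear in process
# listings. The HTTP status is appended on a line of its own so it can be
# split from the response body afterwards.
response=$( printf '%s' "$JSONDATA" \
  | /usr/bin/curl -s -w '\n%{http_code}' --location --request POST "${jssurl}api/preview/mdm/commands" \
    --header "Authorization: Bearer ${token}" \
    --header "Content-Type: application/json" \
    --data-binary @- )
httpcode=${response##*$'\n'}
body=${response%$'\n'*}
# Step 7: Invalidate the API token after execution, whatever the outcome
invalidate_token
# A non-2xx status (or no status at all when curl could not connect) means
# the command was not accepted; report it and fail the policy run.
if [[ "$httpcode" != 2* ]]; then
  echo "SetRecoveryLockCommand failed (HTTP ${httpcode:-none}): ${body}" >&2
  exit 1
fi
printf '%s\n' "$body"
echo "SetRecoveryLockCommand has been sent. Exiting script."
exit 0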