Jamf Pro API Basic Authentication is Deprecated

[cconard96]

Using basic username/password authentication with the Jamf Pro API is deprecated and expected to be removed around August-December this year.

Currently, this plugin only supports basic authentication.

Support for Bearer tokens will need added before Jamf Pro stops supporting the basic authentication. After basic authentication support is dropped by Jamf, a warning should be added to the plugin's configuration page stating that versions over X.Y doesn't support basic authentication. The option for basic authentication will be removed completely from the plugin in a future major version (probably version 4 which would align with GLPI 10.1).

[cconard96]

Also of note, bearer tokens were only added to Jamf Pro in 10.35 which is relatively recent. On-premises servers may not be updated to this version or later yet. A message would need added to the plugin config page.

There may also need to be documentation for how to generate these tokens.

[cconard96]

Re-read the documentation for the new authentication process and confirmed with contact at Jamf that basic authentication is used on an authentication endpoint and then that provides a short-lived token that is used for the other endpoints.

Since there are no changes needed as far as the GLPI admin is concerned, this is going to be pushed back to 3.1.0 just so 3.0.0 can be released in time for GLPI 10.

[bpenglase]

I'm on (Hosted) Jamf Pro, Version 10.39.1-t1656084637, and I think I'm running into this. In the server log, I'm getting the following when I try to use the plugin: 2022-07-22 14:21:31,158 [ERROR] [duledPool-8] [ntInstanceSyncCommService] - DeviceEnrollmentProgramException[responseCode=400, responseBody='oauth_problem_adviceBad Request', message='An error occurred during oauth token refresh'] Nothing loads when doing a discover on GLPI's side. Am I missing something, or running into this issue?

[cconard96]

Basic authentication should still be working unless your Jamf has the option deselected.

Basic authentication—Jamf will discontinue support for Basic authentication in the Classic API in a future release of Jamf Pro (estimated removal date: August-December 2022) for enhanced security. Jamf will provide additional information at a later date. To disable Basic authentication before support is removed, navigate to Settings > Jamf Pro User Accounts & Groups > Password Policy and deselect the Allow Basic authentication in addition to Bearer Token authentication checkbox.

[Coros]

Jamf has posted a depreciation timeline of March 2024 for basic authentication.

[cconard96]

I think more importantly, they've finally decided their "Pro" API should probably be stabilized at some point within the next decade and actually have a complete set of endpoints, and made the "Classic" API disabled by default starting in 10.42 (October 2022). When this plugin was started, their "Pro" API offered no useful endpoints for getting information about devices so this plugin still uses the Classic API for everything except getting the Jamf Pro version.

So, this plugin needs to have all API calls changed to use the newer API and that would probably mean rewriting a lot of the import/sync code because of changes to property names.

For me, my focus is on the development of GLPI itself and I am still looking for people to contribute to this plugin to keep it compatible with the latest Jamf and GLPI versions. I no longer work for a business that uses Jamf.

[cconard96]

Bearer token authentication will be used starting with version 3.1.0 (done in #128). I don't have an ETA yet for the beta or stable release for the next version yet.