jamf / JAWA

Jamf Automation and Webhook Assistant
MIT License

Error occurred: 401 Client Error #40

Closed mks-007 closed 1 year ago

mks-007 commented 1 year ago

After our Jamf Pro instance was updated to 10.47, I started to see these errors. I am running in Docker and have tried rebuilding it, with the same results.

Running /usr/bin/curl -s -X POST "https://xx.jamfcloud.com/api/v1/auth/token" -H "Authorization: Basic base64" in the console, I get the token.

/usr/local/jawa/app.py:35: DeprecationWarning: 'flask.escape' is deprecated and will be removed in Flask 2.4. Import 'markupsafe.escape' instead.
  from flask import (Flask, request, render_template,
INFO:jawa.views.home_view:[https://XX.jamfcloud.com] Attempting login for: jamfapi-account
INFO:jawa.views.home_view:Error occurred: 401 Client Error: for url: https://XX.jamfcloud.com/JSSResource/activationcode
INFO:jawa.bin.tokens:[https://XX.jamfcloud.com] Successfully invalidated token for logout.
INFO:jawa.views.home_view:Logging Out: jamfapi-account
INFO:jawa.views.home_view:[https://XX.jamfcloud.com] Attempting login for: jamfapi-rw
INFO:jawa.views.home_view:Error occurred: 401 Client Error: for url: https://XX.jamfcloud.com/JSSResource/activationcode
INFO:jawa.bin.tokens:[https://XX.jamfcloud.com] Successfully invalidated token for logout.
INFO:jawa.views.home_view:Logging Out: jamfapi-account

ball42 commented 1 year ago

Thanks for reporting this, @mks-007. Although it was not the meat of the issue, we are now making adjustments to import escape from markupsafe instead of flask.

The issue you're experiencing typically is a Jamf Pro privileges issue with the accounts. Can you verify that the accounts have access to the following items with the appropriate operations:

These base privileges are working in my testing (tested just now against Jamf Pro 10.47.0 and 10.48.0), so there doesn't appear to have been a breaking change with 10.47. Please review the privileges for the accounts you tried to make sure they are still set appropriately - if they are correct and you're still having issues, could you please try an admin account (purely for testing) and/or a brand new service account with the required privileges?

Additionally, it's worth pointing out that there are plans to decouple JAWA's auth/login from Jamf Pro user accounts in the future to eliminate these kinds of dependencies during login and to provide better gatekeeping (primary JAWA admin will control what other users can log in) than the current method provides. There's currently no timeline for this change, and there will still be a need for a Jamf Pro service account to perform API operations (Webhooks: CREATE, READ, UPDATE), but when this change does occur the requirement for the account to READ the Activation Code will be removed.

mks-007 commented 1 year ago

Hey @ball42

Thanks for the heads up, you were correct: the account looks like it reset after the upgrade. The Activation Code Read was not ticked, and after setting this it started to work as expected. We have the upgrade scheduled this weekend; I'll check the account after the upgrade.

Cheers Mark

ball42 commented 1 year ago

Copy that, glad you got it working @mks-007!
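
The diagnosis from this thread as a preflight check, added here as an example (not JAWA's code and not posted by either participant): it requests a token, then reads the Activation Code endpoint that failed in the log, so a rejected credential is told apart from a missing privilege. The function names, verdict strings and environment variable names are assumptions; the `token` field of the token response and the `/api/v1/auth/invalidate-token` endpoint are Jamf Pro API details not shown in the thread.

```python
import base64
import json
import os
import urllib.error
import urllib.request


def http_call(method, url, headers):
    """Default transport: return (status, body) instead of raising on HTTP errors."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def preflight(base_url, user, password, call=http_call):
    """Return (verdict, http_status) for a Jamf Pro account used to log in to JAWA."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, body = call("POST", f"{base_url}/api/v1/auth/token",
                        {"Authorization": f"Basic {basic}"})
    if status != 200:
        return "BAD_CREDENTIALS", status      # the token step itself failed
    bearer = {"Authorization": "Bearer " + json.loads(body)["token"],
              "Accept": "application/json"}
    try:
        status, _ = call("GET", f"{base_url}/JSSResource/activationcode", bearer)
        if status == 200:
            return "OK", status
        # The thread saw 401 here with a valid token; 403 is treated the
        # same way as an assumption.
        if status in (401, 403):
            return "MISSING_ACTIVATION_CODE_READ", status
        return "UNEXPECTED", status
    finally:
        # Revoke the probe token so the check leaves no live session behind.
        call("POST", f"{base_url}/api/v1/auth/invalidate-token", bearer)


if __name__ == "__main__":
    # Credentials come from the environment (hypothetical variable names),
    # never from the command line or the script itself.
    print(preflight(os.environ["JAMF_URL"].rstrip("/"),
                    os.environ["JAMF_USER"], os.environ["JAMF_PASSWORD"]))
```

Running it for each service account after a Jamf Pro upgrade catches a reset privilege set before JAWA logins start failing.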