
Preventing user and location inventory information from being changed by the jamf binary’s recon verb

You can allow or prevent local administrators on a managed computer from using the jamf binary to change User and Location inventory information in Jamf Pro. This is controlled by the "Allow local administrators to use the jamf binary recon verb to change User and Location inventory information in Jamf Pro" checkbox. The feature first appeared in Jamf Pro 10.20.x, but may not be well known.


This setting is enabled by default and can be configured by navigating to Settings > Computer Management > Inventory Collection in Jamf Pro.


This setting affects the following options of the jamf binary’s recon verb:


-endUsername
-realname
-email
-position
-building
-department
-phone
-room


Why disable this setting? If you have workflows which leverage the user and location information stored in Jamf Pro, being able to change that information from a managed Mac using the jamf binary’s recon verb may have security implications. In particular, PKI certificate authorities set up in Jamf Pro may use the user and location information stored in Jamf Pro to issue certificates to managed Macs.


In the context of certificates used for authentication, this may mean that an end user who is able to run the jamf binary’s recon verb can change the user and location stored in Jamf Pro from the managed Mac’s end, and so may be able to get authentication certificates for someone other than themselves assigned to their Mac.


If you do not have any workflows that use the recon verb’s options specified above, my advice is that you disable this setting and remove the ability of managed Macs to change the user and location information stored in Jamf Pro using the jamf binary’s recon verb.
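One way to check whether any of your workflows use those options before disabling the setting, as an added example that is not from the original post: the script below scans local copies of your scripts for jamf recon calls that pass any of the eight options listed above. The function names, the sample scripts and the assumption that your policy scripts are available as local files are all illustrative.

```bash
#!/bin/bash
# Added example: find "jamf recon" calls that set User and Location fields.
# The option names are the eight listed in the post.
USERLOC_FLAGS='endUsername|realname|email|position|building|department|phone|room'

# scan_recon_flags FILE...
# Prints "file:line:-option" for each User and Location option passed to
# jamf recon. Backslash-continued lines are joined; comment lines are skipped.
scan_recon_flags() {
  awk -v flags="$USERLOC_FLAGS" '
    FNR == 1 { buf = "" }
    {
      if (buf == "") start = FNR          # first line of this command
      line = $0
      cont = (line ~ /\\$/)               # trailing backslash: continues
      if (cont) sub(/\\$/, " ", line)
      buf = buf line
      if (cont) next
      cmd = buf; buf = ""
      if (cmd ~ /^[ \t]*#/ || tolower(cmd) !~ /jamf/) next
      n = split(cmd, w, /[ \t]+/); seen = 0
      for (i = 1; i <= n; i++) {
        if (w[i] == "recon") seen = 1     # only options after the verb count
        else if (seen && w[i] ~ ("^-(" flags ")$"))
          printf "%s:%d:%s\n", FILENAME, start, w[i]
      }
    }' "$@"
}

# Constructed sample scripts (not from the post) for a stand-alone run.
write_samples() {
  cat > "$1/enroll.sh" <<'EOF'
#!/bin/bash
# jamf recon -email old@example.com
/usr/local/bin/jamf recon -endUsername "$loggedInUser" \
  -department "Finance"
EOF
  cat > "$1/inventory.sh" <<'EOF'
#!/bin/bash
/usr/local/bin/jamf recon
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
(cd "$tmp" && scan_recon_flags enroll.sh inventory.sh)
rm -rf "$tmp"
```

Any line of output marks a script that would stop updating User and Location data once the checkbox is unchecked; a plain `jamf recon` inventory update produces no output.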
