Classic API Authentication Changes
Learn about changes to the supported authentication mechanisms for the Classic API.
Overview
This article describes the changes to the authentication mechanisms supported by the Classic API, beginning in version 10.35.0 of Jamf Pro, as well as recommendations on how to update your tools or applications to support these changes.
Client Credentials
Beginning in version 10.49.0 of Jamf Pro, support for client credentials based authentication was added to the Classic API. For more details see Client Credentials.
Bearer Token Authentication
Beginning in version 10.35.0 of Jamf Pro, the Classic API now accepts Bearer Token authentication. Tokens can be obtained from the Jamf Pro API using the /v1/auth/tokens endpoint. Please refer to the Jamf Pro API Overview documentation for more details on interacting with the Jamf Pro API.
Notice
As of version 10.35.0, multiple versions of authentication endpoints are supported by Jamf Pro, some of which have been deprecated and will be removed at a future date. When updating applications to support Bearer Token authentication, ensure that you use the latest version of the authentication endpoints. More information about endpoint deprecations can be found here.
Basic Authentication
Beginning in version 10.42.0, basic authentication in the Classic API will no longer be enabled by default for new Jamf Pro instances for enhanced security. Basic authentication in the Classic API is no longer supported and will be turned off for all 11.5.0 instances to provide enhanced security. To disable Basic authentication before support is removed, navigate to Settings > Jamf Pro User Accounts & Groups > Password Policy and deselect the Allow Basic authentication in addition to Bearer Token authentication checkbox.
Notice
The ability to obtain bearer tokens from the /v1/auth/tokens endpoint in the the Jamf Pro API is not impacted by the removal or disablement of basic authentication in the Classic API.
Attempting to interact with a Jamf Pro environment that has disabled support for Basic authentication will result in a 401 Unauthorized response. It is worth noting that this response is no different than the response received when using invalid credentials to interact with the Classic API via Basic authentication.
Resources and Best Practices
Jamf recommends providing backwards compatibility for your applications that interface with the Classic API. By implementing a version check of Jamf Pro, your application can determine whether Bearer Token authentication is supported (v10.35.0 or later) or if use of Basic authentication is required (v10.34.0 and earlier). The jamf-pro-version endpoint within the Jamf Pro API returns the version of the Jamf Pro Server, to help your application determine authentication compatibility with a given Jamf Pro Server. Jamf recommends including a preference to allow users to select the authentication schema based on their environment configuration or dynamically determining which authentication mechanism to use based on the Jamf Pro Server version.
In addition to the recommendations provided above, Jamf has updated the Postman Collection to now default to the use of Client Credentials authentication.
Updated 8 months ago