Configuring the Session Token Expiration for Account-Driven User Enrollment

Using the Jamf Pro API, you can configure when users are prompted to re-authenticate on devices enrolled with Account-Driven User Enrollment. This enforces device security in your organization by requiring users to log in to devices after a certain number of days.

You can include the following keys when configuring the session token for Account-Driven User Enrollment:
  • expirationIntervalDays: This key is required to configure the number of days, as an integer, after which users must re-authenticate.
  • enabled: This boolean key is required to enable re-authentication on devices enrolled using Account-Driven User Enrollment.

To configure the session token duration for all devices enrolled using Account-Driven User Enrollment, you can execute a command in Terminal similar to the following example:
curl -X PUT "https://JAMF_PRO_URL/api/v1/adue-session-token-settings" \
    -H "accept: application/json" -H "Authorization: Bearer <TOKEN HERE>" \
    -H "Content-Type: application/json" \
    -d '{"expirationIntervalDays":1,"enabled":true}'

This example configures the Account-Driven User Enrollment session to expire after one day. You should configure the session token duration based on the security standards for your organization.

For more information about how to generate a Bearer Token, see the Jamf Pro API Overview.
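The following wrapper is an added example, not part of the Jamf documentation. It validates both keys before sending them, emits enabled as a JSON boolean, refuses non-HTTPS URLs, and passes the token to curl on standard input so it does not appear in the process list. The JAMF_PRO_URL and JAMF_TOKEN environment variables, the function names, and the MAX_DAYS policy ceiling are assumptions.

```shell
#!/bin/sh
# Added example. MAX_DAYS is a hypothetical organizational ceiling, not a Jamf Pro limit.
MAX_DAYS="${MAX_DAYS:-30}"

# Print the JSON body for the settings endpoint, or fail on invalid input.
adue_payload() {
    days=$1
    enabled=$2
    case $days in
        # Reject empty, zero, leading-zero, negative and non-integer values.
        ''|0*|*[!0-9]*) echo "expirationIntervalDays must be a positive integer" >&2; return 1 ;;
    esac
    [ "$days" -le "$MAX_DAYS" ] || {
        echo "expirationIntervalDays must not exceed $MAX_DAYS" >&2; return 1; }
    case $enabled in
        true|false) ;;
        *) echo "enabled must be true or false" >&2; return 1 ;;
    esac
    # enabled is written unquoted so the API receives a boolean, not a string.
    printf '{"expirationIntervalDays":%s,"enabled":%s}' "$days" "$enabled"
}

# Send the settings to Jamf Pro. Usage: adue_put 1 true
adue_put() {
    body=$(adue_payload "$1" "$2") || return 1
    case $JAMF_PRO_URL in
        https://*) ;;
        *) echo "refusing to send a bearer token to a non-HTTPS URL" >&2; return 1 ;;
    esac
    [ -n "$JAMF_TOKEN" ] || { echo "JAMF_TOKEN is not set" >&2; return 1; }
    # -H @- reads the Authorization header from stdin (curl 7.55.0 or later).
    printf 'Authorization: Bearer %s\n' "$JAMF_TOKEN" |
        curl --fail --silent --show-error -X PUT \
            "$JAMF_PRO_URL/api/v1/adue-session-token-settings" \
            -H @- \
            -H "accept: application/json" \
            -H "Content-Type: application/json" \
            -d "$body"
}
```
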

Important:

After the session token expires, users must re-authenticate on the device after it checks in to Jamf Pro. When the session token expires, Jamf Pro can only send the Unmanage Device remote command to the device until the user re-authenticates or you unenroll and re-enroll the device.

To view the current session token expiration configuration, you can execute a command in Terminal similar to the following example:
curl -X GET "https://<JAMF_PRO_HOST:PORT>/api/v1/adue-session-token-settings" \
    -H "accept: application/json" -H "Authorization: Bearer <TOKEN HERE>"

You can also see if a device's session token is expired by viewing the Enrollment Session Token inventory information for the device.