Recovery Lock Enablement in macOS Using the Jamf Pro API

You can use the Jamf Pro API (Jamf Pro 10.32.x or later) to execute the Set Recovery Lock MDM command, which enables Recovery Lock. The process involves the following steps, both performed through the Jamf Pro API:

  1. Obtaining the management ID of target computers

  2. Sending the Set Recovery Lock MDM command to target computers

You can also include the newPassword key to set or clear the Recovery Lock password that is used to unlock the computer. The Recovery Lock password is stored in Jamf Pro. For more information about Recovery Lock, see "recoveryOS password" in Startup security in macOS in Apple Platform Deployment.

Obtaining the Management ID

The management ID of target computers is available only through the Jamf Pro API. To retrieve it, execute a command in Terminal similar to the following:
curl --location --request GET 'https://YOUR_JAMF_PRO_URL/api/preview/computers' --header 'Authorization: Bearer YOUR_BEARER_TOKEN'

The response contains information about the computer, including the management ID.

The default response contains information for 100 computers. If you have more than 100 computers in your environment, you can add the following query parameters to the endpoint URL to expand the response:

?page=#
    Retrieves a specified page of the response.

?page-size=###
    Increases the number of computers contained in each page of the response. The maximum page size is 2000.

To expand the response, execute a command in Terminal similar to the following example:
curl --location --request GET 'https://YOUR_JAMF_PRO_URL/api/preview/computers?page=2&page-size=2000' --header 'Authorization: Bearer YOUR_BEARER_TOKEN'

This command returns the second page of computers, with 2,000 computers listed per page.

Sending the Set Recovery Lock MDM command

You can enter the management ID of the target computer into a command to set the Recovery Lock on the computer via MDM.
Important:

For security reasons, Jamf does not recommend running scripts that contain user or API credentials from managed computers.

Requirements

A management ID for target computers

The following code sample demonstrates how to set Recovery Lock with a password (the request body must be valid JSON, so the last key in commandData has no trailing comma):

curl --location --request POST 'https://JAMF_PRO_URL/api/preview/mdm/commands' \
--header 'Authorization: Bearer JAMF_PRO_AUTH_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
    "clientData": [
        {
            "managementId": "A9C3D1F0-DCB2-4D52-84C6-D5AD60140B04",
            "clientType": "COMPUTER"
        }
    ],
    "commandData": {
        "commandType": "SET_RECOVERY_LOCK",
        "newPassword": "password"
    }
}'
Note:

To clear the password instead of setting it, set the newPassword key to an empty string.

The Recovery Lock is immediately set on target computers and the password is stored in Jamf Pro.
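As an added example (not Jamf's own code), the following Python script carries both steps above through end to end: it pages through /api/preview/computers, collects the management IDs, and sends a SET_RECOVERY_LOCK command per computer with a distinct, randomly generated password instead of the shared literal "password" from the sample (an empty string clears the lock, as noted above). It assumes the endpoints shown on this page, that the computers response carries a "results" array whose entries include "managementId", that the page index is 0-based, and that the bearer token is supplied through the JAMF_TOKEN environment variable on an administrator workstation rather than a managed computer; the sample response embedded below is constructed for illustration.

```python
import json
import os
import secrets
import string
import urllib.request

PAGE_SIZE = 2000  # maximum page size stated on this page

# Constructed sample of the computers response shape this script assumes.
SAMPLE_RESPONSE = {"totalCount": 2, "results": [
    {"id": "1", "managementId": "A9C3D1F0-DCB2-4D52-84C6-D5AD60140B04"},
    {"id": "2"}]}  # second entry lacks a managementId (e.g. not MDM-enrolled)


def computers_url(base, page, page_size=PAGE_SIZE):
    """Build the paged inventory URL from the page and page-size parameters."""
    return f"{base}/api/preview/computers?page={page}&page-size={page_size}"


def management_ids(response_json):
    """Extract management IDs, skipping computers that have none."""
    return [c["managementId"] for c in response_json.get("results", [])
            if c.get("managementId")]


def new_recovery_password(length=20):
    """Per-computer random password from a CSPRNG; Jamf Pro stores it."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def set_recovery_lock_body(management_id, password):
    """Request body for SET_RECOVERY_LOCK; password "" clears the lock."""
    return {"clientData": [{"managementId": management_id, "clientType": "COMPUTER"}],
            "commandData": {"commandType": "SET_RECOVERY_LOCK", "newPassword": password}}


def api_request(token, url, body=None):
    """GET (no body) or POST (JSON body) with a bearer token; returns parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if body else "GET",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def lock_all(token, base, page=0):  # page index assumed 0-based
    while True:
        batch = management_ids(api_request(token, computers_url(base, page)))
        for mid in batch:  # one command and one fresh password per computer
            api_request(token, f"{base}/api/preview/mdm/commands",
                        set_recovery_lock_body(mid, new_recovery_password()))
        if len(batch) < PAGE_SIZE:
            return
        page += 1


if __name__ == "__main__":
    lock_all(os.environ["JAMF_TOKEN"], os.environ["JAMF_PRO_URL"])
```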