JSS Hardcoded account information is bad

Jamf Admins, let’s take a minute to talk about hardcoded values in scripts.

It’s great that we’re a social community that publishes, shares, and modifies each other’s work on GitHub, but please sanitize that information.

Take this as an example:

To protect the original poster’s privacy, I’ve removed identifying information.
Note: Even though mm2270 is listed as the author of this script, the above was reposted under another GitHub account.

In plain text, this GitHub repo had the JSS URL, username, and password readily available… Slight problem… Anyone with the know-how can access that JSS.

One way to mitigate part of the problem is to use a local account with your JSS and enable SSO. That way they only have access to your JSS via the API; it’s a bit more work to do damage, but it still could be done. NEVER use a directory account for scripts.

Better yet, NEVER hardcode passwords in your scripts.

You can avoid hardcoding in the following ways.

Hardcode them in a plist

*This should never be done on a client machine


First, create a plist with your values.

Then you can load them as part of your script.

If you’ve got python-jss or AutoPkgr already installed, you can use those values in your script instead.

Prompt for the values when you run your script


Using osascript

Using shell


Passed as arguments through command line


Passed through the JSS


You can also use the above while executing locally, keeping in mind that $1, $2 and $3 are automatically assigned by the JSS.

sh pass_args_from_jss.sh a s d rderewianko.jamfcloud.com rderewianko mysecurepassword
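
The argument-passing approach above, as an added example that is not the original post's script: it reads the JSS URL, user and password from parameters 4 to 6, prompts on the terminal for anything missing, and hands the password to curl on stdin instead of on curl's command line. The function names and the Classic API path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's script; function names are hypothetical.
# The JSS fills $1-$3 itself, so URL, API user and password arrive as $4-$6.

# prompt_value LABEL [secret]: ask on the terminal, print the answer on stdout.
prompt_value() {
    printf '%s: ' "$1" >&2
    if [ "${2:-}" = "secret" ]; then
        stty -echo                      # keep the password off the screen
        IFS= read -r reply || true
        stty echo
        printf '\n' >&2
    else
        IFS= read -r reply || true
    fi
    printf '%s' "$reply"
}

# resolve_jss_credentials "$@": set JSS_URL, JSS_USER and JSS_PASS from $4-$6,
# prompting for whatever is missing. Returns 1 when a value cannot be obtained.
resolve_jss_credentials() {
    JSS_URL=${4:-}; JSS_USER=${5:-}; JSS_PASS=${6:-}
    if [ -z "$JSS_URL" ] || [ -z "$JSS_USER" ] || [ -z "$JSS_PASS" ]; then
        if [ ! -t 0 ]; then
            echo "JSS URL, user or password missing; no terminal to prompt on" >&2
            return 1
        fi
        [ -n "$JSS_URL" ]  || JSS_URL=$(prompt_value "JSS URL")
        [ -n "$JSS_USER" ] || JSS_USER=$(prompt_value "JSS API user")
        [ -n "$JSS_PASS" ] || JSS_PASS=$(prompt_value "JSS API password" secret)
    fi
    [ -n "$JSS_URL" ] && [ -n "$JSS_USER" ] && [ -n "$JSS_PASS" ] || return 1
    case $JSS_URL in
        https://*) ;;
        http://*)  echo "refusing to send credentials over plain http" >&2; return 1 ;;
        *)         JSS_URL="https://$JSS_URL" ;;   # bare hostname, as in the post
    esac
}

# curl_auth_config: print a curl config line for "curl --config -", so the
# password is read from stdin and does not appear in the process list.
curl_auth_config() {
    printf 'user = "%s"\n' "$(printf '%s:%s' "$JSS_USER" "$JSS_PASS" | sed 's/[\\"]/\\&/g')"
}

# Usage in a policy script (assumption: Classic API under /JSSResource):
#   resolve_jss_credentials "$@" || exit 1
#   curl_auth_config | curl --silent --config - "$JSS_URL/JSSResource/computers"
```

When run by hand, arguments end up in shell history and the process list, so leave the sixth parameter off and let the script prompt for the password.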


Again, if you do decide to hardcode the value into your script, please don’t publish that to GitHub. Sanitize your work before publishing.

If you do, people like myself will find it. Some of these people aren’t as nice about it, and could use it for malicious purposes.

If you happen to find credentials on GitHub, the MacAdmins Slack is a great place to start for getting ahold of the offender.


We’re here working together; let’s help keep each other secure.