Jamf Self Service Credential Helper

Secure, battle-tested patterns for user detection and credential prompting in Jamf and Kandji scripts

Install
cmdop skills install agensi-jamf-self-service-credential-helper

Jamf Self Service Credential Helper is a skill that provides scripting patterns for systems engineers who write Jamf Self Service or Kandji scripts on macOS. The core problem it addresses is that Jamf scripts run as the root user while user interaction happens in the logged-in user context, making it easy to inadvertently capture ‘root’ instead of the actual human user.

For user detection, the skill implements four distinct methods: stat, scutil, the $3 parameter, and console. Using multiple methods guards against edge cases such as fast user switching and macOS version differences that can cause any single approach to return incorrect results.

For credential prompting, the skill supplies production-ready script templates that use AppleScript and JamfHelper dialogs to collect passwords, then validate them against dscl or the macOS keychain. The templates are written to avoid logging sensitive data, following macOS security practices to prevent credential leakage in system logs.

The skill also includes adaptations for Kandji custom commands and Iru equivalents, making it usable beyond pure Jamf environments. Intended use cases include FileVault re-enforcement scripts, privilege elevation tools, and custom MDM workflows that require authenticated user interaction. It is not a general macOS scripting library and does not cover MDM enrollment, device inventory, or policy management outside of credential-related scripting patterns.

Use cases

  • Build a FileVault re-enforcement script that correctly identifies the logged-in user without returning root
  • Create a privilege elevation tool in Jamf Self Service that securely prompts for and validates a user password
  • Write a Kandji custom command that needs to authenticate the human user at runtime
  • Implement a credential prompt that validates against the macOS keychain without leaking secrets to logs
  • Handle fast-user-switching edge cases when detecting the active console user in a Jamf script
  • Port a Jamf Self Service credential workflow to a Kandji or Iru equivalent using the included adaptations

When to use it

  • Writing Jamf Self Service scripts that run as root but need to act on behalf of the logged-in user
  • Building MDM scripts for Kandji that require secure credential collection from the end user
  • Implementing FileVault key escrow or re-enforcement workflows that require user authentication
  • Constructing privilege elevation scripts where password validation against dscl or keychain is required
  • Avoiding common security mistakes around credential handling in macOS shell scripts

When not to use it

  • Managing MDM enrollment, device inventory, or policy configuration — this skill covers only credential scripting patterns
  • Non-Apple platforms; the patterns are specific to macOS and its tooling (scutil, dscl, JamfHelper, AppleScript)
  • Environments that do not use Jamf or Kandji as their MDM platform
  • General-purpose shell scripting assistance unrelated to user detection or credential prompting