In this article, we'll drop Canarytokens on macOS endpoints using a bash script that is deployed and executed through Jamf PRO.
The bash script is available on our GitHub. Download it, then configure it to run as a Jamf policy that drops the tokens on the selected endpoints.
The Bash Script
The bash script contains multiple variables that need to be set according to your deployment requirements. In this example we'll deploy an AWS API Key to the home (~) directory on multiple targets. The memo/reminder field will include the hostname of the device so that it's possible to determine where tokens have been deployed when responding to an incident.
The following variables need to be set within the script:
console: Your Console domain hash, e.g. xxxxyyyy.canary.tools
token: The type of token to be created, e.g. AWS API Key
tokenmemo: The reminder you'll see when investigating an alert. Environment variables such as $Hostname can be used to programmatically add the device's hostname to memo fields.
filepath: The directory you'd like the token to be downloaded to.
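A pre-flight check for these four settings, as an added example that is not part of the Thinkst script. The variable names follow the list above; the function names `build_memo` and `validate_config`, the validation rules and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample settings; variable names follow the article.
console="xxxxyyyy.canary.tools"
token="AWS API Key"
filepath="/Users/Shared"

# Build a memo that names the host, token type and drop location.
# $1 = hostname, $2 = token type, $3 = directory
build_memo() {
    printf '%s - %s - %s' "$1" "$2" "$3"
}

# Validate the settings; prints the reason and returns non-zero on failure.
# $1 = console, $2 = token, $3 = tokenmemo, $4 = filepath, $5 = hostname
validate_config() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) echo "console: empty or has invalid characters" >&2; return 1 ;;
        ?*.canary.tools) ;;
        *) echo "console: expected <hash>.canary.tools" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "token: type not set" >&2; return 2; }
    # A memo without the hostname cannot be traced back to a device.
    [ -n "$5" ] || { echo "tokenmemo: hostname is empty" >&2; return 3; }
    case "$3" in
        *'$'*) echo "tokenmemo: contains an unexpanded variable" >&2; return 3 ;;
        *"$5"*) ;;
        *) echo "tokenmemo: hostname missing from memo" >&2; return 3 ;;
    esac
    # A quoted "~" is never expanded, and Jamf runs scripts as root, so
    # require an absolute path that already exists.
    case "$4" in
        /*) ;;
        *) echo "filepath: must be an absolute path" >&2; return 4 ;;
    esac
    [ -d "$4" ] || { echo "filepath: directory not found" >&2; return 4; }
    return 0
}

host=$(uname -n)
tokenmemo=$(build_memo "$host" "$token" "$filepath")
validate_config "$console" "$token" "$tokenmemo" "$filepath" "$host" \
    || echo "preflight failed: fix the settings before uploading the script" >&2
```

Running it on a test Mac before pasting the real script into Jamf catches a memo that would arrive in the Console without a hostname, which is the field you rely on during incident response.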
Jamf PRO Policy
Jamf PRO administrators can create a policy that runs the bash script and deploys the Canarytokens to the target assets.
Deployment Steps
Create the script
- Go to Computer Management, then click Scripts.
- Click + New.
- Give the script a descriptive name.
- Go to the Script tab, paste the bash script content provided by Thinkst Canary Support into this window and hit Save.
Create the policy
- Click on Computer > Policies and then on + New.
- Give the policy a descriptive name, then scroll down and:
  - Check Recurring Check-in.
  - Check Automatically re-run policy on failure.
- Make sure Execution Frequency is Once per computer.
  - Assign the script to the policy, clicking on Scripts, then Configure.
  - Locate the previously configured script, then Add.
- Click on Scope, then select your preference: All Computers or Specific.
  - If Specific has been selected, Filter for computers you would like to drop tokens to.
- Click + Add.
And that’s it … next time the devices check in, they will have Canarytokens automatically deployed as per the configured settings.