In this article, we'll drop Canarytokens on macOS endpoints by deploying and executing a bash script with Jamf PRO.
The bash script is available on our GitHub. Download it, then configure it to run as a Jamf policy, which drops the tokens on the selected endpoints.
The Bash Script
The bash script contains multiple variables that need to be set according to your deployment requirements. In this example we'll deploy an AWS API Key to the home (~) directory on multiple targets. The memo/reminder field will include the hostname of the device so that it's possible to determine where tokens have been deployed when responding to an incident.
The following variables need to be set within the script:
- Your Console domain hash, e.g. xxxxyyyy.canary.tools
- The type of token to be created, e.g. AWS API Key
- The reminder you'll see when investigating an alert. Environment variables such as $Hostname can be used to programmatically add the device's hostname to memo fields.
- The directory you'd like the token to be downloaded to.
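The sketch below is an added example, not Thinkst's script: a pre-flight block that could sit ahead of the token creation step. It covers a point that matters for a home-directory drop: Jamf runs policy scripts as root and passes the logged-in user as `$3`, so `~` would otherwise resolve to root's home. The variable and function names (`DOMAIN`, `TOKEN_TYPE`, `USERS_ROOT`, `preflight` and the helpers) are assumptions chosen for illustration.

```bash
#!/bin/bash
# Added example: pre-flight checks for a Jamf-run token drop. Values are placeholders.
DOMAIN="xxxxyyyy.canary.tools"      # Console domain hash (the article's placeholder)
TOKEN_TYPE="AWS API Key"            # type of token to create
USERS_ROOT="${USERS_ROOT:-/Users}"  # where macOS keeps home directories

# Fail while the article's placeholder domain is still configured.
validate_config() {
  case "$DOMAIN" in
    ''|xxxxyyyy.canary.tools) echo "DOMAIN is not set" >&2; return 1 ;;
    *.canary.tools) return 0 ;;
    *) echo "DOMAIN does not look like a Console domain" >&2; return 1 ;;
  esac
}

# Jamf passes the logged-in user as $3; fall back to the console owner (macOS stat).
console_user() {
  if [ -n "$1" ]; then printf '%s' "$1"
  else stat -f%Su /dev/console 2>/dev/null; fi
}

# Jamf runs scripts as root, so "~" would be root's home. Resolve the user's home.
resolve_target_dir() {  # $1 = username
  case "$1" in
    ''|root|_*|*/*|.*) echo "no usable console user: '$1'" >&2; return 1 ;;
  esac
  [ -d "$USERS_ROOT/$1" ] || { echo "no home for $1" >&2; return 1; }
  printf '%s/%s' "$USERS_ROOT" "$1"
}

# Memo shown on the alert: token type plus hostname, so responders can find the device.
build_memo() {  # $1 = hostname, $2 = username
  printf '%s token dropped by Jamf on %s for %s' "$TOKEN_TYPE" "$1" "$2"
}

# Prints "<target dir>|<memo>" or returns non-zero so Jamf records a failed run.
preflight() {  # $1 = Jamf's $3, $2 = hostname (defaults to this host)
  validate_config || return 1
  pf_user=$(console_user "$1") || return 1
  pf_dir=$(resolve_target_dir "$pf_user") || return 1
  printf '%s|%s' "$pf_dir" "$(build_memo "${2:-$(hostname)}" "$pf_user")"
}
# In the Jamf script, before the token is created:  preflight "$3" || exit 1
```

When nobody is logged in at check-in, `preflight` returns non-zero; exiting with that status marks the run as failed, so a policy with “Automatically re-run policy on failure” checked tries again later.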
Jamf PRO Policy
Using the bash script, Jamf PRO administrators can create a policy that deploys the Canarytokens and apply it to the target assets.
Create the script
- Go to “Computer Management”, then click “Scripts”
- Click “(+) New”
- Give the script a descriptive name.
- Go to the “Script” tab, paste the bash script content provided by Thinkst Canary Support into this window and hit “save”
Create the policy
- Click on “Computers”, “Policies” and then on “(+) New”
- Give the policy a descriptive name, then scroll down and:
  - Check “Recurring Check-in”
  - Check “Automatically re-run policy on failure”
  - Make sure “Execution Frequency” is “Once per computer”
- Assign the script to the policy, clicking on “Scripts” then “Configure”
- Locate the previously configured script, then “Add”
- Click on “Scope”, then select your preference: “All Computers” or “Specific”
  - If “Specific” has been selected, filter for the computers you would like to drop tokens to.
- Click “(+) Add”
And that’s it … next time the devices check in, they will have Canarytokens automatically deployed as per the configured settings.