-
Notifications
You must be signed in to change notification settings - Fork 154
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
System Context Authorization on Windows not working - Unauthorized error #320
Comments
Hi @avivek. If the system you have tested this script on has installed JumpCloud using the user portal installation, the system would be unable to use system context API. In those cases that system has what's called a provisionerID - the JumpCloud UserID of the person who installed the agent on the system. Using the JumpCloud powershell module I can see all the systems installed in this way. If the system was enrolled in JumpCloud in this way it would make sense that the system context API is not available for this system. If that's the case, a read-only API key may be of interest. |
Thanks for the quick response @jworkmanjc . I have some questions:
|
Hi @avivek, There are some changes to our API documentation in flight, docs.jumpcloud.com should see a refresh soon. I also just placed a request to update the KB article to address this documentation debt. I agree that this is a drawback for some workflows. Most importantly if you need to use the system context API to write changes to a system (group membership) then they system must be enrolled with an Administrators connect key (not user portal installed). The advantage to using the system context API is that the systems themselves can move between system groups for automation workflows. If you need to move a system to another group without the system context API you'd need to use an API key with write access. The design decision behind preventing systems from using system context API through the user portal was in short made to prevent unauthorized access to resources. If for example, an employee installed JumpCloud on their personal computer and managed to use the system context API to move their system into a group which provided access to software, this would be an example of unintended resource granting. As such those systems enrolled through user portal installation are ineligible to use the system context API. Long story short the alternative scenario where a user gained access to resources they were not explicitly granted was a less desirable outcome. It would be nice if there was a switch or flag you could set on systems after enrollment which would enable use of the System Context API even after user portal install. This could exist as a feature request. Lastly did you find out if the system in question was enrolled with user portal installation or DEP? |
Thanks a lot for a detail explanation @jworkmanjc .
Again thanks for the clarifications. |
We are using the sample script from this repo.
A sample one which we tried was from the below url:
https://github.com/TheJumpCloud/support/blob/master/scripts/api/system_context/windows_examples/system_get_self.ps1
No changes made just the entire script used as is but still we get an Unauthorized error.
Can you please help??
The text was updated successfully, but these errors were encountered: