just use a shell script to push the JSON changes and use variables so that you can use pseudo random strings and also send an email to the network team so they can still access the radios.
Better yet, just use freeradius, mysql and daloradius and set up radius based authentication, then set the admin username to something long and complicated using cnmaestro to set it for the entire network. Once set, this will allow an offline access if needed but as soon as it connects to the network a VSA can be set to kick out any logged in users and then they must have valid credentials on the network or just disable local access once installed.
We did this via cnMaestro prior to upgrading to 4.7 a few months ago, but on many devices, it also changed device names somehow.
On the infrastructure devices (point to point and APs) it was easy enough to figure out which ones had been renamed by cnMaestro, but on the SMs it was (and it’s) a nightmare and we have no real idea of we’ve found and corrected every one or not.