#!/bin/bash
#Determine PSSO status of current console user logged in at time of recon
#Get current user logged in to device
currentUser=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
#Read local user directory record to see if AltSecurityIdentities attribute has been added by macOS
pssoe_status=$(dscl . read /Users/$currentUser dsAttrTypeStandard:AltSecurityIdentities | awk -F'SSO:' '/PlatformSSO/ {print $2}')
if [[ -z $pssoe_status ]]; then
echo "<result>No PSSOe registration found</result>"
else
echo "<result>Yes Entra ID account $pssoe_status registered to $currentUser</result>"
fi
Question
Extension Attribute to determine user PSSO status
+17
+3Thanks, it is very helpful. result is when i check PSSOe status is console,
for PSSOe registered mac, PSSOe status= <<empty>>
For PSSOe not registered mac, we get, PSSOe Status = No PSSOe registration found
above both are Extension attribute value under "inventory" tab
+3How to tackle this,
we registered PSSOe on mac and using EA we see in console result as per above script, we removed PSSOe config profile from the same mac and recon done, but still it shows, PSSOe status = Yes Entra ID account x@abc.com registered to x
+2How to tackle this,
we registered PSSOe on mac and using EA we see in console result as per above script, we removed PSSOe config profile from the same mac and recon done, but still it shows, PSSOe status = Yes Entra ID account x@abc.com registered to x
I have the same question - basically is there an automated way to remove all traces of Platform SSO enrollment after removing the profile? I tried deleting the platform SSO entry from Directory Utility, but that didn't change anything. I wonder if there's a command line solution to delete token from Secure Enclave and mark user as fully local again.
+17I have the same question - basically is there an automated way to remove all traces of Platform SSO enrollment after removing the profile? I tried deleting the platform SSO entry from Directory Utility, but that didn't change anything. I wonder if there's a command line solution to delete token from Secure Enclave and mark user as fully local again.
You could, if you wanted to tempt fate, remove the attribute manually via dscl . delete /Users/$USERNAME and the attributes. Personally, I'm not sure of the utility of that. If you remove the PSSO config profile from the device, the key is effectively destroyed and unusable. At that point, though, you would want to make an extension attribute reporting on the state of the machine registration and user enrollment. That's gonna be the "app-sso platform -s" command which does barf out a LOT of information you'll need to munge through. Think of awk sed grep as your friends here.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.