
Hello,

One of our users is requesting that we change their Name, Email, Username in all of our systems for their legal name change. 


I am wondering how that will work with Jamf Connect. The Jamf Connect login screen should authenticate to Okta and allow them in but I am curious if there are other steps we would need to do like changing the Record Name value or disconnecting/reconnecting the local account with the IDP account. 

Anyone have experience with this?

I have this question too!



Bump!


Bump!


You have to unbind the network account from the local account using this process:

https://learn.jamf.com/bundle/jamf-connect-documentation-2.18.0/page/Unmigrating_a_Local_Account.html

Once the unbind is complete, you will want to have the user log out of the computer, then log back in using the Jamf Connect login. Once authenticated, it will prompt for the user to connect to a new account on the computer. We had an issue initially where the Jamf Connect login would not ask to connect to any of the accounts, but would just continue to log in to the new account it had created (with no data). I had to delete this newer account, as Jamf Connect will default to that account if the names are the same. Once I deleted that newer account, we could do the login and account-connection process correctly.


I have this question too!



Check my response below


Sounds like a lot of manual labor. Going to submit a feature request for something more... scalable and/or automated. Probably won't gain a lot of traction - but worth a shot.


Upvote please - https://ideas.jamf.com/ideas/JN-I-26583


If you're using Okta and JAMF Connect, here's a script that I use. You won't be able to just copy/paste. You'll have to make necessary changes since I sanitized our company info... o.O 
I have an updated script that I'm working on that includes better logging, error handling, and a method to revert changes should anything go awry. Feel free to offer me a job if you want that one ;)

```bash
#!/bin/bash
###########################################################################################
# Script to modify the username on macOS so that it matches the user's Okta ID.
###########################################################################################

actionLabel="Continue"
# pick a corporate icon
icon="/usr/local/JamfConnect/xxxx.png"
Success="Username on MacBook and OKTA match. The Setup will now continue"

# Logging file
d=$(date +%Y-%m-%d--%I:%M:%S)
log="${d} Account_RENAME:"
logfile="/Library/xx/logs/Account_RENAME.log"
mkdir -p /Library/xx/logs
# Create the log file
touch "$logfile"
# Root-owned, world-readable log; the script runs as root, so it does not need to be world-writable
chmod 644 "$logfile"

StartRenameScript(){
    # Begin Logging
    echo "${log} ## Rename Script Begin ##" 2>&1 | tee -a "$logfile"

    # Ensures that script is run as ROOT
    if [[ "${UID}" != 0 ]]; then
        echo "${log} Error: $0 script must be run as root" 2>&1 | tee -a "$logfile"
        exit 1
    fi

    oldUser=$loggedInUser
    newUser=$OKTACheck

    # Test to ensure account update is needed
    if [[ "${oldUser}" == "${newUser}" ]]; then
        echo "${log} Error: Account ${oldUser} is the same name as ${newUser}" 2>&1 | tee -a "$logfile"
        exit 0
    fi

    # Query existing user accounts
    readonly existingUsers=($(dscl . -list /Users | grep -Ev "^_|com.*|root|nobody|daemon|\\/" | cut -d, -f1 | sed 's|CN=||g'))

    # Ensure old user account is correct and account exists on system
    if [[ ! " ${existingUsers[@]} " =~ " ${oldUser} " ]]; then
        echo "${log} Error: ${oldUser} account not present on system to update" 2>&1 | tee -a "$logfile"
        exit 1
    fi

    # Ensure new user account is not already in use
    if [[ " ${existingUsers[@]} " =~ " ${newUser} " ]]; then
        echo "${log} Error: ${newUser} account already present on system. Cannot add duplicate" 2>&1 | tee -a "$logfile"
        exit 1
    fi

    # Query existing home folders
    readonly existingHomeFolders=($(ls /Users))

    # Ensure existing home folder is not in use
    if [[ " ${existingHomeFolders[@]} " =~ " ${newUser} " ]]; then
        echo "${log} Error: ${newUser} home folder already in use on system. Cannot add duplicate" 2>&1 | tee -a "$logfile"
        exit 1
    fi

    # Check if username differs from home directory name
    actual=$(eval echo "~${oldUser}")
    if [[ "/Users/${oldUser}" != "$actual" ]]; then
        echo "${log} Error: Username differs from home directory name!" 2>&1 | tee -a "$logfile"
        echo "${log} Error: home directory: ${actual} should be: /Users/${oldUser}." 2>&1 | tee -a "$logfile"
    fi

    # Updates NFS home directory
    ORGhomeFolder=$(dscl . read "/Users/$oldUser" NFSHomeDirectory | cut -d: -f 2 | sed "s/^ *//" | tr -d "\\n")
    sudo dscl . -change "/Users/$oldUser" NFSHomeDirectory "${ORGhomeFolder}" "/Users/$newUser"
    rc=$?
    if [[ $rc -ne 0 ]]; then
        echo "${log} Could not rename the user's home directory pointer, aborting further changes! - err=${rc}" 2>&1 | tee -a "$logfile"
        echo "${log} Reverting Home Directory changes" 2>&1 | tee -a "$logfile"
        sudo dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${ORGhomeFolder}"
        exit 1
    else
        echo "${log} NFSHomeDirectory successfully changed to /Users/${newUser}" 2>&1 | tee -a "$logfile"
    fi

    # Actual username change
    sudo dscl . -change "/Users/$oldUser" RecordName "$oldUser" "$newUser"
    rc=$?
    if [[ $rc -ne 0 ]]; then
        echo "${log} Could not rename the user's RecordName in dscl - the user should still be able to login, but with user name ${oldUser}" 2>&1 | tee -a "$logfile"
        # The RecordName change failed, so only the home directory pointer needs reverting
        echo "${log} Reverting Home Directory changes" 2>&1 | tee -a "$logfile"
        sudo dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${ORGhomeFolder}"
        exit 1
    else
        echo "${log} RecordName successfully changed to ${newUser}" 2>&1 | tee -a "$logfile"
    fi

    # Updates name of home directory to new username
    sudo mv "$ORGhomeFolder" "/Users/$newUser"
    rc=$?
    if [[ $rc -ne 0 ]]; then
        echo "${log} Could not rename the user's home directory in /Users" 2>&1 | tee -a "$logfile"
        # RecordName is already ${newUser} at this point, so the record must be addressed by its new name
        echo "${log} Reverting username change" 2>&1 | tee -a "$logfile"
        sudo dscl . -change "/Users/${newUser}" RecordName "${newUser}" "${oldUser}"
        echo "${log} Reverting Home Directory changes" 2>&1 | tee -a "$logfile"
        sudo dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${ORGhomeFolder}"
        exit 1
    else
        echo "${log} HomeDirectory successfully changed to /Users/${newUser}" 2>&1 | tee -a "$logfile"
    fi

    # Links old home directory to new. Fixes dock mapping issue
    sudo ln -s "/Users/$newUser" "$homeFolder"

    # Fixing the permissions on the Home Directory
    sudo chown -R "$newUser:staff" "/Users/$newUser"

    # Updating all other entries of Directory Utility
    for attr in _writers_AvatarRepresentation _writers_hint _writers_jpegphoto _writers_passwd \
                _writers_picture _writers_unlockOptions _writers_UserCertificate; do
        sudo dscl . -change "/Users/$newUser" "dsAttrTypeNative:${attr}" "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
    done

    # Success message
    read -r -d '' successOutput <<EOM
Success
${oldUser} username has been updated to ${newUser}
Folder "${ORGhomeFolder}" has been renamed to "/Users/${newUser}"
RecordName: ${newUser}
NFSHomeDirectory: "/Users/${newUser}"
SYSTEM RESTARTING in 2 minutes to complete username update.
EOM
    echo "${log} ${successOutput}" 2>&1 | tee -a "$logfile"

    # System restart
    sleep 10
    sudo jamf policy -event RestartMyMacbook
}

FetchOKTAID(){
    # Dialog output looks like "button returned:Continue, text returned:<id>", so field 3 is the ID
    OKTACheck=$(osascript -e 'display dialog "Please Enter your OKTA ID." default answer "" buttons {"Continue"} default button 1' | tr '[:upper:]' '[:lower:]' | awk -F ':' '{print $3}')
    echo "$OKTACheck"
    callButton=$(osascript -e 'display dialog "The OKTA ID entered is '"$OKTACheck"'. If it is correct, please click Confirm. Else, click on Re-Enter." buttons {"Confirm", "Re-Enter"} default button "Confirm"')
    if [[ $callButton == "button returned:Confirm" ]]; then
        if [ "$loggedInUser" == "$OKTACheck" ]; then
            echo "Usernames Match OKTA ID: $OKTACheck and MacBook User ID: $loggedInUser"
            "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "$icon" -title "$title" -description "$Success" -button1 "$actionLabel" -defaultButton 1 -lockHUD -startlaunchd -windowPosition center -timeout 5
        else
            echo "Usernames Don't Match OKTA ID: $OKTACheck and MacBook User ID: $loggedInUser"
            StartRenameScript
        fi
    else
        FetchOKTAID
    fi
}

AlertUser(){
    # Console user via scutil; this replaces the python snippet from the original post, which
    # needs the python 2 interpreter that Apple removed from macOS 12.3 and later
    loggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    loggedInUID=$(id -u "$loggedInUser")
    homeFolder=$(dscl . read "/Users/$loggedInUser" NFSHomeDirectory | cut -d: -f 2 | sed "s/^ *//" | tr -d "\\n")
    title="Annoying IT Alert"
    message="We will check the username used to setup this device. If it is not as per IT Standards, this tool will modify the username as per the policy and automatically restart the device. The device setup will continue post restart"

    # Call window with appropriate messaging
    userClick=$( "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "$icon" -title "$title" -description "$message" -button1 "$actionLabel" -defaultButton 1 -lockHUD -startlaunchd -windowPosition center )

    # Call function to capture user input
    jamfHelperClick
}

jamfHelperClick() {
    if [[ $userClick == 0 ]]; then
        echo "$loggedInUser chose to proceed..."
        FetchOKTAID
    elif [[ $userClick == 2 ]]; then
        echo "$loggedInUser Aborted Tool"
        exit 0
    fi
}

AlertUser
exit 0
```
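As an added example, not part of the post above and not Jamf's or the poster's code: the pre-flight checks a rename script like that one needs, written as POSIX sh functions that take the text `dscl . -list /Users`, `ls /Users` and `dscl . read ... NFSHomeDirectory` would print, with constructed sample data in place of a real Mac, so the logic can be exercised offline before it is wired to the real commands. It goes a little beyond the post's script in two places: it rejects a new name that is not a plain short name (the dialog accepts anything, including an e-mail style Okta ID, and the script passes it straight to dscl and mv), and it refuses, rather than only logs, when the record's NFSHomeDirectory does not point at /Users/<old>. The account names and folder listing are made up for the example.

```shell
#!/bin/sh
# Added example, not the script from the post above: pre-flight checks for a
# local macOS account rename, split out from the dscl/mv calls so they can be
# exercised offline. Inputs are the text that `dscl . -list /Users`,
# `ls /Users` and `dscl . read /Users/<old> NFSHomeDirectory` would print;
# here they are passed in as strings (constructed sample data below).

# "NFSHomeDirectory: /Users/alice" -> "/Users/alice"
parse_nfs_home() {
    printf '%s\n' "$1" | sed -n 's/^NFSHomeDirectory: *//p'
}

# Drop system accounts from a raw `dscl . -list /Users` listing. The patterns
# are anchored, so a real user such as "rootbeer" is not hidden the way the
# post's unanchored "root|com.*" filter would hide it. Reads stdin, writes stdout.
filter_local_users() {
    grep -Ev '^(_|root$|nobody$|daemon$|com\.)' | grep -v '/'
}

# Returns 0 if renaming $1 to $2 is safe to attempt, else a code naming the
# failed check. $3 = user listing, $4 = /Users listing, $5 = NFSHomeDirectory
# line for $1. Root is assumed (the caller enforces it, as the post's script does).
#   2 names identical    3 new name unsafe for dscl/mv    4 old user missing
#   5 new user exists    6 new home folder exists         7 home dir mismatch
check_rename_preconditions() {
    old="$1"; new="$2"; users="$3"; homes="$4"; home_line="$5"

    [ "$old" != "$new" ] || return 2

    # The post's script lowercases the typed Okta ID but otherwise passes it
    # straight to dscl and mv; reject anything outside a plain short name
    # (an e-mail style ID with '@', a space, or a '/' would all land here).
    [ -n "$new" ] || return 3
    case "$new" in
        [!a-z_]*) return 3 ;;
        *[!a-z0-9._-]*) return 3 ;;
    esac

    printf '%s\n' "$users" | grep -qxF "$old" || return 4
    if printf '%s\n' "$users" | grep -qxF "$new"; then return 5; fi
    if printf '%s\n' "$homes" | grep -qxF "$new"; then return 6; fi

    # The post's script only logs this mismatch and carries on; a renamed
    # record that points at someone else's folder is worth refusing instead.
    [ "$(parse_nfs_home "$home_line")" = "/Users/$old" ] || return 7
    return 0
}

# Constructed sample data standing in for the dscl and ls output.
SAMPLE_USERS="_mbsetupuser
root
nobody
daemon
alice
admin
company"
SAMPLE_HOMES=".localized
Shared
alice
admin
bob"

# Walk a few renames through the checks and print the verdict for each.
demo() {
    for pair in "alice alice" "alice a.smith@example.com" "carol dave" \
                "alice admin" "alice bob" "alice alice.smith"; do
        set -- $pair
        check_rename_preconditions "$1" "$2" "$SAMPLE_USERS" "$SAMPLE_HOMES" \
            "NFSHomeDirectory: /Users/$1"
        echo "$1 -> $2: code $?"
    done
}
demo
```

In the post's script these checks are interleaved with the dscl and mv calls and each failure exits; keeping them in one function that returns a code lets the caller log a precise reason and abort before anything on the system has been touched.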