Solved

Intune Extension Attribute

  • August 26, 2019
  • 29 replies
  • 212 views


Just wondering if anyone has come up with an extension attribute for Intune integration. Looking to use a smart group to keep track of devices (or users) not yet enrolled in Intune.

  • New Contributor
  • August 26, 2019

What version of Jamf Pro are you running? Recent versions have added a couple InTune/AAD related things that can be used to report. I haven't found a need to use an EA anymore like I used to.


  • Contributor
  • August 26, 2019

I'm also looking for this. At least in 10.12, while there is an Azure AD ID you can pull as a data point for a registered Mac, you cannot use that as a criteria for group membership.


ThijsX
  • Employee
  • Answer
  • August 27, 2019

Hi,

See below my EA, it will get the Azure ID from the current logged in user and report it back to Jamf Pro.
You can set a smart group to show all none and mark that as not-registered

#!/bin/bash

# Get the user logged in at the console (empty at the login window)
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

# Pull the UniqueId value out of the Company Portal user context file
# (path quoted because "Application Support" contains a space)
AADUNIQUEID="$(grep UniqueId "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" | awk -F'"' '{print $2}')"

if [[ "${AADUNIQUEID}" == "" ]]; then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUNIQUEID}</result>"
fi

exit 0

  • Author
  • Contributor
  • September 10, 2019

Thanks Thijs! That's exactly what I needed to get this deployed.


  • Contributor
  • May 18, 2020

Hi @txhaflaire, sounds like it doesn't work with the recent version of the Intune client. Could you assist, please? Thank you in advance,


ThijsX
  • Employee
  • May 18, 2020

@JamelB Please explain? It still works in our env. Jamf Pro collects this value out of the box at the moment though!


  • Contributor
  • May 18, 2020

Thank you @txhaflaire When I run the command locally, you can see the behaviour in the screenshot attached. The AADUNIQUEID is empty even if it exists in the xml file.

https://ibb.co/mDfbQtD


ThijsX
  • Employee
  • May 18, 2020

@JamelB does the $loggedInUser get populated correctly on the device?


  • Contributor
  • May 18, 2020

@txhaflaire Yes it is

https://ibb.co/3p66pr3


  • Contributor
  • May 25, 2020

@txhaflaire any chance to assist? Thank you


  • Valued Contributor
  • June 6, 2020

This stopped working for me as well. I was able to modify the EA to use PlistBuddy instead of grep.

#!/bin/bash

# User logged in at the console
loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

# Path quoted because "Application Support" contains a space
AADUNIQUEID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" | grep aadUniqueId | cut -d '=' -f2 | xargs)"

if [[ "${AADUNIQUEID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUNIQUEID}</result>"
fi

exit 0

  • Contributor
  • June 15, 2020

Daniel's EA worked for me. The built-in Azure AD values don't seem consistent, especially between the different views inside Jamf Pro.

This is consistent enough for a Smart Group


  • Contributor
  • June 19, 2020

@daniel.behan awesome, it works perfectly, thank you very much :)


  • Contributor
  • April 9, 2021

If anyone's looking at this in 2021; the name of the Company Portal .info file has changed to

com.microsoft.CompanyPortalMac.usercontext.info

Note the additional "Mac" in the filename.
Modify that in Daniel's script and you are good to go!


  • New Contributor
  • June 3, 2021

Wondering if this is still working for everyone? I just tried in Jamf 10.29.2 with Intune Company Portal 2.14 installed and it does not appear to be working.


  • Contributor
  • June 14, 2021

@matt.vin I just set this up today. This grep script worked for me when I changed the name of the file as mentioned above. The other script I found out there using awk didn't work for me today. I had never used either prior.


  • Valued Contributor
  • June 16, 2021

Hey everyone. Thank you all for keeping this thread going it's been a great help to me. I, unfortunately, didn't have much luck with the first script, and had some success with Daniel's script after updating the .plist name with the 'Mac' value. When I ran Daniel's script with the updated 'Mac' name value it would return a UUID-looking string.

I inspected the com.microsoft.CompanyPortalMac.usercontext.info file and observed the 'aadUniqueID' is a UUID value while the 'aadUserID' value is the UPN of the account signed in with Intune. I just modified Daniel's script replacing the 'aadUniqueID' entries with 'aadUserID' and it spits out the UPN just fine.

I hope this helps.

Company Portal 2.16.210501

#!/bin/sh

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

AADUSERID="$(/usr/libexec/PlistBuddy -c Print /Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info | grep aadUserId | cut -d '=' -f2 | xargs)"

if [[ "${AADUSERID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0

  • Contributor
  • December 30, 2021

I tried your script as well and the result is none even though I enrolled it in Intune.

Any idea?


  • Contributor
  • January 6, 2022

Can you manually check that the device has an AAUserID? Does Jamf list it in "Local Accounts" on a device inventory?


  • Contributor
  • January 6, 2022

Hi,

I checked and yes, it does list an AADUserID.


  • Valued Contributor
  • January 19, 2022

Hey Harrie,

I apologize for replying so late. Is your script now returning the enrolled AADUSERID user? If you go to the .info file does it show a user enrolled? - 

/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info

EngineerO
  • Contributor
  • February 16, 2022

hey,

try this. Levi forgot to add quotes around the file path :) And I adjusted the way to get the current user as the command above also showed other users logged in.

#!/bin/sh

loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

AADUSERID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info" | grep aadUserId | cut -d '=' -f2 | xargs)"

if [[ "${AADUSERID}" == "" ]] ; then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0


  • Contributor
  • February 16, 2022

This seems to work

 

thnx


  • New Contributor
  • March 25, 2022

Thanks for the tip! The quotes did the trick!


  • New Contributor
  • September 15, 2022

You can also get PlistBuddy to print the value directly instead of parsing it out:

#!/bin/sh

loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

# Print the aadUserId key directly; the path is quoted because it contains a space
AADUSERID="$(/usr/libexec/PlistBuddy -c 'Print:aadUserId' "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info")"

if [[ "${AADUSERID}" == "" ]] ; then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0
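
Added example, not posted by any participant in this thread: one extension attribute that combines the fixes discussed above (quoted path, both Company Portal file names, direct key lookup) and validates the value before reporting it, since the `.info` file sits in the user's own Library and the result drives Smart Group membership. The function names and the overridable `PLISTBUDDY` variable are hypothetical; the `/Users/<user>` home path is the same assumption the thread's scripts make.

```shell
#!/bin/sh
# Added example, not code from the thread. PLISTBUDDY is overridable for testing.
PLISTBUDDY="${PLISTBUDDY:-/usr/libexec/PlistBuddy}"

# Owner of /dev/console; fails when nobody is logged in at the GUI.
console_user() {
    u=$(/usr/bin/stat -f%Su /dev/console 2>/dev/null) || return 1
    case "$u" in ''|root|loginwindow) return 1 ;; esac
    printf '%s\n' "$u"
}

# Current Company Portal file name first, then the older one (both named in the thread).
context_file() {   # $1 = home directory
    for n in com.microsoft.CompanyPortalMac.usercontext.info \
             com.microsoft.CompanyPortal.usercontext.info; do
        f="$1/Library/Application Support/$n"
        # Regular files only; a symlink in the user's Library is skipped.
        if [ -f "$f" ] && [ ! -L "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# The file is writable by the user, so accept only a UUID (aadUniqueId) or a
# UPN-shaped string (aadUserId); anything else is reported as None.
clean_value() {
    printf '%s' "$1" | tr '\n' ' ' | LC_ALL=C grep -Eix \
        '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}|[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}' \
        || printf 'None'
}

ea_result() {   # $1 = home directory, $2 = plist key (aadUserId or aadUniqueId)
    f=$(context_file "$1") || { echo "<result>None</result>"; return 0; }
    # PlistBuddy error text and non-zero exits both end up as an empty value.
    v=$("$PLISTBUDDY" -c "Print :$2" "$f" 2>/dev/null) || v=""
    echo "<result>$(clean_value "$v")</result>"
}

# Report only where PlistBuddy exists (macOS); no console user means None.
if [ -x "$PLISTBUDDY" ]; then
    if user=$(console_user); then
        ea_result "/Users/$user" aadUserId
    else
        echo "<result>None</result>"
    fi
fi
```

Pass `aadUniqueId` instead of `aadUserId` in the last block to report the UUID rather than the UPN.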