Is there any way to get the password sync status from the new Self Service+ as Extension Attribute?
Would be really nice to see if Google and the local user are in sync. Other ways to achieve it are welcome 😀
Best answer by h1431532403240
Hi Pascal57854254,
Great question! Yes, you can absolutely get the password sync status from Self Service+ (which embeds Jamf Connect Menu Bar functionality) as an Extension Attribute. The key data is stored in the same plist location as traditional Jamf Connect.
Understanding the Password Sync Status
Self Service+ stores Jamf Connect state information in:
`~/Library/Preferences/com.jamf.connect.state.plist`

The key value for password sync status is:

`PasswordCurrent`
Extension Attribute Script for Password Sync Status
Create a new Extension Attribute in Jamf Pro with the following script:
```bash
#!/bin/bash
# Extension Attribute: Jamf Connect / Self Service+ Password Sync Status
# Returns whether local password is in sync with cloud IdP (Google, Entra ID, etc.)

# Get current logged-in user
currentUser=$(/usr/bin/stat -f "%Su" /dev/console)

# Skip if no user logged in or if loginwindow
if [[ "$currentUser" == "root" ]] || [[ "$currentUser" == "loginwindow" ]] || [[ -z "$currentUser" ]]; then
    echo "<result>No user logged in</result>"
    exit 0
fi

# Path to the Jamf Connect state plist
jamfConnectStatePlist="/Users/$currentUser/Library/Preferences/com.jamf.connect.state.plist"

# Check if the plist exists
if [[ ! -f "$jamfConnectStatePlist" ]]; then
    echo "<result>Jamf Connect not configured</result>"
    exit 0
fi

# Read the PasswordCurrent value
passwordCurrent=$(defaults read "$jamfConnectStatePlist" PasswordCurrent 2>/dev/null)

# Determine sync status
if [[ "$passwordCurrent" == "1" ]]; then
    RESULT="In Sync"
elif [[ "$passwordCurrent" == "0" ]]; then
    RESULT="Out of Sync"
else
    RESULT="Unknown"
fi

echo "<result>$RESULT</result>"
```

To Create the Extension Attribute in Jamf Pro:

- Password Sync Status
- String
- Extension Attributes (or your preferred section)
- Script

Additional Extension Attribute: Last Successful Sign-In
You might also want to track when the user last successfully signed in to their cloud IdP:
```bash
#!/bin/bash
# Extension Attribute: Last Jamf Connect Sign-In
# Returns the date of last successful sign-in to cloud IdP

currentUser=$(/usr/bin/stat -f "%Su" /dev/console)

if [[ "$currentUser" == "root" ]] || [[ "$currentUser" == "loginwindow" ]] || [[ -z "$currentUser" ]]; then
    echo "<result>No user logged in</result>"
    exit 0
fi

jamfConnectStatePlist="/Users/$currentUser/Library/Preferences/com.jamf.connect.state.plist"

if [[ ! -f "$jamfConnectStatePlist" ]]; then
    echo "<result>Not configured</result>"
    exit 0
fi

lastSignIn=$(defaults read "$jamfConnectStatePlist" LastSignIn 2>/dev/null)

if [[ -n "$lastSignIn" ]]; then
    echo "<result>$lastSignIn</result>"
else
    echo "<result>Never signed in</result>"
fi
```

Creating Smart Groups
Once deployed, create Smart Groups for remediation:
- Password Sync Status is Out of Sync
- Password Sync Status is In Sync

Other Useful Keys in com.jamf.connect.state.plist
| Key | Description |
|---|---|
| PasswordCurrent | 1 = synced, 0 = not synced |
| LastSignIn | Timestamp of last successful sign-in |
| UserPasswordSet | When password was last changed |
| UserEmail | User's email from IdP |
| UserDisplayName | User's display name from IdP |
Important Note for Google Workspace
If you're using Google Workspace without Secure LDAP (requires Business Plus or higher), true password sync isn't fully supported since Google ID doesn't support ROPG. In this case, PasswordCurrent may not accurately reflect actual sync status.
Hope this helps! 😄
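An added example, not part of the answer above and not Jamf's own code: Extension Attribute scripts run as root, while the state plist sits in the user's home directory and can be edited by that user, so its values are better treated as untrusted before they reach inventory and Smart Groups. The function names `sync_status`, `clean_timestamp` and `plist_is_trusted` are hypothetical helpers; the paths and keys are the ones from the answer.

```bash
#!/bin/bash
# Added example (not the answer's or Jamf's code): hardened value handling.
# Assumption: the EA runs as root and the state plist is editable by the user.

# Map the raw PasswordCurrent value onto a fixed vocabulary; anything else
# (missing key, unexpected string) is reported as Unknown.
sync_status() {
    case "$1" in
        1) echo "In Sync" ;;
        0) echo "Out of Sync" ;;
        *) echo "Unknown" ;;
    esac
}

# Keep only characters a timestamp can contain and cap the length, so an
# edited LastSignIn string cannot place markup inside the <result> payload.
clean_timestamp() {
    cleaned=$(printf '%s' "$1" | LC_ALL=C tr -cd '0-9A-Za-z:+ ./-' | cut -c1-40)
    if [ -n "$cleaned" ]; then echo "$cleaned"; else echo "Never signed in"; fi
}

# Accept the plist only if it is a regular file (not a symlink) owned by the
# console user; find does not follow symlinks by default.
plist_is_trusted() {
    [ -n "$(find "$1" -prune -type f -user "$2" 2>/dev/null)" ]
}

# Runs only on macOS, where stat -f and defaults are available.
if [ "$(uname)" = "Darwin" ]; then
    currentUser=$(/usr/bin/stat -f "%Su" /dev/console)
    plist="/Users/$currentUser/Library/Preferences/com.jamf.connect.state.plist"
    if plist_is_trusted "$plist" "$currentUser"; then
        raw=$(defaults read "$plist" PasswordCurrent 2>/dev/null)
        echo "<result>$(sync_status "$raw")</result>"
        # For the Last Sign-In attribute, emit this instead:
        # echo "<result>$(clean_timestamp "$(defaults read "$plist" LastSignIn 2>/dev/null)")</result>"
    else
        echo "<result>Jamf Connect not configured</result>"
    fi
fi
```

The result strings match the ones the answer's Smart Group criteria expect, so the groups keep working unchanged.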