Enforce Okta password reset.

erichughes
Contributor II

We have recently moved to Jamf and Jamf Connect with Okta integration. It seems to work great for authentication so far. However, we have a 60-day password update policy, and that does not seem to be enforced via the Jamf Connect mechanism. If the user exists on the computer, the old/expired password is still accepted to log into the computer. If the user does not exist on the system, the user is prompted to reset the password before the local account is created. So I know the mechanism is there for the reset; it's just not enforced for the existing user account. Being new to this integration, I'm likely missing something.


banksjamf
New Contributor

We use Okta and have a similar 90-day password expiry. You can use the Chrome extension to push the Okta login to the app, which will check if it is the same as the laptop.

selleos
New Contributor II

We have the same Okta + 90-day policy; I wish Jamf Connect would show the timer in the dropdown window. The only way to see this is when you log in, which is somewhat helpful but not ideal for a password sync solution in my mind.

paula_mendez
New Contributor II

Hi @erichughes - I use JC Sync only (no login), and this is what I came up with.
Extension Attribute that checks whether the password syncs:

 #!/bin/bash
 # Extension Attribute: reports whether the local password matches Okta,
 # according to Jamf Connect Sync's per-user PasswordCurrent flag.
 jamf_connect="/Applications/Jamf Connect Sync.app"
 loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

 # Without the app the preference can never be set, so report that first.
 if [ ! -d "$jamf_connect" ]; then
     echo "<result>Jamf Connect Not Installed</result>"
     exit 0
 fi

 # 0 = password out of sync, 1 = current; empty if the key was never written.
 isCurrent=$(defaults read /Users/"$loggedInUser"/Library/Preferences/com.jamf.connect.sync PasswordCurrent 2>/dev/null)

 if [ "$isCurrent" = "0" ]; then
     echo "<result>No</result>"
 elif [ "$isCurrent" = "1" ]; then
     echo "<result>Yes</result>"
 else
     echo "<result>Unknown</result>"
 fi

Then I have a script that runs at every check-in to run open jamfconnectsync://signin if the answer to the EA above is No.
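
A check-in policy script of the kind described above, added here as an example (not code from the thread): it reads the same com.jamf.connect.sync PasswordCurrent key for the console user and, when the value is 0, opens jamfconnectsync://signin in that user's GUI session. The preference key and URL scheme come from the thread; the launchctl asuser / sudo -u invocation and the function names are assumptions.

```bash
#!/bin/bash
# Added example: Jamf policy script run at each check-in. Reads Jamf Connect
# Sync's PasswordCurrent flag for the console user and, if the local password
# is out of sync (0), opens jamfconnectsync://signin in that user's session.

# Map the raw PasswordCurrent value to a state. Anything other than 0 or 1
# (missing key, empty output) is "unknown" so we never prompt blindly.
sync_state() {
    case "$1" in
        0) echo "stale" ;;
        1) echo "current" ;;
        *) echo "unknown" ;;
    esac
}

# Console user via scutil, skipping the loginwindow pseudo-user (as in the EA).
console_user() {
    echo "show State:/Users/ConsoleUser" | scutil \
        | awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Per-user Jamf Connect Sync preference; prints nothing if the key is unset.
read_password_current() {
    defaults read "/Users/$1/Library/Preferences/com.jamf.connect.sync" \
        PasswordCurrent 2>/dev/null
}

# Jamf policies run as root, so 'open' must be launched inside the console
# user's GUI session (launchctl asuser) and as that user (sudo -u). Assumed.
prompt_signin() {
    uid=$(id -u "$1")
    launchctl asuser "$uid" sudo -u "$1" open "jamfconnectsync://signin"
}

main() {
    user=$(console_user)
    if [ -z "$user" ]; then
        echo "No console user logged in; nothing to do"
        return 0
    fi
    state=$(sync_state "$(read_password_current "$user")")
    echo "Jamf Connect Sync password state for $user: $state"
    if [ "$state" = "stale" ]; then
        prompt_signin "$user"
    fi
}

# Only act on macOS; the helper functions above can be exercised anywhere.
[ "$(uname -s)" = "Darwin" ] && main
```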

Hi Paula,

Did you create a smart group for it after adding this EA? If so, what were your criteria for the smart group?