IDP Username Change for Jamf Connect

healthcareaa
New Contributor III

Hello,

One of our users is requesting that we change their Name, Email, Username in all of our systems for their legal name change.

I am wondering how that will work with Jamf Connect. The Jamf Connect login screen should authenticate to Okta and allow them in but I am curious if there are other steps we would need to do like changing the Record Name value or disconnecting/reconnecting the local account with the IDP account. 

Anyone have experience with this?


Cmolina001
New Contributor

I have this question too!

Check my response below.

kevinv
New Contributor III

Bump!

healthcareaa
New Contributor III

You have to unbind the network account from the local account using this process:

https://learn.jamf.com/bundle/jamf-connect-documentation-2.18.0/page/Unmigrating_a_Local_Account.htm...

Once the unbind is complete, you will want to have the user log out of the computer, then log back in using the Jamf Connect login. Once authenticated, it will prompt for the user to connect to a new account on the computer. We had an issue initially where the Jamf Connect login would not ask to connect to any of the accounts, but would just continue to log in to the new account it had created (with no data). I had to delete this newer account, as Jamf Connect will default to that account if the names are the same. Once I deleted that newer account, we could do the login and account-connection process correctly.

kevinv
New Contributor III

Sounds like a lot of manual labor. Going to submit a feature request for something more... scalable and/or automated. Probably won't gain a lot of traction, but worth a shot.


highroller152
New Contributor

If you're using Okta and JAMF Connect, here's a script that I use. You won't be able to just copy/paste. You'll have to make necessary changes since I sanitized our company info... o.O 
I have an updated script that I'm working on that includes better logging, error handling, and a method to revert changes should anything go awry. Feel free to offer me a job if you want that one ;)

#!/bin/bash
###########################################################################################
#   Script to modify the username on macOS so that it matches the user's Okta ID.
###########################################################################################
actionLabel="Continue"
# pick a corporate icon
icon="/usr/local/JamfConnect/xxxx.png"
Success="Username on MacBook and OKTA match. The Setup will now continue"
# Logging file (path sanitized)
d=$(date +%Y-%m-%d--%I:%M:%S)
log="${d} Account_RENAME:"
logfile="/Library/xx/logs/Account_RENAME.log"
mkdir -p /Library/xx/logs
# Create the log file
touch "$logfile"
# The script only ever runs as root (checked below), so the log does not need to be world-writable
chmod 644 "$logfile"

StartRenameScript(){
# Begin Logging
echo "${log} ## Rename Script Begin ##" 2>&1 | tee -a "$logfile"

# Ensures that script is run as ROOT (so no sudo is needed on the commands below)
if [[ "${UID}" != 0 ]]; then
	echo "${log} Error: $0 script must be run as root" 2>&1 | tee -a "$logfile"
	exit 1
fi

# Both globals are set by AlertUser / FetchOKTAID before this function is called
oldUser=$loggedInUser
newUser=$OKTACheck

# Test to ensure account update is needed
if [[ "${oldUser}" == "${newUser}" ]]; then
	echo "${log} Error: Account ${oldUser} is the same name as ${newUser}" 2>&1 | tee -a "$logfile"
	exit 0
fi

# Query existing user accounts
readonly existingUsers=($(dscl . -list /Users | grep -Ev "^_|com.*|root|nobody|daemon|\/" | cut -d, -f1 | sed 's|CN=||g'))

# Ensure old user account is correct and account exists on system
if [[ ! " ${existingUsers[@]} " =~ " ${oldUser} " ]]; then
	echo "${log} Error: ${oldUser} account not present on system to update" 2>&1 | tee -a "$logfile"
	exit 1
fi

# Ensure new user account is not already in use
if [[ " ${existingUsers[@]} " =~ " ${newUser} " ]]; then
	echo "${log} Error: ${newUser} account already present on system. Cannot add duplicate" 2>&1 | tee -a "$logfile"
	exit 1
fi

# Query existing home folders
readonly existingHomeFolders=($(ls /Users))

# Ensure existing home folder is not in use
if [[ " ${existingHomeFolders[@]} " =~ " ${newUser} " ]]; then
	echo "${log} Error: ${newUser} home folder already in use on system. Cannot add duplicate" 2>&1 | tee -a "$logfile"
	exit 1
fi

# Read the current home directory pointer once; it is reused for the move and for every rollback
ORGhomeFolder=$(dscl . read "/Users/$oldUser" NFSHomeDirectory | cut -d: -f 2 | sed "s/^ *//" | tr -d "\n")

# Warn if username differs from home directory name (non-fatal, the real pointer is used below)
if [[ "/Users/${oldUser}" != "${ORGhomeFolder}" ]]; then
	echo "${log} Warning: Username differs from home directory name!" 2>&1 | tee -a "$logfile"
	echo "${log} Warning: home directory: ${ORGhomeFolder} should be: /Users/${oldUser}." 2>&1 | tee -a "$logfile"
fi

# Updates NFS home directory pointer
if ! dscl . -change "/Users/$oldUser" NFSHomeDirectory "${ORGhomeFolder}" "/Users/$newUser"; then
	echo "${log} Could not rename the user's home directory pointer, aborting further changes!" 2>&1 | tee -a "$logfile"
	echo "${log} Reverting Home Directory changes" 2>&1 | tee -a "$logfile"
	dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${ORGhomeFolder}"
	exit 1
else
	echo "${log} NFSHomeDirectory successfully changed to /Users/${newUser}" 2>&1 | tee -a "$logfile"
fi

# Actual username change
if ! dscl . -change "/Users/$oldUser" RecordName "$oldUser" "$newUser"; then
	echo "${log} Could not rename the user's RecordName in dscl - the user should still be able to log in, but with user name ${oldUser}" 2>&1 | tee -a "$logfile"
	# The home folder has not been moved yet, so only the pointer needs to be reverted
	echo "${log} Reverting Home Directory changes" 2>&1 | tee -a "$logfile"
	dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${ORGhomeFolder}"
	exit 1
else
	echo "${log} RecordName successfully changed to ${newUser}" 2>&1 | tee -a "$logfile"
fi

# Updates name of home directory to new username
if ! mv "$ORGhomeFolder" "/Users/$newUser"; then
	echo "${log} Could not rename the user's home directory in /Users" 2>&1 | tee -a "$logfile"
	# The record is now named newUser, so revert RecordName through that path first
	echo "${log} Reverting username change" 2>&1 | tee -a "$logfile"
	dscl . -change "/Users/${newUser}" RecordName "${newUser}" "${oldUser}"
	echo "${log} Reverting Home Directory changes" 2>&1 | tee -a "$logfile"
	dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${ORGhomeFolder}"
	exit 1
else
	echo "${log} HomeDirectory successfully changed to /Users/${newUser}" 2>&1 | tee -a "$logfile"
fi

# Links old home directory to new. Fixes dock mapping issue
ln -s "/Users/$newUser" "$ORGhomeFolder"
# Fixing the permissions on the Home Directory (owner and path must be separate arguments)
chown -R "$newUser:staff" "/Users/$newUser"
# Updating all other entries in Directory Utility that still name the old user as writer
for attr in _writers_AvatarRepresentation _writers_hint _writers_jpegphoto _writers_passwd _writers_picture _writers_unlockOptions _writers_UserCertificate; do
	dscl . -change "/Users/$newUser" "dsAttrTypeNative:${attr}" "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
done

# Success message
read -r -d '' successOutput <<EOM
Success ${oldUser} username has been updated to ${newUser}
Folder "${ORGhomeFolder}" has been renamed to "/Users/${newUser}"
RecordName: ${newUser}
NFSHomeDirectory: "/Users/${newUser}"
SYSTEM RESTARTING in 2 minutes to complete username update.
EOM

echo "${log} ${successOutput}" 2>&1 | tee -a "$logfile"

# System restart (handled by a Jamf policy with this custom trigger)
sleep 10
jamf policy -event RestartMyMacbook
}

FetchOKTAID(){
  # osascript prints "button returned:Continue, text returned:<value>"; the third ':'-separated field is the value
  OKTACheck=$(osascript -e 'display dialog "Please enter your OKTA ID." default answer "" buttons {"Continue"} default button 1' | tr '[:upper:]' '[:lower:]' | awk -F ':' '{print $3}')
  echo "$OKTACheck"
  callButton=$(osascript -e 'display dialog "The OKTA ID entered is '"$OKTACheck"'

If it is correct, please click Confirm.

Else, click Re-Enter." buttons {"Confirm", "Re-Enter"} default button "Confirm"')
  if [[ $callButton == "button returned:Confirm" ]]; then
    if [[ "$loggedInUser" == "$OKTACheck" ]]; then
      echo "Usernames match - OKTA ID: $OKTACheck and MacBook User ID: $loggedInUser"
      "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "$icon" -title "$title" -description "$Success" -button1 "$actionLabel" -defaultButton 1 -lockHUD -startlaunchd -windowPosition center -timeout 5
    else
      echo "Usernames don't match - OKTA ID: $OKTACheck and MacBook User ID: $loggedInUser"
      StartRenameScript
    fi
  else
    FetchOKTAID
  fi
}

AlertUser(){
	# Console user via scutil; the python/PyObjC one-liner no longer works on current macOS, which ships no python
	loggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
	loggedInUID=$(id -u "$loggedInUser")
	homeFolder=$(dscl . read "/Users/$loggedInUser" NFSHomeDirectory | cut -d: -f 2 | sed "s/^ *//" | tr -d "\n")
	title="Annoying IT Alert"
	message="
We will check the username used to set up this device. If it does not meet IT standards, this tool will modify the username as per the policy and automatically restart the device.

The device setup will continue after the restart."
	# Call window with appropriate messaging
	userClick=$( "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "$icon" -title "$title" -description "$message" -button1 "$actionLabel" -defaultButton 1 -lockHUD -startlaunchd -windowPosition center )
	# Call function to capture user input
	jamfHelperClick
}

jamfHelperClick() {
if [[ $userClick == 0 ]]; then
	echo "$loggedInUser chose to proceed..."
	FetchOKTAID
elif [[ $userClick == 2 ]]; then
	echo "$loggedInUser aborted the tool"
	exit 0
fi
}

AlertUser
exit 0
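An added example, not part of the thread or of highroller152's script: the script above feeds whatever the user types into the Okta ID dialog straight into dscl, mv and ln (after `awk -F ':' '{print $3}'`), so a value containing a colon, a slash, ".." or a quote changes the wrong record or path. These helpers (hypothetical names) parse the `display dialog` output by its `text returned:` key and only accept a plain local short name.

```shell
#!/bin/bash
# Added example: vet the Okta ID dialog input before it reaches dscl/mv/ln.

# Extract the value after "text returned:" from osascript's `display dialog` output,
# e.g. "button returned:Continue, text returned:Jane.Doe@corp.example" -> "Jane.Doe@corp.example".
# Splitting on the key instead of on ':' keeps any colon inside the typed value intact.
parse_dialog_text() {
    local out="$1"
    case "$out" in
        *"text returned:"*) printf '%s' "${out#*text returned:}" ;;
        *) return 1 ;;           # dialog cancelled or no text field present
    esac
}

# Normalise what was typed: drop an e-mail domain, lowercase, strip whitespace.
normalize_short_name() {
    local raw="$1"
    raw="${raw%%@*}"                                   # jane.doe@corp.example -> jane.doe
    printf '%s' "$raw" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]'
}

# Accept only names safe as a RecordName and as a /Users/<name> path component:
# a lowercase letter first, then letters, digits, '.', '_' or '-', at most 32 chars.
# This excludes '/', ':', quotes, spaces, '.' and '..' (so mv/ln cannot be pointed elsewhere).
validate_short_name() {
    printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9._-]{0,31}$'
}

# Combined gate: prints the vetted short name, returns non-zero if the input must be rejected.
vet_okta_input() {
    local text name
    text="$(parse_dialog_text "$1")" || return 1
    name="$(normalize_short_name "$text")"
    validate_short_name "$name" || return 1
    printf '%s' "$name"
}
```

In the rename script this would replace the `awk -F ':' '{print $3}'` pipeline: `OKTACheck=$(vet_okta_input "$(osascript -e '...')") || exit 1`, so the rename never starts on an unsafe name.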