Posted on 10-27-2020 11:49 AM
We have tested Jamf Connect with Okta for password sync on Mac with the network password. It goes well except for the password expiry count. It does not refresh immediately after the password is changed. It took some time (nearly 45 minutes), or we need to log out from the Mac and then log back in (if on the company network) or reconnect the VPN (if outside the company network).
Is there any command to update the count after a password change? We are using Kerberos here.
Posted on 02-02-2021 01:05 PM
I have the same issue. Did you find a command that works?
Posted on 02-16-2021 10:23 AM
Not yet. I believe it is designed that way. To update it we need to reconnect the VPN or wait until the Kerberos ticket updates.
Posted on 02-16-2021 10:59 AM
@kyle.wickert @shrisivakumaran By design the countdown comes from Kerberos. So after a password change, you'll need to connect on-prem or VPN to get a new Kerberos ticket. But what should work, and what I've seen issues with, is that after getting an initial Kerberos ticket and then not connecting to VPN or on-prem, the countdown should still work. But I've seen where it will only update if you do one of the following:
1) Kill the Jamf Connect Process and relaunch the App
2) Open the Preferences window and close it
3) Reboot your computer (works sometimes)
Posted on 03-03-2021 12:58 PM
@DBrowning Thanks for your response. I have tried all those steps and I am aware of the need to be connected to the VPN. What seems to be the issue with the growing number of systems in my environment is that even if I am connected to the VPN and execute the password change, it will not default to Kerberos because it will not acquire the tickets. This also means that when they change the password using the Okta connector, it will not update the counter. I have tried to use the command "open jamfconnect://gettickets" and that does not help to get the ticket or update the counter either. I've killed the process, rebooted and reconnected to the VPN with no luck. At this point the Kerberos ticket is not working at all, and it is random which systems it does work for.
Posted on 03-04-2021 05:25 AM
@kyle.wickert Take a look at your com.apple.Kerberos file as well. We were having an issue where that file was pointing to a DC that no longer existed. You can read the file using
defaults read com.apple.Kerberos
Posted on 03-05-2021 01:06 PM
@DBrowning I finally found out what was blocking the connection. When running the cmd you provided, there were no realms defined. However, in the Jamf Connect config I was defining it. I also deployed a fix for that a while ago, which was to deploy a script with code like:
sudo cat > /etc/krb5.conf <<- "EOF"
This fixed the file to have the domain, but it still wouldn't get tickets. I then figured out that there were a bunch of stale tickets blocking new requests. To fix that I opened Finder -> Go -> Go to Folder, navigated to /System/Library/CoreServices/ and opened the application Ticket Viewer. I removed a bunch of stale identities and made a new ticket request. Once I did that I was able to see the password expiration count and even retrieve certs.
Thanks - Kyle
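
The two faults Kyle describes, no realm defined and stale tickets blocking new requests, can be checked from a shell. The script below is an added example, not code from the thread or from Jamf; the function names are hypothetical, and it assumes the /etc/krb5.conf path from his post and the `>>>Expired<<<` marker that Heimdal's `klist` prints.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Report the default realm in a krb5.conf-style file and whether [realms]
# has a block for it. $1 = file path (default /etc/krb5.conf).
krb5_realm_status() {
    conf="${1:-/etc/krb5.conf}"
    [ -r "$conf" ] || { echo "status=missing-file"; return 1; }
    awk '
        /^[ \t]*[#;]/ { next }                       # comment lines
        /^[ \t]*\[/   {                              # section header
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        sec == "libdefaults" && /^[ \t]*default_realm[ \t]*=/ {
            split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); def = kv[2]
        }
        sec == "realms" && /=[ \t]*[{]/ {            # "REALM = {" opens a block
            split($0, kv, "="); gsub(/[ \t]/, "", kv[1]); seen[kv[1]] = 1
        }
        END {
            if (def == "")      { print "status=no-default-realm"; exit 1 }
            if (!(def in seen)) { print "status=no-realm-block realm=" def; exit 2 }
            print "status=ok realm=" def
        }' "$conf"
}

# Count expired entries in klist output read from stdin. Heimdal klist (the
# one shipped with macOS) prints >>>Expired<<< in place of the expiry time.
count_expired() { grep -c '>>>Expired<<<' || true; }

# Run both checks on the local machine.
triage() {
    krb5_realm_status "${1:-/etc/krb5.conf}" || true
    if command -v klist >/dev/null 2>&1; then
        echo "expired_tickets=$(klist -A 2>/dev/null | count_expired)"
    fi
    # Command-line counterpart of clearing identities in Ticket Viewer:
    #   kdestroy -A     then request a fresh ticket with kinit
}

if [ "${1:-}" = "--run" ]; then triage; fi
```

A `status=no-realm-block` result is only a fault where the KDCs are not located through DNS.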