Jamf Connect - Azure Password Expiration Notification

Posted on 10-26-2021 09:01 AM
We are using Jamf Connect and Azure to sync accounts/passwords with MacOS. The computers are not AD bound. Is it possible to get Jamf to warn users when their password is set to expire (we have a company policy to reset every 90 days)?
If not, what are other fellow admins doing in this case?
Posted on 02-20-2022 07:38 PM
The command below will give you the password expiration date. You can create a script to give a popup or notification to users nearing password expiry by creating a smart group and a script.
defaults read com.jamf.connect.state | grep ComputedPasswordExpireDate | awk '{print $3}' | sed 's/"//'
(Run the command in the logged-in user's session.)
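
One way to build the notification script that reply describes, as an added example that is not part of the original thread. It assumes `defaults read` prints the date as `"YYYY-MM-DD HH:MM:SS +0000"` and uses a 14-day warning threshold; the function names are hypothetical, and the sample state text is constructed. It reports `unknown` when `ComputedPasswordExpireDate` is absent, the case later replies describe.

```shell
#!/bin/sh
# Added example: warn before the Jamf Connect computed password expiry.
# Assumption: `defaults read` prints the date as "YYYY-MM-DD HH:MM:SS +0000".

# Pull the timestamp out of `defaults read com.jamf.connect.state` output (stdin).
# Prints nothing when the key is absent.
extract_expiry() {
  sed -n 's/^[[:space:]]*ComputedPasswordExpireDate = "\([^"]*\)";.*$/\1/p'
}

# Convert that UTC timestamp to epoch seconds with BSD date (macOS), else GNU date.
to_epoch() {
  case "$1" in *" +0000") ;; *) return 1 ;; esac
  ts=${1% +0000}
  date -j -u -f '%Y-%m-%d %H:%M:%S' "$ts" +%s 2>/dev/null ||
    date -u -d "$ts" +%s 2>/dev/null
}

# classify STATE_TEXT NOW_EPOCH WARN_DAYS -> unknown | expired | warn:N | ok:N
classify() {
  exp_ts=$(printf '%s\n' "$1" | extract_expiry)
  [ -n "$exp_ts" ] || { echo unknown; return 0; }
  exp=$(to_epoch "$exp_ts") || { echo unknown; return 0; }
  [ "$exp" -gt "$2" ] || { echo expired; return 0; }
  days=$(( (exp - $2) / 86400 ))
  if [ "$days" -le "$3" ]; then echo "warn:$days"; else echo "ok:$days"; fi
}

# Constructed samples: one with the key, one like the state reported without it.
SAMPLE_WITH_KEY='{
    ComputedPasswordExpireDate = "2030-01-15 08:00:00 +0000";
    DisplayName = "Sample User";
    PasswordCurrent = 1;
}'
SAMPLE_NO_KEY='{
    DisplayName = "Sample User";
    PasswordCurrent = 1;
}'

# On a Mac, in the logged-in user's session: read the real state and notify.
if command -v defaults >/dev/null 2>&1 && command -v osascript >/dev/null 2>&1; then
  state=$(defaults read com.jamf.connect.state 2>/dev/null || true)
  result=$(classify "$state" "$(date +%s)" 14)
  case "$result" in
    warn:*) osascript -e "display notification \"Password expires in ${result#warn:} day(s).\" with title \"Password expiration\"" ;;
    expired) osascript -e 'display notification "Your password has expired." with title "Password expiration"' ;;
  esac
  echo "$result"
fi
```
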

Posted on 05-12-2022 04:05 AM
I'm in the same situation, but com.jamf.connect.state doesn't contain ComputedPasswordExpireDate.
I only get DisplayName, LastSignIn and PasswordCurrent.
Posted on 09-14-2022 11:16 AM
Did you ever find a solution? I'm seeing the same thing.

Posted on 09-14-2022 01:07 PM
We pretty much solved this, but it does require an on-prem AD still (which we have in our hybrid environment).
- You need to set a default realm in your Jamf Connect configuration profile. This will allow Jamf Connect to retrieve AD tickets for the user when they can reach a domain controller (either when on-prem or connected to a VPN).
- Then you can set the password expiration settings in the Jamf Connect profile (exact keys and values can be found in the Jamf documentation). The keys are "ExpirationCountdownStartDay" and "ExpirationNotificationStartDay".
- Finally to actually get the notification to work, you need to enable a setting in the Jamf global settings. Under computer management > Security, you must enable Jamf Connect to install a notification profile.
With these 3 steps, your users will get password expiration details to show up on the jamf connect menu bar icon. And the Jamf application will push notifications to MacOS when the ExpirationNotificationStartDay time hits. A countdown number will also start to appear on the menu bar icon when the ExpirationCountdownStartDay time hits.

Posted on 09-14-2022 01:09 PM
I should have noted that even though this solution needs an on-prem AD, it does NOT need the Mac to be AD bound. It just needs a network communication to a domain controller that stores the AD user account info. This is how Jamf can read the expiration details. I have not found a way to get these details using only Azure.

Posted on 11-16-2022 12:21 AM
We enabled EnforceCloudPasswordPolicyForPasswordSyncedUsers in Azure in hopes to get the expiration details to Jamf Connect via Azure, but to no avail.
Posted on 11-13-2022 05:44 AM
How do you set a "default realm" in the Jamf Connect Config Profile?

Posted on 11-16-2022 12:18 AM
Hello, I'm struggling getting notifications to work. I've set both ExpirationCountdownStartDay and ExpirationNotificationStartDay to 90, which should trigger notifications immediately. The countdown (89d) displays in the menubar, but I get no notification. (I have done step 3)
Posted on 11-13-2022 10:27 AM
Ahh found it. Had to add the following into the Jamf Connect (Menu) Configuration Profile. This allowed this to work in a hybrid config (without a kerberos ticket via AD Join).
<key>PasswordPolicies</key>
<dict>
    <key>NetworkCheck</key>
    <integer>15</integer>
    <key>SyncPasswordsMessage</key>
    <string>Your local and network passwords do not match. Enter your current local password to sync it with your network password </string>
    <string>passwordexpiration</string>
    <key>ExpirationCountdownStartDay</key>
    <integer>30</integer>
    <key>ExpirationNotificationStartDay</key>
    <integer>14</integer>
</dict>
<key>Kerberos</key>
<dict>
    <key>Realm</key>
    <string>DOMAINGOESHERE.NET</string>
</dict>
Hope this helps others struggling with Password Expiration Notifications in Hybrid Environments (or those who have local AD but don't use it for their macs because of kerberos). #Hybrid #PasswordExpiration #Notifications #JamfConnect

Posted on 07-28-2023 04:51 PM
You can use the Jamf Connect Configuration application - which is included in the .dmg - to easily generate the appropriate configuration to not only display the number of days to expiry, but also to use a native notification - as shown below - to prompt the user to change.

Posted on 08-19-2024 06:36 AM
Which settings did you configure to show this?
