Jamf Connect - Azure Password Expiration Notification

Scott_Conway
New Contributor III

We are using Jamf Connect and Azure to sync accounts/passwords with MacOS.  The computers are not AD bound.  Is it possible to get Jamf to warn users when their password is set to expire (we have a company policy to reset every 90 days)?

If not, what are other fellow admins doing in this case?


mubeer_CTS
New Contributor

The command below will give you the password expiration date; you can create a script to give a popup or notification to users nearing password expiry by creating a smart group and a script.

defaults read com.jamf.connect.state | grep ComputedPasswordExpireDate | awk {'print $3'} | sed 's/"//'

(Run the command in the logged-in user's session.)
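
An added example (not from the post above) that turns the command into an extension-attribute style script: it parses the ComputedPasswordExpireDate value from constructed sample output of defaults read com.jamf.connect.state, reports the days remaining in a <result> tag a smart group can scope on, and reports -1 when the key is absent, which is the case some replies in this thread describe. The sample state and the reference date are assumptions; the date handling tries BSD/macOS date first and falls back to GNU date.

```bash
#!/bin/bash
# Constructed sample of `defaults read com.jamf.connect.state` output (not real data).
SAMPLE_STATE='{
    ComputedPasswordExpireDate = "2030-03-15 14:22:07 +0000";
    DisplayName = "Jane Doe";
    LastSignIn = "2030-01-10 09:00:00 +0000";
    PasswordCurrent = 1;
}'

# Pull the YYYY-MM-DD part of ComputedPasswordExpireDate from defaults output on stdin
# (same grep/awk chain as the command above, with both quotes stripped).
extract_expiry_date() {
  grep ComputedPasswordExpireDate | awk '{print $3}' | tr -d '"'
}

# YYYY-MM-DD -> epoch seconds in UTC; BSD/macOS date first, GNU date otherwise.
to_epoch() {
  if TZ=UTC date -j -f '%Y-%m-%d' "$1" '+%s' >/dev/null 2>&1; then
    TZ=UTC date -j -f '%Y-%m-%d' "$1" '+%s'
  else
    TZ=UTC date -d "$1" '+%s'
  fi
}

# Whole days from the reference date ($2) to the expiry date ($1); negative once expired.
days_until() {
  echo $(( ($(to_epoch "$1") - $(to_epoch "$2")) / 86400 ))
}

# Extension-attribute style output. -1 means the key is absent, so a smart group can
# match that case separately instead of treating cloud-only Macs as "expiring today".
password_days_remaining() {
  expiry=$(printf '%s\n' "$1" | extract_expiry_date)
  if [ -z "$expiry" ]; then
    echo "<result>-1</result>"
  else
    echo "<result>$(days_until "$expiry" "$2")</result>"
  fi
}

# Mirror an ExpirationNotificationStartDay-style threshold: notify when 0 <= days <= threshold.
should_notify() {
  [ "$1" -ge 0 ] && [ "$1" -le "$2" ]
}

password_days_remaining "$SAMPLE_STATE" "$(date +%Y-%m-%d)"
```

On a real Mac, replace SAMPLE_STATE with the live output of the defaults command, run as the logged-in user.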

sjlo
New Contributor III

I'm in the same situation, but com.jamf.connect.state doesn't contain ComputedPasswordExpireDate.
I only get DisplayName, LastSignIn and PasswordCurrent.

Did you ever find a solution? I'm seeing the same thing.

Scott_Conway
New Contributor III

We pretty much solved this, but it does require an on-prem AD still (which we have in our hybrid environment).

  1. You need to set a default realm in your Jamf Connect configuration profile. This will allow Jamf Connect to retrieve AD tickets for the user when they can reach a domain controller (either when on-prem or connected to a VPN).
  2. Then you can set the password expiration settings in the Jamf Connect profile (exact keys and values can be found in the Jamf documentation). The keys are "ExpirationCountdownStartDay" and "ExpirationNotificationStartDay".
  3. Finally, to actually get the notification to work, you need to enable a setting in the Jamf global settings. Under Computer Management > Security, you must enable Jamf Connect to install a notification profile.

With these 3 steps, password expiration details will show up on the Jamf Connect menu bar icon for your users. The Jamf application will also push notifications to macOS when the ExpirationNotificationStartDay time hits, and a countdown number will start to appear on the menu bar icon when the ExpirationCountdownStartDay time hits.

I should have noted that even though this solution needs an on-prem AD, it does NOT need the Mac to be AD bound. It just needs network communication to a domain controller that stores the AD user account info. This is how Jamf can read the expiration details. I have not found a way to get these details using only Azure.

sjlo
New Contributor III

We enabled EnforceCloudPasswordPolicyForPasswordSyncedUsers in Azure in hopes to get the expiration details to Jamf Connect via Azure, but to no avail.

How do you set a "default realm" in the Jamf Connect Config Profile?

sjlo
New Contributor III

Hello, I'm struggling to get notifications to work. I've set both ExpirationCountdownStartDay and ExpirationNotificationStartDay to 90, which should trigger notifications immediately. The countdown (89d) displays in the menu bar, but I get no notification. (I have done step 3.)

Justin13579
New Contributor III

Ahh, found it. Had to add the following to the Jamf Connect (Menu) Configuration Profile. This allowed it to work in a hybrid config (without a Kerberos ticket via AD join).

<key>PasswordPolicies</key>
<dict>
    <key>NetworkCheck</key>
    <integer>15</integer>
    <key>SyncPasswordsMessage</key>
    <string>Your local and network passwords do not match. Enter your current local password to sync it with your network password </string>
    <!-- The <key> for the following value is missing from the post as written. -->
    <string>passwordexpiration</string>
    <key>ExpirationCountdownStartDay</key>
    <integer>30</integer>
    <key>ExpirationNotificationStartDay</key>
    <integer>14</integer>
</dict>
<key>Kerberos</key>
<dict>
    <key>Realm</key>
    <string>DOMAINGOESHERE.NET</string>
</dict>

Hope this helps others struggling with password expiration notifications in hybrid environments (or those who have local AD but don't use it for their Macs because of Kerberos). #Hybrid #PasswordExpiration #Notifications #JamfConnect

jimmy-swings
Contributor II

You can use the Jamf Connect Configuration application, which is included in the .dmg, to easily generate the appropriate configuration to not only display the number of days to expiry, but also to use a native notification, as shown below, to prompt the user to change it.

[Screenshot, 2023-07-29: native macOS password expiry notification generated from the Jamf Connect Configuration application]