Help

Jamf Connect - Azure Password Expiration Notification

Scott_Conway
New Contributor III

Posted on ‎10-26-2021 09:01 AM

We are using Jamf Connect and Azure to sync accounts/passwords with MacOS.  The computers are not AD bound.  Is it possible to get Jamf to warn users when their password is set to expire (we have a company policy to reset every 90 days)?

 

If not, what are other fellow admins doing in this case?

Reply
11 REPLIES 11

mubeer_CTS
New Contributor

Posted on ‎02-20-2022 07:38 PM

Below command will give you the password expiration date, you can create a script to give a popup or notification to the users nearing password expiry by creating smart group and a script.  

defaults read com.jamf.connect.state | grep ComputedPasswordExpireDate | awk {'print $3'} | sed 's/"//'

(run the command on logged in users session)

0 Kudos
Reply

sjlo
New Contributor III
In response to mubeer_CTS

Posted on ‎05-12-2022 04:05 AM

I'm in the same situation, but com.jamf.connect.state doesn't contain ComputedPasswordExpireDate.
I only get DisplayName, LastSignIn and PasswordCurrent.

0 Kudos
Reply

spotterman
New Contributor
In response to sjlo

Posted on ‎09-14-2022 11:16 AM

Did you ever find a solution as I'm seeing the same thing.

0 Kudos
Reply

Scott_Conway
New Contributor III

Posted on ‎09-14-2022 01:07 PM

We pretty much solved this, but it does require an on-prem AD still (which we have in our hybrid environment).

  1. You need to set a default realm in you jamf connect configuration profile. This will allow Jamf Connect to retrieve AD tickets for the user when they can reach a domain controller (either when on-prem or connected to a VPN).
  2. Then you can set the password expiration settings in the jamf connect profile (exact keys and values can be found on Jamf documentations). The keys are "ExpirationCountdownStartDay" and "ExpirationNotificationStartDay"
  3. Finally to actually get the notification to work, you need to enable a setting in the Jamf global settings. Under computer management > Security, you must enable Jamf Connect to install a notification profile.

With these 3 steps, your users will get password expiration details to show up on the jamf connect menu bar icon. And the Jamf application will push notifications to MacOS when the ExpirationNotificationStartDay time hits. A countdown number will also start to appear on the menu bar icon when the ExpirationCountdownStartDay time hits.

 

0 Kudos
Reply

Scott_Conway
New Contributor III
In response to Scott_Conway

Posted on ‎09-14-2022 01:09 PM

I should have noted that even though this solution needs an on-prem AD, it does NOT need the Mac to be AD bound. It just needs a network communication to a domain controller that stores the AD user account info. This is how Jamf can read the expiration details. I have not found a way to get these details using only Azure.

0 Kudos
Reply

sjlo
New Contributor III
In response to Scott_Conway

Posted on ‎11-16-2022 12:21 AM

We enabled EnforceCloudPasswordPolicyForPasswordSyncedUsers in Azure in hopes to get the expiration details to Jamf Connect via Azure, but to no avail.

0 Kudos
Reply

Justin13579
New Contributor III
In response to Scott_Conway

Posted on ‎11-13-2022 05:44 AM

How do you set a "default realm" in the Jamf Connect Config Profile?

0 Kudos
Reply

sjlo
New Contributor III
In response to Scott_Conway

Posted on ‎11-16-2022 12:18 AM

Hello, I'm struggling getting notifications to work. I've set both ExpirationCountdownStartDay and ExpirationNotificationStartDay to 90, which should trigger notifications immediately. The countdown (89d) displays in the menubar, but I get no notification. (I have done step 3)

0 Kudos
Reply

Justin13579
New Contributor III

Posted on ‎11-13-2022 10:27 AM

Ahh found it. Had to add the following into the Jamf Connect (Menu) Configuration Profile. This allowed this to work in a hybrid config (without a kerberos ticket via AD Join). 

<key>PasswordPolicies</key>

<dict> <key>NetworkCheck</key>

<integer>15</integer>

<key>SyncPasswordsMessage</key>

<string>Your local and network passwords do not match. Enter your current local password to sync it with your network password </string>

<string>passwordexpiration</string>

<key>ExpirationCountdownStartDay</key>

<integer>30</integer>

<key>ExpirationNotificationStartDay</key>

<integer>14</integer> </dict>

<key>Kerberos</key> <dict>

<key>Realm</key>

<string>DOMAINGOESHERE.NET</string>

</dict>

Hope this helps others struggling with Password Expiration Notifications in Hybrid Environments (or those who have local AD but don't use it for their macs because of kerberos). #Hybrid #PasswordExpiration #Notifications #JamfConnect

0 Kudos
Reply

jimmy-swings
Contributor II

Posted on ‎07-28-2023 04:51 PM

You can use the Jamf Connect Configuration application - which is included in the .dmg - to easy generate the appropriate configuration to not only display the number of days to expiry, but also to use a native notification - as shown below - to prompt the user to change.

Screenshot 2023-07-29 at 9.40.15 am.png

0 Kudos
Reply

dubel
New Contributor III
In response to jimmy-swings

Posted on ‎08-19-2024 06:36 AM

Which settings did you configure to show this?

0 Kudos
Reply