Jamf Connect Login with Okta Local Password Issues

Carpenter8763
New Contributor

A couple of my users have had an issue where they go to log in with their Okta credentials in Jamf Connect Login and they are then prompted for their local password to migrate the accounts. The problem is that the local password is always registered as incorrect. This happens even when I reset their local password and then try to sync again. The only workaround I have found is to disable Jamf Connect Login on their machines and have them continue to use their local account for now. Reinstalling Jamf Connect Login has not fixed the issue, nor has rebuilding my plists.
Any thoughts?

6 REPLIES

erichughes
Contributor II

Did you find any resolution for your issues? We are having the same thing basically. When Jamf Connect Login or Sync tries to update the local password it isn't correct. This doesn't happen for every user but probably 50%. Using Jamf Connect Login v. 1.11.4 and Sync 1.4.3. We end up logging in to the computer as a local admin and changing the local password of the user to something simple, then it works, but it always breaks the keychain so we have to delete that too.

itthings
New Contributor II

No resolution. We're having to change the FileVault password manually in the Terminal with the diskutil apfs changePassphrase command.

erichughes
Contributor II

I created a ticket with Jamf and they assisted with some Extension Attributes that would then be used to initiate a password sync in Jamf Connect Sync. Works much better now. However, we are not using FileVault or the most current version of Jamf Connect; still on JCS 1.4.3. If you haven't reached out to them yet, it might be worth it. It took about 2 weeks to get to the bottom of it but we finally did.

DBrowning
Valued Contributor II

@erichughes can you share the EAs?

erichughes
Contributor II

I am uncertain if this will work with Jamf Connect 2.x since the name and domain of the plist has changed. Recommend testing and editing to suit your environment. We have three smart groups based on this: one for Synced, one for Not Synced, and one for if the EA reports nothing. The Not Synced group is scoped to a script for launching Jamf Connect Sync and initiating a password sync to bring the local and Okta password in line. This was all set up with the help of Jamf support; the EA and script were provided by them and not at all written by me.

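#!/bin/bash
# Jamf Pro Extension Attribute: reports the PasswordCurrent flag from the Jamf Connect Sync preferences

# Short name of the user at the console (empty at the login window)
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# stderr is discarded so a missing plist or key leaves isCurrent empty
isCurrent=$(defaults read "/Users/$loggedInUser/Library/Preferences/com.jamf.connect.sync" PasswordCurrent 2>/dev/null)

if [ "$isCurrent" != "" ];then

        if [ "$isCurrent" == 1 ];then
                echo "<result>Password Synced</result>"
        elif [ "$isCurrent" == 0 ];then
                echo "<result>Password Not Synced</result>"
        fi

else

        # Retry using the first RecordName from the user's directory record
        alias=$(dscl . -read "/Users/$loggedInUser" RecordName 2>/dev/null | awk '{print $2}')
        isCurrent=$(defaults read "/Users/$alias/Library/Preferences/com.jamf.connect.sync" PasswordCurrent 2>/dev/null)

        if [ "$isCurrent" == 1 ];then
                echo "<result>Password Synced</result>"
        elif [ "$isCurrent" == 0 ];then
                echo "<result>Password Not Synced</result>"
        fi

fi

#!/bin/bash
# Jamf Pro policy script: prompts the user with jamfHelper, then opens the Jamf Connect Sync sign-in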
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Get Help = /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -help
# Variables below can also be set to use script parameters: https://www.jamf.com/jamf-nation/articles/146/script-parameters
# Path to jamfHelper
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# window position (ul | ur | ll | lr)
windowPosition="ll"
# Title text for the notification, example would be Company Name
titleText="Password out of sync"
# Custom heading text to display
headingText=""
# Description that will appear to the end user
descriptionText="Your local Mac password does not match Okta. Please click OK to sign into Jamf Connect Sync."
# Enter a path to an icon to display. Example below will display the Jamf Connect Sync icon
iconLocation="/Applications/Jamf Connect Sync.app/Contents/Resources/AppIcon.icns"
# Timeout in seconds
timeout=""

# Check to see if variables were passed in Jamf Pro
if [ "$4" != "" ] && [ "$windowPosition" == "" ]; then
    windowPosition=$4
fi

if [ "$5" != "" ] && [ "$titleText" == "" ]; then
    titleText=$5
fi

if [ "$6" != "" ] && [ "$headingText" == "" ]; then
    headingText=$6
fi

if [ "$7" != "" ] && [ "$descriptionText" == "" ]; then
    descriptionText=$7
fi

if [ "$8" != "" ] && [ "$iconLocation" == "" ]; then
    iconLocation=$8
fi

if [ "$9" != "" ] && [ "$timeout" == "" ]; then
    timeout=$9
fi


buttonClicked=$( "$jamfHelper" -windowType hud -defaultButton "1" -button1 "Ok" -title "$titleText" -description "$descriptionText" -icon "$iconLocation" -heading "$headingText")

if [[ "$buttonClicked" = "0" ]];then
    su "$loggedInUser" -c "open jamfconnectsync://signin"
fi
sleep 600
jamf recon
exit 0

dmote
New Contributor III

Found this old thread searching for an issue. I tried @erichughes' EA and found the "com.jamf.connect.sync" part needs to be changed in both locations to "com.jamf.connect.state" for the latest version of Jamf Connect (currently 2.23).

Hope this helps someone.
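
An added example, not posted by anyone in this thread and not Jamf's script: one Extension Attribute that covers both plist names mentioned above, trying com.jamf.connect.state first and falling back to com.jamf.connect.sync. The "Password State Unknown" result string and the NFSHomeDirectory lookup are assumptions of this sketch, so test and adjust smart group criteria before relying on it.

```shell
#!/bin/bash
# Added example: Extension Attribute that checks both Jamf Connect preference domains.

# Newest first: the 2.x state plist (per the last reply), then the 1.x Sync plist.
DOMAINS="com.jamf.connect.state com.jamf.connect.sync"

# Print the <result> line for the home directory passed as $1.
password_sync_result() {
    psr_home="$1"
    for psr_domain in $DOMAINS; do
        # defaults exits non-zero when the plist or key is missing: try the next domain.
        psr_value=$(defaults read "$psr_home/Library/Preferences/$psr_domain" PasswordCurrent 2>/dev/null) || continue
        case "$psr_value" in
            1) echo "<result>Password Synced</result>"; return 0 ;;
            0) echo "<result>Password Not Synced</result>"; return 0 ;;
        esac
    done
    # Assumed result string: an explicit value instead of an empty EA.
    echo "<result>Password State Unknown</result>"
}

# Resolve the console user's home from Directory Services rather than assuming /Users/<name>.
console_user_home() {
    cu_name=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    [ -n "$cu_name" ] || return 1
    dscl . -read "/Users/$cu_name" NFSHomeDirectory 2>/dev/null | awk -F': ' '{ print $2 }'
}

# Run the check only where the macOS tools exist.
if command -v scutil >/dev/null 2>&1; then
    if cu_home=$(console_user_home) && [ -n "$cu_home" ]; then
        password_sync_result "$cu_home"
    else
        echo "<result>Password State Unknown</result>"
    fi
fi
```
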