Jamf Connect Menu Bar Password Expiration and Azure AD

davidmundt
New Contributor III

I haven't seen any documentation so I'm not sure if this is possible but I'd like to show days until password expiration on Jamf Connect Menu Bar. Does anyone have any info on how to do this if it is possible?

14 REPLIES

mikevandelinder
Contributor

@davidmundt it's not currently possible if relying exclusively on Azure AD. When AD is involved, Connect requires being able to connect back to AD on-premise to get information about password expiration. 

Scott_Conway
New Contributor III

I just found this:

Password Syncing with Jamf Connect - Jamf Connect Administrator's Guide | Jamf

Is there a reason why an Azure only setup wouldn't work? According to the Jamf documentation, it should, but I have not been able to test it yet.

We are currently using Azure AD only on our Macs, but the JCL menu bar app doesn't show the password expiration like Nomad did. My users are relying on Azure AD to pop up in a browser to alert them to the need for a password change.

Have you already set in the configuration profile these two values?

<key>ExpirationCountdownStartDay</key>
<integer>14</integer>
<key>ExpirationNotificationStartDay</key>
<integer>7</integer>

I have not tried those keys. I was under the impression they were for AD not Azure AD but I will give them a try. Thanks!!!

I do have those keys set and I still don't get the password expiration date listed in the Menu Bar app.

In our environment we also had to set the Kerberos realm so tickets were pushed to our Macs from the local AD. Now the countdown shows up in the menu bar.

I still have not gotten the expiration notification to work though.

We are all remote and relying on Azure AD for the IDP. I'd love to get it to show days till expiration but it still doesn't.

Do you have an example of this? 

I have Kerberos tickets getting pushed and I still do not see the countdown

Here are our Jamf Connect keys regarding the countdown and notification popup:

<key>PasswordPolicies</key>
<dict>
    <key>ExpirationCountdownStartDay</key>
    <integer>14</integer>
    <key>ExpirationNotificationStartDay</key>
    <integer>7</integer>
</dict>

Thanks!

I took over our Jamf Management on the computer side, and a lot of things weren't configured correctly. In this case (I hadn't thought to check this) our Kerberos realm was wrong.

dvasquez
Valued Contributor

We are seeing the expiration password counter. But some of our end-users see a -22 (for example) counter in the menu bar or after a successful password change there is the wrong number of days. Does anyone see this and have success correcting it?  

We have a K-Realm and the configuration is set correctly. It is more annoying than anything.

Being on a VPN sometimes fixes this and sometimes it does not. 


kinit and reentering the K-Realm password for the end user and restarting Jamf Connect do not correct the counter.

cwaldrip
Valued Contributor

We're Okta with OIDC and AD... (not an identity protect specialist, hacking away as best I can without access to the big boy tools). With Enterprise Connect and Kerberos SSO our clients can see how many days remain until their password expires (immediately the same day they change their password). But JamfConnect only shows the options to warn X days before? Nothing to show how many days remain if outside the short time warnings?

Joostvantwout
New Contributor III

Anyone got this working?
I'm using Jamf Connect with Azure AD only and do not get any password notifications or see anything like days to expire or so.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Appearance</key>
    <dict>
        <key>ShowWelcomeWindow</key>
        <false/>
    </dict>
    <key>HiddenMenuItems</key>
    <array>
        <string>about</string>
        <string>preferences</string>
        <string>quit</string>
        <string>resetpassword</string>
    </array>
    <key>IdPSettings</key>
    <dict>
        <key>Provider</key>
        <string>EntraID</string>
        <key>ROPGID</key>
        <string></string>
        <key>TenantID</key>
        <string></string>
    </dict>
    <key>PasswordPolicies</key>
    <dict>
        <key>ExpirationCountdownStartDay</key>
        <integer>15</integer>
        <key>ExpirationNotificationStartDay</key>
        <integer>15</integer>
        <key>NetworkCheck</key>
        <integer>30</integer>
        <key>PasswordChangeWorkflow</key>
        <string>Web</string>
    </dict>
    <key>SignIn</key>
    <dict>
        <key>AutoAuthenticate</key>
        <true/>
        <key>AutoOpenAppAtLogin</key>
        <true/>
        <key>PasswordLabel</key>
        <string>Password</string>
        <key>RequireSignIn</key>
        <true/>
        <key>UsernameLabel</key>
        <string>Email</string>
    </dict>
    <key>UserHelp</key>
    <dict>
        <key>HelpOptions</key>
        <string>website</string>
        <key>HelpType</key>
        <string>URL</string>
    </dict>
    <key>ChangePasswordURL</key>
    <string></string>
</dict>
</plist>
 
Anyone who has this working and can share his thoughts/plist file would be highly appreciated!
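
A quick way to check an exported Jamf Connect profile for the two things replies in this thread point to: the expiration keys sitting inside the PasswordPolicies dict, and a Kerberos realm being set. This is an added example, not code from any poster or from Jamf; the `Kerberos` > `Realm` key path, the helper names and the sample plists are assumptions constructed for illustration (the thread does not show the realm key).

```python
import plistlib

EXPIRY_KEYS = ("ExpirationCountdownStartDay", "ExpirationNotificationStartDay")
NO_REALM = "Kerberos realm is not set"

def check_profile(plist_bytes):
    """Return findings for a Jamf Connect menu bar preference plist."""
    prefs = plistlib.loads(plist_bytes)
    findings = []
    policies = prefs.get("PasswordPolicies")
    if not isinstance(policies, dict):
        findings.append("PasswordPolicies dict is missing")
        policies = {}
    for key in EXPIRY_KEYS:
        if key in prefs:
            findings.append(f"{key} is at the top level, not inside PasswordPolicies")
        elif key not in policies:
            findings.append(f"{key} is not set")
        elif type(policies[key]) is not int or policies[key] < 1:
            findings.append(f"{key} should be a positive <integer>")
    # Assumption: the realm lives at Kerberos > Realm (key path not shown in the thread).
    kerberos = prefs.get("Kerberos")
    realm = kerberos.get("Realm") if isinstance(kerberos, dict) else None
    if not isinstance(realm, str) or not realm.strip():
        findings.append(NO_REALM)
    return findings

def wrap(body):
    """Wrap constructed key/value XML in a minimal plist document."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<plist version="1.0"><dict>{body}</dict></plist>').encode()

# Constructed sample fragments (values mirror the thread; the realm is made up).
FLAT = ("<key>ExpirationCountdownStartDay</key><integer>14</integer>"
        "<key>ExpirationNotificationStartDay</key><integer>7</integer>")
NESTED = f"<key>PasswordPolicies</key><dict>{FLAT}</dict>"
REALM = "<key>Kerberos</key><dict><key>Realm</key><string>CORP.EXAMPLE.COM</string></dict>"

if __name__ == "__main__":
    for name, body in (("flat keys", FLAT), ("nested, no realm", NESTED),
                       ("nested + realm", NESTED + REALM)):
        print(name, "->", check_profile(wrap(body)) or "no findings")
```

An empty list only means the profile has the shape described in the thread; whether the countdown actually appears still depends on the identity setup the replies discuss.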