Jamf Connect Sync - PW Expiration Update without Kerberos

Rhio
New Contributor III

Why this is important:
Our Macs use Jamf Connect Sync and sync Kerberos tickets to obtain the expiration date of their password. Now that everyone is permanently working from home, the computers never touch the network and are not updating their Kerberos tickets, and therefore not updating the expiration of the password. This results in poor behavior such as continuing the current countdown of days left until expiration even after a password is changed, or worse, after it expires, counting up in negative days (i.e. -10 days) since the previous password expired. We do not want to remove this functionality altogether, as about half the workforce will still VPN into our CORP domain and correctly retrieve tickets, and we want that functionality to exist either way, as it is a vital piece of information given how short our password policy is.

What I wanted to accomplish
Have a script that runs on password change and sets the ADExpiration key that Jamf Connect Sync honors, so that even if Kerberos isn't available for a lengthy period (i.e. stay-at-home orders), end users will still have an idea how long they have left until they need to change their passwords once more.

Here's the script I wrote thus far; just set the PW_DURATION number and it should function correctly for you. Depending on how you're executing the script, change "sudo -u" for "-su". Has anyone else come up with a different solution for how to do this for a purely Okta-using organization?

#!/bin/bash
################################
#
# Created by: Rhio
# Created on: May 7th, 2020
# Revision: v2
# Usage: Free to use
#
#################################

## Define the current console user. The Password Change script runs as root with
## Jamf Connect Sync, so the logged-in user (and later their home directory) has to
## be looked up rather than taken from $USER / $HOME.

CURRENT_USER=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");' | tr '[:upper:]' '[:lower:]')

## Nothing to write if nobody is logged in at the console (loginwindow or no session).
if [ -z "$CURRENT_USER" ]; then
    echo "No console user found; nothing to do." >&2
    exit 1
fi

## Resolve the home directory from Directory Services instead of assuming
## /Users/<shortname>, so users whose home folder does not match their shortname still work.
USER_HOME=$(/usr/bin/dscl . -read "/Users/$CURRENT_USER" NFSHomeDirectory | awk '{print $2}')

## How long is your Password Duration policy in days?

PW_DURATION=7

## New expiration date = current date/time + the PW Duration length, formatted to match
## the syntax used in the Jamf Connect Sync plist: YYYY-MM-DDTHH:MM:SSZ (ISO 8601; the T
## separates date from time and the Z means UTC, so the date is generated with -u to match).

EXPIRATION_DATE=$(date -u -v "+${PW_DURATION}d" "+%Y-%m-%dT%H:%M:%SZ")

## Use defaults to write the ADExpiration key with the fully qualified plist path, run as
## the user; otherwise JCS does not pick up the change.

sudo -u "$CURRENT_USER" defaults write "$USER_HOME/Library/Preferences/com.jamf.connect.sync" ADExpiration -date "$EXPIRATION_DATE"

exit 0
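As an added example (not part of Rhio's script or of Jamf Connect Sync itself), the functions below build the ADExpiration value in UTC the same way the script does, parse it back, and compute the whole-day countdown, including the negative count after expiry that the post describes. They assume only that the countdown is the difference between the stored UTC timestamp and the current time in whole days; the epoch values in the comments are constructed test inputs, and the GNU/BSD branches exist so the same code runs on macOS and Linux.

```shell
#!/bin/bash
# Added example: build, parse and evaluate an ISO 8601 UTC expiration stamp.

ISO_FMT="%Y-%m-%dT%H:%M:%SZ"

# True on macOS/BSD date (-j = do not set the clock), false on GNU date.
is_bsd_date() { date -j +%s >/dev/null 2>&1; }

# epoch seconds -> YYYY-MM-DDTHH:MM:SSZ (UTC)
epoch_to_iso() {
    if is_bsd_date; then
        date -u -r "$1" "+$ISO_FMT"
    else
        date -u -d "@$1" "+$ISO_FMT"
    fi
}

# YYYY-MM-DDTHH:MM:SSZ (UTC) -> epoch seconds. The trailing Z is stripped and
# -u is used so the stamp is interpreted as UTC on both date flavours.
iso_to_epoch() {
    local stamp="${1%Z}"
    if is_bsd_date; then
        date -u -j -f "%Y-%m-%dT%H:%M:%S" "$stamp" +%s
    else
        date -u -d "$stamp" +%s
    fi
}

# Expiration stamp N days after BASE (epoch seconds, default now), in UTC.
# This is what the script's `date -u -v +Nd` produces on macOS.
expiration_in_days() {
    local days="$1" base="${2:-$(date -u +%s)}"
    epoch_to_iso $(( base + days * 86400 ))
}

# Whole days between NOW (epoch seconds, default now) and the stored stamp.
# Goes negative once the stamp is in the past, which is the "-10 days"
# symptom seen when ADExpiration is never refreshed.
days_left() {
    local stamp="$1" now="${2:-$(date -u +%s)}"
    echo $(( ($(iso_to_epoch "$stamp") - now) / 86400 ))
}

# Constructed run: base = 2020-05-07T00:00:00Z, a 7-day password policy.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    base=1588809600
    exp=$(expiration_in_days 7 "$base")
    echo "ADExpiration would be: $exp"
    echo "days left on day 0:    $(days_left "$exp" "$base")"
    echo "days left 17 days on:  $(days_left "$exp" $(( base + 17 * 86400 )))"
fi
```

On a Mac you can compare the value the script wrote with `defaults read ~/Library/Preferences/com.jamf.connect.sync ADExpiration` and run `days_left` on it to see the countdown JCS will display; if the stored stamp was generated in local time but labelled Z, the difference between that and a `-u` stamp is exactly your UTC offset.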

dvasquez
Valued Contributor

You are using this script for Okta, is that correct?  Any tips for Azure?

Thank you.