Question

Scripting password change with JamfConnect



I've used the script found here: https://github.com/HiveMindAutomation/PasswordChecker previously in an AD-bound environment and it worked WONDERFULLY! I am now in an environment where the Macs are not bound to AD, but they do use JamfConnect to handle passwords.  I am trying to get the aforementioned script to work with JamfConnect. I have modified it quite a bit to fit my needs, and all works as designed EXCEPT for the "Change Now" button. It does launch System Preferences as it was originally designed, but I'd like for it to use the Jamf Connect mechanism to handle the password change. My questions are 1) is JamfConnect scriptable at all? and 2) if so, how would I make that Change Now button use JamfConnect instead of System Preferences?  Here's the script in its current form:

 

#!/bin/bash
# Modified from original script found at https://github.com/HiveMindAutomation/PasswordChecker
# The primary modifications are to make the script work in JamfConnect setups where
# the Macs are not bound to AD.

###################### Get current user ########################
CurrentUser=$(ls -l /dev/console | cut -d " " -f4)
IDNum=$(id -u "$CurrentUser")

# Gracefully exit if User is not itsupport
if [[ $CurrentUser = "macadmin" ]]; then
    echo "The macadmin account does not expire. Exiting."
    exit 0
fi

############# Password Policy and Domain Settings ##############
# set Password Policy
PWPolicy=90
# set Password Notification period
PWNotify=14

###################### Get Password Expiry ########################
################## AVOID MODIFYING THIS SECTION ###################
pwlastset=$(defaults read "/Users/$CurrentUser/Library/Preferences/com.jamf.connect.state.plist" UserPasswordSet)
echo "Password last set = $pwlastset"

# get today's date in Unix time (whole days since the epoch)
todayUnix=$(( $(date -u +%s) / 86400 ))
echo "today's unix date = $todayUnix"

# Convert Last Password Change date into Unix Time (whole days since the epoch)
lastPWDUnix=$(( $(date -j -f "%Y-%m-%d %H:%M:%S" "$pwlastset" +%s) / 86400 ))
echo "Unix time = $lastPWDUnix"

# Calculate Difference between Today's Date and Last Changed Date
diffUnix=$(( todayUnix - lastPWDUnix ))
echo "days since PW change = $diffUnix"

# calculate Number of days until password Expiry
expireDays=$(( PWPolicy - diffUnix ))
echo "$expireDays"

##############################################################
###################### User Interface ########################
############## Modify this section as needed #################
# Path on local machine where the logo is stored
logoPath="/Library/Company/Company_icon.png"
# Title of the Window
windowTitle="Company End User Computing"
# Heading of the Window
windowHeading="Your Password is due to expire in $expireDays Days"
# Text to display in the Window
windowText="Your password is due to expire in $expireDays Days.
Please Change your password now to avoid account access problems. If you aren't sure how to change your password, please contact the Service Desk for assistance."
# If user Ignores initial Prompt, they will get a second prompt asking to confirm they wish to ignore it
# Heading of the "Confirmation" Window
sureHeading="Are you sure?"
# Text of the "Confirmation" Window
sureText="You have chosen to Ignore this warning. You will continue to be prompted until your password is changed."
# Label for "Cancel" Button
Button1Label="Ignore"
# Label for "Password Change" Button
Button2Label="Change Now"
# Default Button. 0 is "Ignore", 2 is "Change Now"
DefaultButton=0
ADErrorHeading="Something went wrong with Active Directory"
ADErrorText="IT Services have detected a configuration problem on your computer. Please contact IT Services ASAP to arrange a fix for this issue [for IT Services: Check AD Bind $Domain]"
ADErrorButton="Oh no!"

##############################################################
##############################################################
# Avoid Modifying the script below this line
##############################################################
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"

# Bomb out if AD Bind is busted (no UserPasswordSet value in the Jamf Connect state plist)
if [[ $pwlastset == "" ]]; then
    windowHeading=$ADErrorHeading
    windowText=$ADErrorText
    Button1Label=$ADErrorButton
    "$jamfHelper" -windowType utility -title "$windowTitle" -heading "$windowHeading" -alignHeading center \
        -description "$windowText" -alignDescription center -icon "$logoPath" -button1 "$Button1Label" \
        -defaultButton $DefaultButton -cancelButton 0 -lockHUD
    exit 1
fi

# Determine if Days until Expiry is less than the Notification period
if [[ $expireDays -le $PWNotify ]]; then
    # Prompt User that their password is due to expire soon
    RESULT=$("$jamfHelper" -windowType utility -title "$windowTitle" -heading "$windowHeading" -alignHeading center \
        -description "$windowText" -alignDescription center -icon "$logoPath" -button1 "$Button1Label" \
        -button2 "$Button2Label" -defaultButton $DefaultButton -cancelButton 0 -lockHUD)
fi

# Take result from prompt to update password and determine next action.
# Result 0 is "Ignore" and Result 2 is "Change Now"
if [[ $RESULT = 0 ]]; then
    # On Ignore, provide user an opportunity to change their mind
    windowHeading=$sureHeading
    windowText=$sureText
    RESULT2=$("$jamfHelper" -windowType utility -title "$windowTitle" -heading "$windowHeading" -alignHeading center \
        -description "$windowText" -alignDescription center -icon "$logoPath" -button1 "$Button1Label" \
        -button2 "$Button2Label" -defaultButton $DefaultButton -cancelButton 0 -lockHUD)
elif [[ $RESULT = 2 ]]; then
    # open System Preferences -> Accounts preference pane
    sudo -u "$CurrentUser" open /System/Library/PreferencePanes/Accounts.prefPane
fi

# Determine Action for Second Prompt.
if [[ $RESULT2 = 2 ]]; then
    # open System Preferences -> Accounts preference pane
    sudo -u "$CurrentUser" open /System/Library/PreferencePanes/Accounts.prefPane
#elif [[ $RESULT2 = 0 ]]; then
    # If user ignores a second time
    # TODO - Log ignored prompts somewhere for records.
fi

exit 0

 Do a search for "change now" to find the relevant sections I'm stuck on. 
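The expiry arithmetic in the script above is easy to get subtly wrong, so here is an added example (written for this page, not code from the original post or from the PasswordChecker project) that breaks it into small functions that can be checked on their own. It assumes, as the script does, that `UserPasswordSet` comes back from `defaults read` as a "YYYY-MM-DD HH:MM:SS +0000"-style string, and it parses on both GNU date (Linux) and BSD date (macOS); the sample dates and the `DEMO_*` values are constructed. The empty-value case (state plist missing or unreadable) is returned as an explicit `error` action, which is what the script's "AD Bind is busted" branch handles.

```bash
#!/bin/bash
# Added example: portable password-expiry arithmetic for a Jamf Connect
# password-expiry prompt. Not the original poster's code; sample values below
# are constructed.

# Convert the UserPasswordSet string to epoch seconds.
# Assumption: `defaults read` prints the date as "YYYY-MM-DD HH:MM:SS +ZZZZ".
# A value with no zone suffix is treated as UTC.
parse_pwlastset() {
    raw="$1"
    [ -n "$raw" ] || return 1   # empty value: state plist missing or key absent
    if date --version >/dev/null 2>&1; then
        # GNU date understands the optional "+0000" suffix directly
        TZ=UTC date -d "$raw" +%s
    else
        case "$raw" in
            *" "[+-][0-9][0-9][0-9][0-9])   # BSD date, zone suffix present
                date -j -f "%Y-%m-%d %H:%M:%S %z" "$raw" +%s ;;
            *)                               # BSD date, no zone: assume UTC
                TZ=UTC date -j -f "%Y-%m-%d %H:%M:%S" "$raw" +%s ;;
        esac
    fi
}

# Whole days between the last change and "now" (epoch seconds; defaults to the
# current time), using the same /86400 floor as the original script.
days_since_change() {
    lastset_epoch="$1"
    now_epoch="${2:-$(date -u +%s)}"
    echo $(( now_epoch / 86400 - lastset_epoch / 86400 ))
}

# Days left before expiry under a policy of $2 days; fails if the date is unparsable.
days_until_expiry() {
    pwlastset="$1"; policy="$2"; now_epoch="$3"
    lastset_epoch=$(parse_pwlastset "$pwlastset") || return 1
    echo $(( policy - $(days_since_change "$lastset_epoch" "$now_epoch") ))
}

# What the prompt script should do: "error" when no date could be read,
# "prompt" inside the notification window ($3 days), "quiet" otherwise.
prompt_action() {
    pwlastset="$1"; policy="$2"; notify="$3"; now_epoch="$4"
    left=$(days_until_expiry "$pwlastset" "$policy" "$now_epoch") || { echo error; return 0; }
    if [ "$left" -le "$notify" ]; then echo prompt; else echo quiet; fi
}

# jamfHelper reports the pressed button in its exit status: 0 = button1,
# 2 = button2, the convention the original script relies on.
button_for_result() {
    case "$1" in
        0) echo ignore ;;
        2) echo change ;;
        *) echo unknown ;;
    esac
}

# Constructed demo: password set 20 Sep 2021 10:00 UTC, evaluated 9 Dec 2021 12:00 UTC.
DEMO_LASTSET="2021-09-20 10:00:00 +0000"
DEMO_NOW=1639051200

main() {
    echo "days left: $(days_until_expiry "$DEMO_LASTSET" 90 "$DEMO_NOW")"
    echo "action:    $(prompt_action "$DEMO_LASTSET" 90 14 "$DEMO_NOW")"
    echo "button 2:  $(button_for_result 2)"
}
main
```

Passing `now` in as a parameter is what makes the functions testable against fixed dates; in the real script you would simply omit it and let `days_since_change` fall back to the current time.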

5 replies

  • Honored Contributor
  • 582 replies
  • December 9, 2021

Jamf Connect does have URL schemes that you can use, but it appears that "Change Password" is not one of the URL schemes:

https://docs.jamf.com/jamf-connect/2.7.0/documentation/Jamf_Connect_URL_Scheme.html

If this is important to you, consider an FR. 

That being said, have you looked at just using Jamf Connect's built-in notification options? Assuming you are still using Kerberos tickets, you can have Jamf Connect notify the user when their password is about to expire. You can nudge them by showing the days to expiry in the Menubar (default is 14 days) and then start sending notifications (default at 7 days). Check this list of preferences.

Password Policy Settings


  • Author
  • Esteemed Contributor
  • 1043 replies
  • December 9, 2021

In my experience going way back to ADPassMon and Nomad, users ignore the tiny little numbers in the menu bar. Even if the text turns red, they still find ways to ignore it. It’s too passive for my tastes. Mac notifications are a step in the right direction, but I would describe them as “too timid”. That’s where that script comes into play. It gets in the user’s face and forces them to play an active role in their password expiration. When I implemented that in my previous AD environment, calls from Mac users letting their passwords expire went from several a week to only 1 user in 6 months (and he had an excuse… he was on vacation during the 14 day warning timeframe).  


  • Honored Contributor
  • 582 replies
  • December 9, 2021

Very fair. 

I remembered looking for the URL a while back and just remembered why. We send emails when the user's password is close to expiration. It would be nice to include a URL that takes them right to the change password option.

Anyway, I went ahead and created an FR. Please upvote:

https://ideas.jamf.com/ideas/JN-I-25611

 


  • Author
  • Esteemed Contributor
  • 1043 replies
  • December 10, 2021

Out of curiosity, what would happen if a user changed their password via System Preferences instead of Jamf Connect? 


  • Honored Contributor
  • 582 replies
  • December 10, 2021

Assuming the user is a local user, I think the following would happen:

Jamf Connect would recognize that the local password does not match the last password it saved, so it would do the following:

Ask for the current local password and then attempt to reset the local password back to the known IdP password (assuming it hadn't been changed via some other method).

It would just be confusing for the user. I would encourage users to NOT change their password via System Preferences.

