Posted on 12-09-2021 12:03 PM
I've used the script found here: https://github.com/HiveMindAutomation/PasswordChecker previously in an AD-bound environment and it worked WONDERFULLY! I am now in an environment where the Macs are not bound to AD, but they do use JamfConnect to handle passwords. I am trying to get the aforementioned script to work with JamfConnect. I have modified it quite a bit to fit my needs, and all works as designed EXCEPT for the "Change Now" button. It does launch System Preferences as it was originally designed, but I'd like for it to use the Jamf Connect mechanism to handle the password change. My questions are 1) is JamfConnect scriptable at all? and 2) if so, how would I make that Change Now button use JamfConnect instead of System Preferences? Here's the script in its current form:
#!/bin/bash
# Modified from original script found at https://github.com/HiveMindAutomation/PasswordChecker
# The primary modifications are to make the script work in Jamf Connect setups where
# the Macs are not bound to AD: the "password last set" date is read from the Jamf Connect
# state plist instead of from the AD attribute.
###################### Get current user ########################
# Owner of the console device is the logged-in GUI user (more robust than parsing ls -l output)
CurrentUser=$(stat -f %Su /dev/console)
IDNum=$(id -u "$CurrentUser")
# Gracefully exit if the logged-in user is the local admin account, whose password never expires
if [[ "$CurrentUser" == "macadmin" ]]; then
    echo "The macadmin account does not expire. Exiting."
    exit 0
fi
############# Password Policy and Domain Settings ##############
# Maximum password age, in days
PWPolicy=90
# Start prompting this many days before expiry
PWNotify=14
###################### Get Password Expiry ########################
################## AVOID MODIFYING THIS SECTION ###################
# Jamf Connect records when it last set the local password in its per-user state plist.
# Errors (e.g. the key is absent) are silenced here; the empty value is handled below.
pwlastset=$(defaults read "/Users/$CurrentUser/Library/Preferences/com.jamf.connect.state.plist" UserPasswordSet 2>/dev/null)
echo "Password last set = $pwlastset"
# Today's date, in whole days since the Unix epoch (UTC)
todayUnix=$(( $(date -u +%s) / 86400 ))
echo "today's unix date = $todayUnix"
# Convert the last-change date into whole days since the epoch (only if we actually got a date)
if [[ -n "$pwlastset" ]]; then
    lastPWDUnix=$(( $(date -j -f "%Y-%m-%d %H:%M:%S" "$pwlastset" +%s) / 86400 ))
else
    lastPWDUnix=0
fi
echo "Unix time = $lastPWDUnix"
# Calculate the difference between today's date and the last-changed date
diffUnix=$(( todayUnix - lastPWDUnix ))
echo "days since PW change = $diffUnix"
# Calculate the number of days until password expiry
expireDays=$(( PWPolicy - diffUnix ))
echo "days until expiry = $expireDays"
##############################################################
###################### User Interface ########################
############## Modify this section as needed #################
# Path on the local machine where the logo is stored
logoPath="/Library/Company/Company_icon.png"
# Title of the window
windowTitle="Company End User Computing"
# Heading of the window
windowHeading="Your Password is due to expire in $expireDays Days"
# Text to display in the window
windowText="Your password is due to expire in $expireDays Days. Please Change your password now to avoid account access problems. If you aren't sure how to change your password, please contact the Service Desk for assistance."
# If the user ignores the initial prompt, they get a second prompt asking them to confirm they wish to ignore it
# Heading of the "Confirmation" window
sureHeading="Are you sure?"
# Text of the "Confirmation" window
sureText="You have chosen to Ignore this warning. You will continue to be prompted until your password is changed."
# Label for the "Cancel" button
Button1Label="Ignore"
# Label for the "Password Change" button
Button2Label="Change Now"
# Default button. 0 is "Ignore", 2 is "Change Now"
DefaultButton=0
# Shown when Jamf Connect has no record of when the password was last set
ADErrorHeading="Something went wrong with Jamf Connect"
ADErrorText="IT Services have detected a configuration problem on your computer.
Please contact IT Services ASAP to arrange a fix for this issue
[for IT Services: Jamf Connect has no password-set date recorded for $CurrentUser]"
ADErrorButton="Oh no!"
##############################################################
##############################################################
# Avoid modifying the script below this line
##############################################################
jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
# Bomb out if Jamf Connect has not recorded a password-set date
if [[ -z "$pwlastset" ]]; then
    windowHeading=$ADErrorHeading
    windowText=$ADErrorText
    Button1Label=$ADErrorButton
    "$jamfHelper" -windowType utility -title "$windowTitle" -heading "$windowHeading" -alignHeading center -description "$windowText" -alignDescription center -icon "$logoPath" -button1 "$Button1Label" -defaultButton $DefaultButton -cancelButton 0 -lockHUD
    exit 1
fi
RESULT=""
RESULT2=""
# Determine if the days until expiry is within the notification period
if [[ $expireDays -le $PWNotify ]]; then
    # Prompt the user that their password is due to expire soon. jamfHelper prints the
    # clicked button to stdout: 0 for button1 ("Ignore"), 2 for button2 ("Change Now")
    RESULT=$("$jamfHelper" -windowType utility -title "$windowTitle" -heading "$windowHeading" -alignHeading center -description "$windowText" -alignDescription center -icon "$logoPath" -button1 "$Button1Label" -button2 "$Button2Label" -defaultButton $DefaultButton -cancelButton 0 -lockHUD)
fi
# Take the result from the prompt and determine the next action
if [[ "$RESULT" == "0" ]]; then
    # On Ignore, give the user an opportunity to change their mind
    windowHeading=$sureHeading
    windowText=$sureText
    RESULT2=$("$jamfHelper" -windowType utility -title "$windowTitle" -heading "$windowHeading" -alignHeading center -description "$windowText" -alignDescription center -icon "$logoPath" -button1 "$Button1Label" -button2 "$Button2Label" -defaultButton $DefaultButton -cancelButton 0 -lockHUD)
elif [[ "$RESULT" == "2" ]]; then
    # Open System Preferences -> Users & Groups as the logged-in user (the script itself runs as root)
    sudo -u "$CurrentUser" open /System/Library/PreferencePanes/Accounts.prefPane
fi
# Determine the action for the second prompt
if [[ "$RESULT2" == "2" ]]; then
    # Open System Preferences -> Users & Groups as the logged-in user
    sudo -u "$CurrentUser" open /System/Library/PreferencePanes/Accounts.prefPane
# elif [[ "$RESULT2" == "0" ]]; then
#     If the user ignores a second time
#     TODO - Log ignored prompts somewhere for records.
fi
exit 0
Do a search for "change now" to find the relevant sections I'm stuck on.
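The expiry arithmetic in the script above depends on BSD `date -j -f`, so it cannot be exercised anywhere but on a Mac, and an empty or malformed `UserPasswordSet` value silently turns into "password set at the epoch". The following is an added example, not part of the original post or of the HiveMindAutomation project: the same days-until-expiry calculation written as plain shell functions that parse the timestamp themselves, so they run (and can be tested) on any bash, and that report a missing timestamp instead of computing a bogus number. It assumes, as the poster's `date -j -f "%Y-%m-%d %H:%M:%S"` format does, that `defaults read` prints the Jamf Connect date as "YYYY-MM-DD HH:MM:SS +0000"; the sample timestamp and "now" value are constructed, not read from a real machine.

```bash
#!/bin/bash
# Added example: portable days-until-expiry arithmetic for the Jamf Connect
# "UserPasswordSet" timestamp. Not the poster's script; see the lead-in for assumptions.

# days_from_civil Y M D: Gregorian date -> whole days since 1970-01-01.
# Howard Hinnant's days_from_civil algorithm; valid for years >= 1970 here.
days_from_civil() {
    local y=$1 m=$2 d=$3 era yoe mp doy doe
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    mp=$(((m + 9) % 12))
    doy=$(((153 * mp + 2) / 5 + d - 1))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# jc_pwset_days "YYYY-MM-DD HH:MM:SS +0000": the date part of what `defaults read`
# prints for UserPasswordSet -> day number. Returns 1 (prints nothing) if the value
# is empty or does not start with a date, which is the "no timestamp" failure case.
jc_pwset_days() {
    local ts=$1 y m d rest
    case "$ts" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]*) ;;
        *) return 1 ;;
    esac
    y=${ts%%-*}
    rest=${ts#*-}
    m=${rest%%-*}
    rest=${rest#*-}
    d=${rest%% *}
    # Strip one leading zero so "08"/"09" are not treated as octal inside $(( )).
    days_from_civil "$y" "${m#0}" "${d#0}"
}

# days_until_expiry <UserPasswordSet value> <now, epoch seconds> <max age in days>
# Same arithmetic as the poster's script: both dates truncated to UTC days.
# Returns 1 and prints nothing when the timestamp is unusable.
days_until_expiry() {
    local set_day today_day
    set_day=$(jc_pwset_days "$1") || return 1
    today_day=$(( $2 / 86400 ))
    echo $(( $3 - (today_day - set_day) ))
}

# should_nudge <days left> <notification window>: succeeds when the prompt is due.
should_nudge() {
    [ "$1" -le "$2" ]
}

# Constructed sample input (not from a real Mac): the string `defaults read
# /Users/<user>/Library/Preferences/com.jamf.connect.state.plist UserPasswordSet`
# is assumed to print, and a fixed "now" of 2021-12-09 12:00:00 UTC.
sample_pwset="2021-11-20 15:30:00 +0000"
sample_now=1639051200
left=$(days_until_expiry "$sample_pwset" "$sample_now" 90) || left=""
if [ -z "$left" ]; then
    echo "No Jamf Connect password-set date: show the configuration-error dialog"
elif should_nudge "$left" 14; then
    echo "Password expires in $left days: show the jamfHelper prompt"
else
    echo "Password expires in $left days: nothing to do"
fi
```

On a Mac the `sample_pwset`/`sample_now` lines would be replaced by the `defaults read` call and `$(date -u +%s)`; the rest stays the same, and the empty-return path is what the "Something went wrong" dialog in the script should key off instead of an epoch-zero date.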
Posted on 12-09-2021 01:36 PM
Jamf Connect does have URL schemes that you can use, but it appears that "Change Password" is not one of the URL schemes:
https://docs.jamf.com/jamf-connect/2.7.0/documentation/Jamf_Connect_URL_Scheme.html
If this is important to you, consider an FR.
That being said, have you looked at just using Jamf Connect's built-in notification options? Assuming you are still using Kerberos tickets, you can have Jamf Connect notify the user when their password is about to expire. You can nudge them by showing the days to expiry in the menu bar (default is 14 days) and then start sending notifications (default at 7 days). Check this list of preferences.
Posted on 12-09-2021 01:48 PM
In my experience going way back to ADPassMon and Nomad, users ignore the tiny little numbers in the menu bar. Even if the text turns red, they still find ways to ignore it. It’s too passive for my tastes. Mac notifications are a step in the right direction, but I would describe them as “too timid”. That’s where that script comes into play. It gets in the user’s face and forces them to play an active role in their password expiration. When I implemented that in my previous AD environment, calls from Mac users letting their passwords expire went from several a week to only 1 user in 6 months (and he had an excuse… he was on vacation during the 14 day warning timeframe).
Posted on 12-09-2021 01:57 PM
Very fair.
I remembered looking for the URL a while back and just remembered why. We send emails when the user's password is close to expiration. It would be nice to include a URL that takes them right to the change password option.
Anyway, I went ahead and created an FR. Please upvote:
https://ideas.jamf.com/ideas/JN-I-25611
Posted on 12-10-2021 04:25 AM
Out of curiosity, what would happen if a user changed their password via System Preferences instead of Jamf Connect?
Posted on 12-10-2021 05:50 AM
Assuming the user is a local user, I think the following would happen:
Jamf Connect would recognize that the local password does not match the last password it saved, so it would do the following:
Ask for the current local password and then attempt to reset the local password back to the known IdP password (assuming it hadn't been changed via some other method).
It would just be confusing for the user. I would encourage users to NOT change their password via System Preferences.