A way to assign computers to LDAP user on first login

pcamdm1
New Contributor II

We are a 1:1 school in grades 7-12 that has all of our students in Open Directory. We bind their computers to the directory due to the mobile Internet filter and user agent which are both installed on the machine. We also have our JSS tied to Open Directory.

Does anyone here have a way to assign a computer to an LDAP user on first login? I'm sure this is possible with a script combined with an attribute, but if someone already has this, that would be a time saver for us.

bpavlov
Honored Contributor

You'd definitely have to script that and use the API. I'm working on something similar and will share it with you in a few weeks when it's ready.

Also, please up vote this feature request which I think would fulfill what you're looking to do:
https://jamfnation.jamfsoftware.com/featureRequest.html?id=3511

jarednichols
Honored Contributor

Been awhile since I've done it, but if the jamf binary still has the -endUsername flag you can do something like this:

#!/bin/sh

# short name of the last user who logged in at the login window
lastUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName)
# submit an inventory report with that user as the computer's assigned user
jamf recon -endUsername "$lastUser"

That will grab the short name of the user logged in and then the jamf binary will do a recon and flow that up to the computer record in the JSS.

pcamdm1
New Contributor II

BOOM Jared! Perfect. Execute it only once and it permanently assigns the device on first login.

Thank you!

smamdani
New Contributor II

Interesting. defaults read /Library/Preferences/com.apple.loginwindow lastUserName returns a value of _mbsetupuser for me when run by an AD user from a Mac bound to AD.

jarednichols
Honored Contributor

Like I said, been awhile since I've done it. There's a zillion ways to determine logged in user so use the method that's preferred for you and returns a reliable result. A lot of folks grab the owner of /dev/console (myself included) and use that.

The big missing piece was getting it to flow up to the JSS and that's where -endUsername comes in.

scottb
Honored Contributor

We've been using this (from 9.32 to 9.65 currently) and it works great.
Set to run at login, once per week. I got this from another thread on this and we have mostly AD users, FWIW.
Also need to make sure that "Collect user and location information from LDAP" is on under:
Computer Management/Computer Inventory Collection/General.

#!/bin/sh

# $3 is the username the jamf binary passes to scripts run by a login/logout policy
/usr/sbin/jamf recon -endUsername "$3"

bpavlov
Honored Contributor

The only problem I can see with that running at login is if you log in as the admin account or some other account that doesn't really belong to the person. Obviously every environment is different, but if either of those are possibilities then that's something to consider.

scottb
Honored Contributor

@bpavlov - yes, that happens on occasion. But for the majority of the time, we get the user. Only time someone is logged in locally is when a tech is working on the Mac, so as an example, my last report of 858 Macs, there were a handful of those.
It's better than what we had which was nothing. If there's a better option, I'm open to it.

brandonusher
Contributor II

@scottb @bpavlov Why not limit it to a specific LDAP group, or exclude a group that contains your admins as well as a local user, ex: exclude Techs, localadmin and caspermanage

bpavlov
Honored Contributor

@usher.br Using that script by @scottb you could certainly hardcode and leave out certain usernames in the script using an if statement to exit if the blacklisted user logs in. But you still may have situations where maybe another user logs into someone else's account (shouldn't be too common but it can happen). Doesn't necessarily have to be a tech. Either way, it's just something to be aware of.

jwzg
New Contributor

Right now it's pulling "root" as the user unless I sign in right after the initial profile pushes down.
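Pulling the replies above together (root or _mbsetupuser turning up as the user, techs logging in with admin accounts, and $3 only being set for login-trigger policies), here is an added example that is not any poster's code. It prefers the $3 a login policy passes, falls back to the owner of /dev/console for Self Service runs, and refuses to run the recon at all when the only candidate is a placeholder or an excluded account. The function names, the EXCLUDED_USERS list (localadmin and caspermanage are the names quoted above; the rest are the placeholders the thread mentions) and the JAMF_BIN default are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread.
# Decide which username to send with `jamf recon -endUsername`, skipping
# placeholder accounts and a list of tech/admin accounts (assumed list).

EXCLUDED_USERS="${EXCLUDED_USERS:-root _mbsetupuser loginwindow localadmin caspermanage}"
JAMF_BIN="${JAMF_BIN:-/usr/sbin/jamf}"   # path used elsewhere in this thread

# console_owner: owner of /dev/console on macOS; empty where stat -f is unavailable.
console_owner() {
    stat -f '%Su' /dev/console 2>/dev/null || true
}

# is_excluded NAME: succeed (0) if NAME is empty or listed in EXCLUDED_USERS.
is_excluded() {
    [ -z "$1" ] && return 0
    for u in $EXCLUDED_USERS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# pick_user LOGIN_ARG CONSOLE_OWNER: prefer the $3 a login-trigger policy passes,
# fall back to the console owner (Self Service, where $3 is empty). Prints the
# chosen name; prints nothing and returns 1 when neither candidate is usable.
pick_user() {
    for candidate in "$1" "$2"; do
        if ! is_excluded "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# submit_user NAME: run the recon with NAME, or refuse when NAME is empty so a
# tech's admin login never overwrites the real assignment in the JSS.
submit_user() {
    if [ -z "$1" ]; then
        echo "populate_user: no usable username, leaving inventory untouched" >&2
        return 1
    fi
    "$JAMF_BIN" recon -endUsername "$1"
}

main() {
    # Jamf passes mount point, computer name and username as $1, $2 and $3
    user=$(pick_user "${3:-}" "$(console_owner)") || true
    submit_user "$user"
}

# Run only when invoked by a policy (the jamf binary always supplies three
# positional parameters); otherwise just define the functions.
if [ $# -ge 3 ]; then
    main "$@"
fi
```

Because the script exits without calling recon when it cannot find a real user, a policy scoped to "once per computer" will simply retry at the next login instead of burning its one run on root or a tech account; the exclusion list lives in one place, so adding a new admin account is a one-line change.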

Kennedy
New Contributor II

We run the following script at login with a policy. The script creates a breadcrumb (file) on the machine which contains the username. We then have an extension attribute that picks up the username out of the breadcrumb file and we exclude the policy from running on computers that already have this breadcrumb, and also exclude admin users etc. What ends up happening is the second time the script is run the username is set in the JSS. This works perfectly for our needs.

#!/bin/bash

#log the output of the script to the jamf.log for easy viewing
logfile=/var/log/jamf.log
exec >> "$logfile" 2>&1

#------------------------------
#-------BEGIN VARIABLES--------
#------------------------------

scriptname="populate_username.sh"
breadcrumb="/Library/BCGS/breadcrumb_username_populated.txt"
currentUser=$(defaults read /Library/Preferences/com.apple.loginwindow lastUserName 2>/dev/null)

#set LoggedInUser as the current user
if [ "$(stat -f '%Su' /dev/console)" == "root" ]
then
    #script is run at login, so the user is the $3 variable
    LoggedInUser=$3
else
    #script is run as self service, so the user is not sent to the script
    LoggedInUser=$(stat -f '%Su' /dev/console)
fi

#------------------------------
#-------END VARIABLES----------
#------------------------------

#prefix every log line the same way the jamf binary does
log() {
    echo "$(date +"%a %b %d %X") $(hostname) jamf[script-$scriptname]: $*"
}

log "  "
log "------------------------------------------------------"
log "--- Starting $scriptname"
log "  "
log "Script variables:"
log "   \$LoggedInUser =  $LoggedInUser"
log "   \$currentUser =  $currentUser"
log ""

if [ -f "$breadcrumb" ]
then
    # We should skip running this script, as it looks like it has already run at a previous reboot.
    # In theory this should never occur, as it should be excluded in the policy, so this is a second
    # measure.
    log "Skipped populating the username as we have already done this."
else
    # Grab the username of the user that last logged in (current user).
    # This will only return an accurate username the second time the user logs in.
    log "Username is '$currentUser'."

    if [ -n "$currentUser" ] && [ "$LoggedInUser" == "$currentUser" ]
    then
        # Usernames are the same, so lets proceed.
        # Submit an inventory report and include the current user to be written to the
        log "Usernames are the same ($LoggedInUser, $currentUser)"
        log "Running 'jamf recon -endUsername $LoggedInUser'."
        jamf recon -endUsername "$currentUser" >/dev/null 2>&1

        # Create the breadcrumb so we know not to run the script again
        log "Creating the breadcrumb."
        mkdir -p "$(dirname "$breadcrumb")"
        echo "$LoggedInUser" >> "$breadcrumb"

        # Run recon again to pick up the breadcrumb extension attribute
        log "Running jamf recon for a second time."
        jamf recon >/dev/null 2>&1
    else
        # Do not write the breadcrumb, then the script will run next time
        log "Usernames are not the same ($LoggedInUser, $currentUser)"
    fi
fi

log "  "
log "--- Finished $scriptname -----------------------------"
log "------------------------------------------------------"
log "  "

exit 0
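The post describes an extension attribute that reads the username back out of the breadcrumb file so the policy can be excluded on computers that already have one. As an added example (not Kennedy's code), here is what that extension attribute script can look like; it assumes the breadcrumb path from the script above and the function names are mine.

```shell
#!/bin/sh
# Added example, not Kennedy's code: extension attribute script that reports the
# username stored in the breadcrumb file. An empty result means "not populated
# yet", which is what the smart group used to scope the policy keys on.
# Assumes the breadcrumb path from the populate script; override BREADCRUMB to test.

BREADCRUMB="${BREADCRUMB:-/Library/BCGS/breadcrumb_username_populated.txt}"

# read_breadcrumb FILE: print the first token on the first non-blank line of FILE
# (the username the populate script wrote); return 1 if the file is missing or empty.
read_breadcrumb() {
    [ -r "$1" ] || return 1
    name=$(awk 'NF { print $1; exit }' "$1")
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# ea_result FILE: wrap the value in the <result> tags Jamf expects from an
# extension attribute script, with an empty result when nothing usable is found.
ea_result() {
    value=$(read_breadcrumb "$1") || value=""
    printf '<result>%s</result>\n' "$value"
}

ea_result "$BREADCRUMB"
```

Since the JSS trusts whatever this file says, keep /Library/BCGS owned by root and not writable by the logged-in user; the populate script runs as root from the policy, so nothing else should need to write there.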

jclements
New Contributor III

I'm trying to accomplish nearly the same thing as the original poster. The difference is that I'd like to have my users do it in one-time computer distribution sessions via Self Service - and thereafter the policy will be unavailable.

However, I can't seem to get the $3 variable to work. If I enter 'jamf recon -endUsername testuser' via a policy and script or type it into the terminal with sudo, then it works fine. Once I try to use 'jamf recon -endUsername $3' the policy runs without error but nothing is changed in the inventory.

Anyone have any suggestions as to what I'm doing wrong? I'm using JSS 9.73 and testing on 10.10.3 and 10.10.4 clients. Our Macs are AD-bound and I'm testing with AD users, both local admins and standard accounts. I copied the script straight out of scottb's comment:

#!/bin/sh

/usr/sbin/jamf recon -endUsername "$3"

brandonusher
Contributor II

Do you have it being run on login? Not sure if that would fix it.

See https://jamfnation.jamfsoftware.com/article.html?id=146 on how $3 is added. You may be able to test it with Self Service too just to make sure it works without having to log in and out all the time. Just make sure to log in to Self Service as the account you want to test with.

jclements
New Contributor III

Thanks for the link, @brandonusher. It seems that the $3 variable requires the policy to be run at login or logout. I'll have to come up with another way to do it. Thanks.

brandonusher
Contributor II

You could try something like this:

#!/bin/sh

# ask SystemConfiguration for the console user; empty string if nobody is logged in or the login window is up
loggedInUser=$(python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
/usr/sbin/jamf recon -endUsername "$loggedInUser"

Don't forget, if the script isn't being run by the JSS you'll have to sudo the jamf command

jclements
New Contributor III

@brandonusher, that works perfectly! Thanks for your help.

GabeShack
Valued Contributor III

Question,
Is there a way to make the JSS look up the LDAP info for that user? I love that this puts the username in the correct field in the inventory, however unless I click the magnifying glass icon in the JSS UI it won't look up the LDAP info. Would love to have this scripted as well.

Gabe Shackney
Princeton Public Schools