I've a complex problem to handle with Apple School Manager and JSS integration.
JSS use AD as source of user with following mapping settings:
— JSS:User ID --> AD:uSNCreated
— JSS:User Name --> AD:samAccountName
— JSS:Real Name --> AD:displayName
— JSS:Email --> AD:mail
— JSS:UUID --> AD:ObjectGUID
Apple School Manager use AD via custom script (https://gist.github.com/ygini/d8b7be9b7badd8042efef0df827b46fe) with following mapping settings:
— ASM:person_id --> AD:ObjectGUID
— ASM:first_name --> AD:GivenName
— ASM:last_name --> AD:Surname
— ASM:email_address --> AD:EmailAddress
— ASM:sis_username --> AD:UserPrincipalName
— ADM:managed_apple_id --> user part of the e-mail address with appleid prefix on the domain part
My main problem is: current version of JSS is too restrictive in filed available for match.
I need a way to:
Construct a dynamic field on JSS to match ASM way to create MAI
Match ASM and JSS based on e-mail address (you've e-mail for JSS side but not ASM)
Match ASM and JSS based on the UUID (ASM allow me to access to sis_id but JSS don't allow me access to imported UUID field)
I've a small workaround working only for already imported user: I've made a custom software using JSS API to fill a user extended attribut with Managed Apple ID built with the same rules as ASM, but it work only for existing user since JSS don't allow me to pre import all my LDAP users… So I can't use this workaround for new students.
If someone has an idea…
@ygini Does AD:mail = AD:EmailAddress ? Have you tried:
'Managed Apple ID' STARTS WITH 'Email (JSS)'
But I suspect the Email would need to be entirely in the Managed Apple ID. Or if the JSS username is the base of their email address:
'Managed Apple ID' STARTS WITH 'Username (JSS)'
but it work only for existing user since JSS don't allow me to pre import all my LDAP users… So I can't use this workaround for new students.
Also I would double check the users being created by the ASM import and subsequent syncing. In my testing they were JSS user objects and not LDAP so they won't be updated by LDAP during Update Inventory (if you have that setting on). I've decided to pre-create the users with the API.
'Managed Apple ID' STARTS WITH 'Email (JSS)' don't fit in my case because Managed Apple ID look like firstname.lastname@example.org and e-mail are email@example.com
I've turn the problem all the way I can, I've been forced to change my Apple School sync script to use JSS username as student primary ID (against Apple recommandation and all database good practices)
And regarding 'Managed Apple ID' STARTS WITH 'Username (JSS)' it was a problem too due to the difference between e-mail address and samAccountName.
I didn't do the JSS setup, it was an other consultant without any skills or experience who did it. If you read this post and setup a brand new JSS, please, use UserPrincipalName as username.
The good idea IMHO is to use a Managed Apple ID who look like your User Principal Name.
From my experience, the best setup for all those things is:
- Local domain like edu.myschool.net
- User Principal Name like firstname.lastname@example.org
- Email like email@example.com
JSS username linked to User Principal Name (and not useless and too limited samAccountName)
And for now due to JSS limitations, person_id in ASM import must be User Principal Name
Regarding current experience I have I think this would be the most appropriate solution.