Posted on 01-04-2019 10:40 AM
Right now our workflow is that a technician sets up the Mac: when they unbox the machine DEP enrolls it, they finish the setup and give it to the user. We're working towards "direct to user" setups, but things like data migrations and various peripheral setups (mainly docks/monitors) keep us on the tech setup model.
My question is, does anyone have a method of getting these tech-setup machines assigned to the user? Right now they go into the JSS with no user assigned; we fix that manually in the JSS, but if I can automate it that would be good.
Is there a jamf command that will assign it? I might be able to link it to our "Make Mobile Admin account" in Self Service.
Posted on 01-04-2019 10:43 AM
Err, found this. I might be able to work with that. Let me know if anyone has this integrated into their deployment already; I'm interested to learn how others are doing it.
jamf recon -endUsername "$lastUser"
Posted on 01-04-2019 03:06 PM
We just have a regular policy that triggers once a week which executes a script to inventory the currently logged-in user (using the command you found). There's logic in the script to inventory the last user to login if the machine is sitting at the Login Window. Since we are an Active Directory shop, Jamf Pro queries the user record and syncs all the other fields (email address, phone number, department, etc.) into the User and Location section of the computer record.
I'm sure somebody has a fancier way of doing it but this works well for us and it will update the data in Jamf Pro if somebody besides the originally assigned owner starts using the machine consistently.
Posted on 01-07-2019 09:28 AM
So @analog_kid I noticed when I use that command it does NOT populate the rest of the fields. So when I used the command to change the owner of my own machine, it changed the name, but left the rest of the information (email, full name, etc.) as me. If I assigned a machine with no current owner, it only does the user name. Weird... any thoughts on that?
If I go into the JSS and assign a user to a machine it pulls all the info over from AD correctly.
Posted on 01-07-2019 10:24 AM
When a tech used to re-assign a machine to a new user I'd have them do so via a Self Service policy that is scoped only to techs. It prompts them for the user name then assigns it in the JSS.
Pretty simple script, I'm sure it could be altered for your needs:
(Mind you this is fairly legacy and uses cocoaDialog. It also uses AD to verify the user via a bind, which we no longer do.)
#!/bin/bash
# Self Service policy (scoped to techs): prompt for a username, verify it in AD, assign it in the JSS.
cocoaDialog="/Library/Application Support/JAMF/bin/cocoaDialog.app/Contents/MacOS/cocoaDialog"
icon="/Applications/Self Service.app/Contents/Resources/Self Service.icns"
check4AD=$(/usr/bin/dscl localhost -list . | grep "Active Directory")
lookupAccount=testuser   # a known domain account, used to confirm the bind really resolves users

# Show an error dialog and stop.
fail() {
    "${cocoaDialog}" ok-msgbox --no-cancel --informative-text "$1" --float --title "Verify Username" --icon-file "${icon}"
    exit 1
}

# If the machine is not bound to AD, then there's no purpose going any further.
if [[ "${check4AD}" != "Active Directory" ]]; then
    fail "Your Mac does not appear to be correctly bound to AD, please rebind."
fi

# Look up a known domain account; if that fails, the bind is broken.
if ! /usr/bin/id -u "${lookupAccount}" >/dev/null 2>&1; then
    fail "Your Mac does not appear to be correctly bound to AD, please rebind."
fi

# Prompt the tech for the username to assign.
username="$(osascript -e 'Tell application "SystemUIServer" to display dialog "Enter the username you are assigning this Mac to:" default answer "" buttons {"OK"} default button "OK"' -e 'text returned of result' 2>/dev/null)"
if [ $? -ne 0 ]; then
    # The user pressed Cancel
    exit 1
elif [ -z "$username" ]; then
    # The user left the username blank
    osascript -e 'Tell application "SystemUIServer" to display alert "You must enter a username; cancelling..." as warning'
    exit 1
fi

# Look up the entered account in AD and check the exit code for an error.
if ! /usr/bin/id -u "${username}" >/dev/null 2>&1; then
    fail "This User cannot be found in AD, please re-run this process."
fi

# Assign the user on the computer record.
/usr/local/jamf/bin/jamf recon -endUsername "${username}"
exit 0
Posted on 01-07-2019 11:12 AM
I run this out of Self Service, scoped to DEP enrollment complete:
#!/bin/bash
# Hide Self Service so the prompt is in front, ask for the username, assign it, then confirm.
osascript -e 'tell application "System Events" to set visible of process "Self Service" to false'

UN=$(/usr/bin/osascript <<-'EOF'
tell application "System Events"
activate
set input to display dialog "Enter User Name: " default answer "" buttons {"OK"} default button 1
return text returned of input as string
end tell
EOF
)

# Don't submit an empty username.
if [ -z "$UN" ]; then
    echo "No username entered; nothing to do." >&2
    exit 1
fi

jamf recon -endUsername "$UN"

# Path contains spaces, so it must be quoted here and wherever it is used.
JH="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
TITLE="GROUP NAME"
ICON="ICON Location"   # replace with the path to your icon file
ADESC="natural"
"$JH" -windowType utility -title "$TITLE" -heading "User Name" -description "The User Name has been successfully added to the JSS computer record." -button1 "Proceed" -icon "$ICON" -alignDescription "$ADESC" -alignHeading "$ADESC"
exit 0
Posted on 01-07-2019 11:13 AM
Pretty simple. It would be nice if it referenced LDAP; there's no check to see if the user is in there.
Posted on 01-07-2019 11:40 AM
@ScottSimmons Yeah, that's a "feature" you've run into. I set this all up in 2012, so I've had to shake the rust off my brain to remember the details. I think all the fields have to be empty for it to pull the entire record over. In my script I have had to do the following hokey thing to overcome it:
jamf recon -endUsername "$UserToLog" -realname " " -email " " -position "UNKNOWN" -building " " -department "UNKNOWN" -phone "------" -room " " > /dev/null
Or else I see that same thing you did where the previous field info is commingled with the new user.
The grain of salt is I haven't retested any of this since the Casper 8/9 days. All I can tell you is my policy along with the aforementioned script still works (Currently running Jamf Pro 10.8) for both initially setting the user info in the computer record and also for updating it if the user changes.
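Putting the two replies above together, here is an added example (not a script from this thread, and not Jamf's own code) of a weekly-policy script: it inventories the console user, falls back to the last console login when the Mac is at the Login Window, and passes the blank-field arguments so Jamf Pro refills User and Location from LDAP. The jamf binary path and the `last` output format are assumptions.

```shell
#!/bin/bash
# Added example: assign the current (or last) end user on the computer record
# and blank the other fields so Jamf Pro repopulates them from LDAP rather
# than keeping the previous owner's values. JAMF_BIN path is an assumption;
# override it (e.g. with a shell function) to exercise the script without Jamf.
JAMF_BIN="${JAMF_BIN:-/usr/local/jamf/bin/jamf}"
# True only for a real end user: the accounts macOS shows at the Login
# Window or during Setup Assistant must never become the assigned owner.
is_end_user() {
    case "$1" in
        ""|root|loginwindow|_mbsetupuser|_*) return 1 ;;
        *) return 0 ;;
    esac
}

# Owner of /dev/console; this is root at the Login Window, never an end user.
console_user() {
    /usr/bin/stat -f '%Su' /dev/console 2>/dev/null
}
# First console (GUI) login in `last` output read from stdin, skipping
# reboot/shutdown pseudo-entries and terminal (ttys*) sessions.
last_login_user() {
    awk '$2 == "console" && $1 != "reboot" && $1 != "shutdown" { print $1; exit }'
}
# Choose whom to inventory: the console user, else the last console login.
pick_user() {
    local u
    u="$(console_user)"
    if ! is_end_user "$u"; then
        u="$(/usr/bin/last 2>/dev/null | last_login_user)"
    fi
    is_end_user "$u" && printf '%s\n' "$u"
}

# Submit inventory. The blank values for every other field are the workaround
# from the thread: with them set, Jamf Pro pulls the whole record from LDAP.
run_recon() {
    "$JAMF_BIN" recon -endUsername "$1" -realname " " -email " " \
        -position "UNKNOWN" -building " " -department "UNKNOWN" \
        -phone "------" -room " "
}

main() {
    local user
    user="$(pick_user)" || { echo "No end user found; skipping." >&2; return 0; }
    run_recon "$user" >/dev/null && echo "Assigned $user" >&2
}

[ "$(uname -s)" = "Darwin" ] && main "$@"
```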
Posted on 01-07-2019 11:47 AM
@ScottSimmons Also, do you have the "Collect user and location information from LDAP" setting enabled in Settings > Computer Management > Inventory Collection? I recall this was part of making it work.
Posted on 04-14-2019 09:57 PM
@cliftoja great script. When you mentioned "scoped to DEP enrollment complete:", is this a custom event you have defined within your enrollment workflow if DEP enrolled, or is this policy scoped to a Group named "DEP enrolled" with criteria set to "Enrolled via DEP" perhaps? We are running Jamf Pro on prem, version 10.6.0, and for triggers there is only "Enrollment Complete", which as far as I can determine does not allow differentiation between a user-initiated enrollment and DEP enrollment. For browser-based user-initiated enrollment, the user info is captured, so this additional user-details entry would not be required. We are looking to move to DEP enrollment as the primary/sole enrollment method, so we plan to remove the need for user-initiated enrollments, but for now we need to have both workflows in parallel, with logic to separate each. Thanks.
Posted on 04-15-2019 08:31 AM
Smart Group using the "Enrolled via DEP" and Trigger on Enrollment complete.
Posted on 04-15-2019 10:24 AM
Force a login to DEP. In my experience, the computer gets assigned to the user that logs in to DEP.