Posted on 07-03-2019 10:15 AM
To scripters out there, I'm trying to write an extension attribute that will tell me whether or not the local user matches the AD username. The macs are not AD bound, but JAMF Pro is, and the AD usernames are assigned in JAMF. My thinking is to grab the username via api, then compare and see if it matches one of the local users (most will have an additional 1 or 2 local users). I've done the API part, and I figure I'll use dscl command to get the local users. Can anyone fill in the details please? I would greatly appreciate any help.
Posted on 07-05-2019 05:27 AM
Here's how I solved it:
Create a configuration profile and include in the display name $USERNAME (I guess when you move to in production you could just edit an existing one to accomplish this) for my example I did "OA $USERNAME". This passes the Jamf Pro username assigned to it from AD to the name of the profile.
Create the following extension attribute and adjust where needed:
#!/bin/bash WHO="$(who | awk /console/{'print $1'} | head -1)" JAMFWHO="$(profiles show | grep OA | awk {'print $5'})" if [ $WHO == $JAMFWHO ] then echo "<result>yes</result>" else echo "<result>no</result>" fi
Adjust grep OA to whatever you named your profile (just don't include the $USERNAME variable as that changes), and adjust the second awk to wherever this pushes your users name to in the profile. A good way to check would be to type the following in terminal once the profile is correctly installed:
sudo profiles show | grep OAthen just count the number of words including the username.
Anyway, I'm sure there are more elegant ways of solving this problem... I also don't bind our devices to AD so I've been looking for a solution on passing AD details through and I stumbled upon these payload variables.
Posted on 07-08-2019 12:12 PM
Thanks for the reply. I went ahead and used the 1st part of your script. I was hesitant to use this because this only gives you info on the current user, whereas, using dscl would have given you a list of the local users. But then, I realized that we don't have multi-user macs and the chances that it gives me bad info would be very slim. About the username though - probably, the recommended way to do this is via an API call to the JAMF server itself. If you haven't tried it, here's a quick guide:
setup an API username and password, then go to yourhostaddress/api to lookup the information that you need, then plugin the url into the curl command below. I grab the serial number of the local machine first, then use that to look up the record. You end up with an xml file so you pipe it to xmllint to grab/clean the info you want.
jssUser=apiuser jssPass=apipassword jssHost=https://yourhost.jamfcloud.com serial=$(ioreg -rd1 -c IOPlatformExpertDevice | awk -F'"' '/IOPlatformSerialNumber/{print $4}') username=$(/usr/bin/curl -H "Accept: text/xml" -sfku "${jssUser}:${jssPass}" "${jssHost}/JSSResource/computers/serialnumber/${serial}/subset/location" | xmllint --format - 2>/dev/null | awk -F'>|<' '/<username>/{print $3}') localuser=$(who | awk /console/{'print $1'} | head -1) if [ $localuser == $username ] then echo "<result>yes</result>" else echo "<result>no</result>" fi
Posted on 07-08-2019 12:29 PM
xpath seems a little easier to use:
username=$(/usr/bin/curl -H "Accept: text/xml" -sfku "${jssUser}:${jssPass}" "${jssHost}/JSSResource/computers/serialnumber/${serial}" | xmllint --xpath '/computer/location/username/text()' -)