Posted on 09-23-2024 10:56 AM
#!/bin/bash
# Determine the PSSO status of the console user logged in at the time of recon
# Get the user currently logged in to the device (empty when sitting at the login window)
currentUser=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )
# Bail out before the dscl read if nobody is logged in; otherwise the record path collapses to /Users/
if [[ -z "$currentUser" ]]; then
    echo "<result>No console user logged in</result>"
    exit 0
fi
# Read the local user directory record to see whether macOS added a PlatformSSO value to AltSecurityIdentities
pssoe_status=$( /usr/bin/dscl . read "/Users/$currentUser" dsAttrTypeStandard:AltSecurityIdentities 2>/dev/null | /usr/bin/awk -F'SSO:' '/PlatformSSO/ {print $2}' )
if [[ -z "$pssoe_status" ]]; then
    echo "<result>No PSSOe registration found</result>"
else
    echo "<result>Yes Entra ID account $pssoe_status registered to $currentUser</result>"
fi
Posted on 09-25-2024 05:20 AM
Thanks, it is very helpful. The result when I check the PSSOe status in the console is:
For a PSSOe-registered Mac, PSSOe status = <<empty>>
For a Mac not registered with PSSOe, we get PSSOe status = No PSSOe registration found
Both of the above are the extension attribute value under the "Inventory" tab.
Posted on 09-25-2024 05:21 AM
The question is: in the extension attribute, why is the PSSO status empty for a PSSOe-registered Mac?
Posted on 09-25-2024 05:29 AM
After recon, all good now:
Yes Entra ID account x@abc.com registered to x
Posted on 09-26-2024 05:25 AM
How do we tackle this?
We registered PSSOe on a Mac and, using the EA from the script above, we see the result in the console. We then removed the PSSOe config profile from the same Mac and ran recon, but it still shows: PSSOe status = Yes Entra ID account x@abc.com registered to x
Posted on 10-22-2024 05:30 AM
I have the same question. Basically, is there an automated way to remove all traces of Platform SSO enrollment after removing the profile? I tried deleting the Platform SSO entry from Directory Utility, but that didn't change anything. I wonder if there's a command-line solution to delete the token from the Secure Enclave and mark the user as fully local again.
Posted on 10-22-2024 08:40 AM
You could, if you wanted to tempt fate, remove the attribute manually via dscl . delete /Users/$USERNAME and the attributes. Personally, I'm not sure of the utility of that. If you remove the PSSO config profile from the device, the key is effectively destroyed and unusable. At that point, though, you would want to make an extension attribute reporting on the state of the machine registration and user enrollment. That's gonna be the "app-sso platform -s" command which does barf out a LOT of information you'll need to munge through. Think of awk sed grep as your friends here.