Extension Attribute to determine user PSSO status

rabbitt
Contributor II
#!/bin/bash
#Determine PSSO status of current console user logged in at time of recon

#Get current user logged in to device
currentUser=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ( $2 != "loginwindow" ) { print $2 }}' )

#Read the local user's directory record to see if macOS has added the AltSecurityIdentities attribute (the PSSO value has the form "PlatformSSO:<account>")
#Quote the path (user names can contain spaces) and silence dscl's "No such key" noise so only the parsed value is captured
pssoe_status=$(/usr/bin/dscl . read "/Users/$currentUser" dsAttrTypeStandard:AltSecurityIdentities 2>/dev/null | /usr/bin/awk -F'SSO:' '/PlatformSSO/ {print $2}')

if [[ -z $pssoe_status ]]; then
echo "<result>No PSSOe registration found</result>"
else
echo "<result>Yes Entra ID account $pssoe_status registered to $currentUser</result>"
fi


user-zwVXoRajVX
New Contributor II

Thanks, it is very helpful. The result when I check the PSSOe status in the console is:

For a PSSOe-registered Mac, PSSOe status = <<empty>>

For a Mac where PSSOe is not registered, we get PSSOe status = No PSSOe registration found

Both of the above are the Extension Attribute values under the "inventory" tab.

user-zwVXoRajVX
New Contributor II

The question is, in the Extension Attribute, why is the PSSO status empty for a PSSOe-registered Mac?

user-zwVXoRajVX
New Contributor II

After recon, all good now:

Yes Entra ID account x@abc.com registered to x

user-zwVXoRajVX
New Contributor II

How to tackle this:

We registered PSSOe on a Mac and, using the EA, we see the result in the console as per the above script. We removed the PSSOe config profile from the same Mac and ran a recon, but it still shows PSSOe status = Yes Entra ID account x@abc.com registered to x.

I have the same question - basically, is there an automated way to remove all traces of Platform SSO enrollment after removing the profile? I tried deleting the Platform SSO entry from Directory Utility, but that didn't change anything. I wonder if there's a command line solution to delete the token from the Secure Enclave and mark the user as fully local again.

You could, if you wanted to tempt fate, remove the attribute manually via dscl . delete /Users/$USERNAME and the attributes. Personally, I'm not sure of the utility of that. If you remove the PSSO config profile from the device, the key is effectively destroyed and unusable. At that point, though, you would want to make an extension attribute reporting on the state of the machine registration and user enrollment. That's gonna be the "app-sso platform -s" command, which does barf out a LOT of information you'll need to munge through. Think of awk, sed and grep as your friends here.
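As an added example (not the poster's script, and not Jamf's or Apple's code), here is the kind of extension attribute this reply describes: it keeps rabbitt's dscl check for the console user's enrollment and adds a check of device registration from `app-sso platform -s`. The parsing is split into functions that read text on stdin, so they can be exercised on captured output without a Mac. Two assumptions are built in and flagged in the comments: that the Device Configuration section of `app-sso platform -s` contains a `registrationCompleted = 1;` line on a registered device (verify the key name on your macOS release), and that the dscl value has the form `PlatformSSO:<account>`, as the results quoted earlier in the thread show. The sample strings are constructed for the walkthrough, not captured from a real device.

```shell
#!/bin/bash
# Added example EA: report Platform SSO device registration and console-user
# enrollment in one <result>. Not rabbitt's original script.

# Extract the account from the user's AltSecurityIdentities value.
# stdin: output of `dscl . read /Users/<user> AltSecurityIdentities`
# stdout: the account after "PlatformSSO:", or nothing if the user is not enrolled.
psso_user_from_dscl() {
  /usr/bin/awk -F'PlatformSSO:' '/PlatformSSO:/ {
    sub(/^[[:space:]]+/, "", $2); sub(/[[:space:]]+$/, "", $2); print $2; exit }'
}

# Classify device registration from `app-sso platform -s` output.
# ASSUMPTION: a registered device prints "registrationCompleted = 1;" in its
# Device Configuration section; adjust the pattern if your macOS release differs.
psso_device_registered() {
  /usr/bin/awk '/registrationCompleted[[:space:]]*=[[:space:]]*1/ { found = 1 }
    END { print (found ? "registered" : "not registered") }'
}

# Compose the Jamf <result> line from the three facts gathered above.
# $1 = device state, $2 = enrolled account (may be empty), $3 = console user (may be empty)
build_result() {
  local device="$1" identity="$2" user="$3"
  if [ -z "$user" ]; then
    printf '<result>Device %s; no console user at recon</result>\n' "$device"
  elif [ -z "$identity" ]; then
    printf '<result>Device %s; %s not enrolled</result>\n' "$device" "$user"
  else
    printf '<result>Device %s; %s enrolled as %s</result>\n' "$device" "$user" "$identity"
  fi
}

# Talk to the live system: console user, device state, then the user's record.
main() {
  local user device identity
  user=$(echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil \
    | /usr/bin/awk -F': ' '/[[:space:]]+Name[[:space:]]:/ { if ($2 != "loginwindow") print $2 }')
  device=$(/usr/bin/app-sso platform -s 2>/dev/null | psso_device_registered)
  identity=""
  if [ -n "$user" ]; then
    identity=$(/usr/bin/dscl . read "/Users/$user" AltSecurityIdentities 2>/dev/null | psso_user_from_dscl)
  fi
  build_result "$device" "$identity" "$user"
}

# Constructed sample output (not captured from a device) for trying the parsers offline.
SAMPLE_DSCL_ENROLLED='AltSecurityIdentities: PlatformSSO:x@abc.com'
SAMPLE_DSCL_LOCAL='No such key: AltSecurityIdentities'
SAMPLE_APPSSO_REGISTERED='Device Configuration:
{
    registrationCompleted = 1;
}'

# Only query the live system where the macOS tools exist, so the parser
# functions can be sourced and tested on captured text anywhere else.
if [ -x /usr/bin/app-sso ] && [ -x /usr/bin/dscl ]; then
  main
fi
```

Because the dscl attribute survives removal of the configuration profile (the situation described above), the `app-sso platform -s` side is what tells you the device is no longer registered; the EA reports both so the two states can be compared in inventory.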