Jamf Nation Community

we do, our KSSO was built with help from apple and it creates a log file.

Maybe it would help instead of focusing on the log file present or not....

how does one make a EA to scan a file and report back if a word is present. and if that word is present that makes the answer for the result.

We use Apple's Kerberos/SSO plug-in also. I also have this Kerberos_SSO.log file in ~/Library/Logs/ root but it's empty. I used FSMonitor to watch my file system as I signed into the SSO plugin and found that it's writing domain data to

~/Library/Group Containers/group.com.apple.KerberosExtension/Library/Preferences/group.com.apple.KerberosExtension.plist

The ~/Library/Preferences/Kerberos_SSO.log file is also being touched but it remains empty (or seemingly so; cat-ing it in Terminal just shows nothing). Maybe you can grep the .plist in GroupContainers?

i think you might be onto something

better then the log file idea.

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

KSSOUSERID="$(/usr/libexec/PlistBuddy -c Print /Users/$loggedInUser/Library/Group Containers/group.com.apple.KerberosExtension/Library/Preferences/group.com.apple.KerberosExtension.plist | grep acme.ORG:userName | cut -d '=' -f2 | xargs)"

if [[ "${KSSOUSERID}" == "" ]] ;

then

/bin/echo "<result>None</result>"

else

/bin/echo "<result>${KSSOUSERID}</result>"

fi

exit 0

I use something like with intune EA

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

AADUSERID="$(/usr/libexec/PlistBuddy -c Print /Users/$loggedInUser/Library/Application\ Support/com.microsoft.CompanyPortalMac.usercontext.info | grep aadUserId | cut -d '=' -f2 | xargs)"

if [[ "${AADUSERID}" == "" ]] ;
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${AADUSERID}</result>"
fi

exit 0

but it doesnt work

Im not sure if its because the grep key has a : in it

acme.ORG:userName

There's also the /usr/bin/app-sso binary, which can output information about who is logged in. But I think it has to be run as the logged in user to get the proper information.

If you want to use that plist though, nothing wrong with that. However, you shouldn't need to use PlistBuddy for reading it, defaults should work fine as it's a pretty flat plist structure. If you know that the REALM details are always going to be the same, something like this should work

/usr/bin/defaults read /Users/$loggedInUser/Library/Group\ Containers/group.com.apple.KerberosExtension/Library/Preferences/group.com.apple.KerberosExtension.plist ACME.ORG:userPrincipalName

In terms of your previous EA script attempts not working, are you sure you're allowing the Macs to submit inventory to see the results? This is a commonly overlooked step when creating EAs. They are only going to show results after an inventory submission.