Find out who is signed in to iCloud, and with what account!

sdamiano
Contributor II

I don't know how to upload an extension attribute, but I wrote this as it came out of a need.

The mere presence of MobileMeAccounts.plist doesn't tell you if someone is actively signed in to iCloud or not. However, the contents of that plist file will tell you if someone is or is not signed in to iCloud.

This EA was tested on Catalina; on other versions your mileage may vary. This EA will print the email address used to sign in to iCloud.

#!/bin/sh
## Get logged in user
loggedInUser=$(stat -f%Su /dev/console)
## Pull the AccountID value out of the Accounts array; empty if nobody is
## signed in or the plist does not exist (errors from a missing plist are discarded)
icloudaccount=$( defaults read "/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist" Accounts 2>/dev/null | grep AccountID | cut -d '"' -f 2)

if [ -z "$icloudaccount" ]
then
    echo "<result>Null</result>"
else
    echo "<result>$icloudaccount</result>"
fi

shaquir
Contributor III

Nice script! You could probably build that email call into this EA for even more info: iCloud Services Enabled.zsh.

We're about to restrict what services our users are using with iCloud. I don't want to prohibit iCloud altogether. I just want to deny the use of Find my Mac and iCloud Drive. Both of these cause problems. Find my Mac being turned on causes problems with getting Macs repaired by Apple, and iCloud Drive is a HUGE security issue. The script you linked to delivers results that show what services the users are using, but I'm trying to figure out how to build a smart group from this EA. The results if a user is logged into iCloud is a list of all of the services that they're connected to. The EA does not provide a simple yes or no answer if a user is logged in. That said, if there are results posted in the Mac's inventory for this EA it means that the user is logged in. That's helpful even if creating a smart group is a pain.
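An added example, written for this thread rather than taken from the original poster's EA or from Jamf: it keeps the original idea (an empty Accounts array in MobileMeAccounts.plist means nobody is signed in, and AccountID carries the address) but emits a plain Yes/No that a smart group can key on, and tags the account as managed or personal by its domain, which is the criterion later replies build smart groups on. Assumptions: the XML form of the plist keeps each account's AccountID as a `<key>AccountID</key>` followed by a `<string>` value (the same pair the original `grep AccountID` relies on), the two sample plists are constructed here and not captured from a real Mac, and `MANAGED_DOMAIN` is a placeholder to replace with your own Managed Apple ID domain. On a Mac the script reads the console user's real plist through `plutil -convert xml1`; elsewhere it runs the constructed samples.

```shell
#!/bin/bash
# Added example for this thread (not the original poster's EA, and not Jamf code).
# Reports a plain Yes/No that a smart group can key on, plus the account and
# whether it belongs to the organisation's Managed Apple ID domain.
# Assumptions: the XML form of MobileMeAccounts.plist keeps each account's
# AccountID in a <key>AccountID</key><string>...</string> pair, and
# MANAGED_DOMAIN is a placeholder to replace with your own domain.

MANAGED_DOMAIN="${MANAGED_DOMAIN:-example.org}"

# Constructed sample of a signed-in plist in XML form (not captured from a real Mac).
SAMPLE_SIGNED_IN='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Accounts</key>
    <array>
        <dict>
            <key>AccountID</key>
            <string>jane.doe@example.org</string>
            <key>AccountDescription</key>
            <string>iCloud</string>
        </dict>
    </array>
</dict>
</plist>'

# Constructed sample after sign-out: the Accounts array is empty.
SAMPLE_SIGNED_OUT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Accounts</key>
    <array/>
</dict>
</plist>'

# Read plist XML on stdin and print the AccountID, or nothing if there is none.
# Newlines are dropped first so the key and its value can be matched together.
icloud_account_from_xml() {
    tr -d '\n' | sed -n 's/.*<key>AccountID<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p'
}

# Build the EA result from an account id: "No" when empty, otherwise "Yes"
# tagged managed or personal by the address's domain.
icloud_ea_result() {
    account="$1"
    if [ -z "$account" ]; then
        echo "<result>No</result>"
        return
    fi
    case "$account" in
        *@"$MANAGED_DOMAIN") echo "<result>Yes (managed): $account</result>" ;;
        *)                   echo "<result>Yes (personal): $account</result>" ;;
    esac
}

# Run both constructed samples through the pipeline (one result line each).
demo_constructed_samples() {
    icloud_ea_result "$(printf '%s' "$SAMPLE_SIGNED_IN" | icloud_account_from_xml)"
    icloud_ea_result "$(printf '%s' "$SAMPLE_SIGNED_OUT" | icloud_account_from_xml)"
}

# On a Mac, read the console user's real plist (binary on disk, so plutil
# converts it to XML on the fly). Elsewhere, run the constructed samples.
if [ "$(uname)" = "Darwin" ] && [ -z "$ICLOUD_EA_DEMO" ]; then
    loggedInUser=$(echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }')
    plist="/Users/$loggedInUser/Library/Preferences/MobileMeAccounts.plist"
    if [ -z "$loggedInUser" ]; then
        echo "<result>No user logged in</result>"
    elif [ ! -f "$plist" ]; then
        icloud_ea_result ""
    else
        icloud_ea_result "$(/usr/bin/plutil -convert xml1 -o - "$plist" | icloud_account_from_xml)"
    fi
else
    demo_constructed_samples
fi
```

The sed parser exists only so the functions can be exercised without macOS tooling; in the EA itself `defaults read`, as in the original script, is the simpler way to get the value. Because the result starts with a fixed word, a smart group criterion of "Yes (managed)" or "No" works without any regex on the inventory field. As the later replies note, an AccountID present in the plist shows the last account that signed in, not that the session is still fully authenticated, so treat "Yes" as "an account is configured".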

tlarkin
Honored Contributor

Python example if anyone uses that here

kwoodard
Contributor III

Is the logged in user just whomever is signed in to iCloud in system preferences, or does it only check if the current user is signed into iCloud?

GabeShack
Valued Contributor III

This is great. Now to make an annoying message that pops up over and over until they sign into their Managed Apple ID.

I figure something with an open /System/Library/PreferencePanes/Accounts.prefPane/ command. Anyone doing something like this already and care to share?

Gabe Shackney
Princeton Public Schools


matt_wiese
New Contributor III

@GabeShack I'm very much on this train - any luck in your venture?

GabeShack
Valued Contributor III


So we are using this with the following parameters:

#!/bin/bash

# 05/19/17
# Written by Balmes Pavlov
#
# This script is intended to be used with Jamf Pro.
# The purpose of this script is to load the JAMFHelper dialog in when a policy runs.
# Parameters will be used to determine the Window Type, Header, Description, Icon, and Button Text. They are described in full detail below.
# The JAMFHelper has many more functions beyond what's used in this script. This script was intended to cover the features I'd most likely use
# while making it flexible enough to use in multiple policies.
# 
# Parameters:
# Required: $4 is the window type used by JamfHelper. There are only three possible values: fs, hud, and utility. Note: All these window types can be exited using CMD + Q.
#    hud: creates an Apple "Heads Up Display" style window
#    utility: creates an Apple "Utility" style window
#    fs: creates a full screen window the restricts all user input
# Required: $5 is the title text used by JamfHelper for the dialog window. Does not appear in the fullscreen dialog, but you still need to fill it out.
# Required: $6 is the header text used by JamfHelper.
# Required: $7 is the description message used by JamfHelper.
# Optional: $8 is the icon path used by JamfHelper. Do not escape characters. If not using one, leave empty. Heavily recommended to use it otherwise dialogs look weird.
# e.g. /My Directory.app/icon.icns is a valid path. /My\ Directory.app/icon.icns is not a valid path.
# Optional: $9 is the text in the first button. Requires that $4 be set to "utility" or "hud" otherwise the value in this parameter will be ignored.
# Pressing the button will not have any effect other than to cause the dialog window to close.
# 
# Exit Codes:
# 1. Indicates that there is a parameter missing.
# 
# The following variable is used for JAMF Helper. While it will pick up text from JSS parameter 6, there is extra text that is hard coded which perhaps you want to modify.
#
# IT Contact Info
# You can supply an email address or contact number for your end users to contact you. This will appear in JAMF Helper dialogs.
# If left blank, it will default to just "IT" which may not be as helpful to your end users.
it_contact="support@princetonk12.org"

if [[ -z "$it_contact" ]]; then
    it_contact="IT"
fi

message="${7}"
#This update may take up to 20 minutes, but if you're on a slower connection it can take substantially longer. If it takes longer than expected, please contact: $it_contact.
#START TIME: $(/bin/date)

# Modify the code below at your own risk.
window_type="${4}"
title="${5}"
header="${6}"
icon="${8}"
button_one="${9}"

jamfHelper="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
path_to_jhpid="/tmp/jamfHelper_PID.txt"
# Get the logged in user
loggedInUser=$( echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
loggedInUID=$(/usr/bin/id -u "$loggedInUser" 2>/dev/null)
# global check if there is a user logged in
if [ -z "$loggedInUser" ] || [ "$loggedInUser" = "loginwindow" ]; then
    echo "no user logged in, cannot proceed"
    exit 1
fi

display_message (){
    shopt -s nocasematch
    
    if [[ "$1" = "fs" ]]; then
        if [[ -n "$3" ]] && [[ -n "$4" ]]; then
            if [[ -z "$5" ]]; then
                "$jamfHelper" -windowType "$1" -title "$2" -heading "$3" -description "$4" & /bin/echo $! > "$path_to_jhpid"
                exit
            elif [[ -n "$5" ]]; then
                "$jamfHelper" -windowType "$1" -title "$2" -heading "$3" -description "$4" -icon "$5" & /bin/echo $! > "$path_to_jhpid"
                exit
            fi
        elif [[ -z "$2" ]] || [[ -z "$3" ]] || [[ -z "$4" ]]; then
            /bin/echo "You are missing a parameter in the JSS. Please make sure to fill in all JSS parameters."
            exit 1
        fi
    elif [[ "$1" = "utility" ]] || [[ "$1" = "hud" ]]; then
        if [[ -n "$2" ]] && [[ -n "$3" ]] && [[ -n "$4" ]]; then
            if [[ -z "$5" ]] && [[ -n "$6" ]]; then
                "$jamfHelper" -windowType "$1" -title "$2" -heading "$3" -description "$4" -button1 "$6" -defaultButton 1 & /bin/echo $! > "$path_to_jhpid"
                exit
            elif [[ -z "$5" ]] && [[ -z "$6" ]]; then
                "$jamfHelper" -windowType "$1" -title "$2" -heading "$3" -description "$4" & /bin/echo $! > "$path_to_jhpid"
                exit
            elif [[ -n "$5" ]] && [[ -z "$6" ]]; then
                "$jamfHelper" -windowType "$1" -title "$2" -heading "$3" -description "$4" -icon "$5" & /bin/echo $! > "$path_to_jhpid"
                exit
            elif [[ -n "$5" ]] && [[ -n "$6" ]]; then
                "$jamfHelper" -windowType "$1" -title "$2" -heading "$3" -description "$4" -icon "$5" -button1 "$6" -defaultButton 1 & /bin/echo $! > "$path_to_jhpid"
                exit
            fi
        fi
    fi
    
    shopt -u nocasematch
}

display_message "$window_type" "$title" "$header" "$message" "$icon" "$button_one"

/bin/echo "You are missing a parameter in the JSS. Please make sure to fill in all JSS parameters."
exit 1

Followed by this:

#!/bin/bash

# Get the logged in user
loggedInUser=$( echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
loggedInUID=$(/usr/bin/id -u "$loggedInUser" 2>/dev/null)
# global check if there is a user logged in
if [ -z "$loggedInUser" ] || [ "$loggedInUser" = "loginwindow" ]; then
    echo "no user logged in, cannot proceed"
    exit 1
fi

if [[ -n "$loggedInUser" ]]; then
    /bin/launchctl asuser "$loggedInUID" /usr/bin/open /System/Library/PreferencePanes/AppleIDPrefPane.prefPane
fi

sleep 200
jamf recon
exit 0

Gabe Shackney
Princeton Public Schools

matt_wiese
New Contributor III

This is fantastic, Gabe! Having some issues getting the account truly recognized, whether logged in or not. Also having an issue with getting the iCloud pref pane to open upon button click, if you can help out.

GabeShack
Valued Contributor III

@matt_wiese 

Sorry for the much delayed response but I've been underwater lately with all the support for one-to-one.

I see the same issue, since it doesn't actually show if the iCloud account is "fully" logged in; it just shows it as the user who at least "was" logged into iCloud. Apple has said the random logouts from iCloud should have been resolved in 11.6 (or it may have been 11.5 or 11.4, I forget now).

The pref pane issue is usually a PPPC issue where you have to allow Jamf or AppleScript etc. to use accessibility to click and open buttons in the system. I take a wide road in allowing things to use accessibility, since I love to automate so much, but Apple is not a fan of this and these automations usually break with each macOS update. If you read the policy failure log, you should see the service that is getting denied access to click the button, and then you just have to make a config profile to allow it access to the Privacy/Accessibility settings, which is much easier to create in PPPC Utility.

Hope that helps!

Gabe Shackney
Princeton Public Schools

sdamiano
Contributor II

@gshackney you can use jamfHelper for nags! Here is a script that I use to use jamfHelper in a policy. https://github.com/bp88/JSS-Scripts/blob/master/jamfHelperScreen.sh

St0rMl0rD
Contributor III

Thanks for the script, works great. However, it would be awesome if the results could be written into a file (let's say, on a server). How would one achieve that, without having to go through each individual Mac in the logs of the script to check for the results?

GabeShack
Valued Contributor III

So I end up making smart groups based on whether our domain appears in the results or not, which then keeps them in or out of the logout portions of the script, but I'm sure you could write it to a file. Uploading to a server would also be scriptable, but I'm not sure how that would work.

What are you needing to see from the logs?

Gabe Shackney
Princeton Public Schools