Posted on 04-21-2021 01:30 PM
Hey Jamf Nation,
Wondering if anyone has come up with a way from a macOS password reset to trigger an even in Jamf. We currently use Okta Device trust, which lives in the keychain, so everytime a user resets their password or we have to provide FV key for password reset, the Okta keychain needs to be replaced. Has anyone found a solution for this?
Posted on 04-21-2021 01:57 PM
@lukasindre Is there a file besides the login keychain database that gets modified when the user resets their password? If so you could use a LaunchDaemon with a WatchPaths key to call the jamf binary and run a policy any time that file changes.
Posted on 04-21-2021 05:38 PM
That is an awesome starting point to look for. I’ll do some testing and see what I can find!
Posted on 04-21-2021 05:47 PM
So we run into this issue as well. I just created a self service policy that reissues the cert. Would be curious to see what solution you come up with. Would be happy to collaborate!
Posted on 04-21-2021 08:20 PM
@rqomsiya would you be willing to share that policy?
Are you just re-running the same normal initial Okta device trust enrollment policy, or something else?
Posted on 04-22-2021 03:56 AM
We reissue the cert via silent policy that runs at checkin, we scope manually to affected users. I'm sure there is a better way to do this, but this just seems to work for us @lucas.cantor
Posted on 04-22-2021 06:56 AM
@lucas.cantor : I just re-run the same policy, however, there is concern b/c you can't re-issue more than 5 times. Has anyone run into that issue?
"A certificate becomes bound to a given user the first time that user accesses a device trust-secured application from a device trust-secured macOS device. Unused certificates are unbound. Okta can issue up to five unbound certificates to the device, one each time you perform the enrollment procedure. As a security precaution, Okta will not issue more than five unbound certificates to a given device. To avoid reaching the unbound certificate limit, ensure that users use the unbound certificates already on the device before you attempt to obtain more certificates through enrollment. If you reach the enrollment limit, the Syslog indicates an enrollment failure and the error message Maximum enrollment limit of 5 certificates for a device is reached appears in the JAMF log."
Posted on 04-22-2021 06:57 AM
As a follow-up, I run a quick script to delete the existing certificate before re-issuing. Is that what you are doing @lukasindre ?
Posted on 04-22-2021 11:16 AM
In the event that there isn't a readily available file that changes or something else you can use as the trigger, maybe take a different tack that accomplishes the same purpose: can you initiate the password change process you need to use from a Self Service item, and set a flag file or validate somehow that the password change completed from within that policy or a followup one, then perform the additional tasks that need to follow after the password change?
We had a requirement to be connected to the org network before changing passwords or things didn't sync properly. It was a bit obvious once we set up a Self Service "change password" item how the act of putting it in Self Service and training users to use only that item was the best solution (since, in our case, getting to Self Service required being on the org network.) Seems like a different scenario where a similar solution could drive this forward...
Posted on 04-22-2021 12:40 PM
Does the login keychain get updated when a password reset occurs? If so, it is actually possible to monitor the logged in user's login.keychain for changes with a LaunchAgent. I've done it before. You could have a script run on every change to the keychain and try to determine if the Okta keychain has been replaced. Once that happens it would need to trigger something to get a policy to run. Perhaps have a corresponding LaunchDaemon watch a file that the LaunchAgent can write to when it detects the change to the Okta keychain entry, which in turn can run a Jamf policy.
It sounds complicated, and I suppose it is a little, but it's doable.