Intune Extension Attribute

jarradyuhas
Contributor

Just wondering if anyone has come up with an extension attribute for Intune integration. Looking to use a smart group to keep track of devices (or users) not yet enrolled in intune.

1 ACCEPTED SOLUTION

ThijsX
Valued Contributor

Hi,

See my EA below; it gets the Azure ID of the currently logged-in user and reports it back to Jamf Pro.
You can set a smart group to show all "None" results and mark those as not registered.

#!/bin/bash

# Console user via the SystemConfiguration framework (this relies on the
# /usr/bin/python that macOS still shipped when the script was posted).
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

# Pull the quoted value after UniqueId out of the Company Portal user context
# file. The path contains a space, so it must be quoted.
AADUNIQUEID="$(grep UniqueId "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" | awk -F'"' '{print $2}')"

if [[ "${AADUNIQUEID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUNIQUEID}</result>"
fi

exit 0



patgmac
Contributor III

What version of Jamf Pro are you running? Recent versions have added a couple of Intune/AAD-related things that can be used to report. I haven't found a need to use an EA anymore like I used to.

alexjdale
Valued Contributor III

I'm also looking for this. At least in 10.12, while there is an Azure AD ID you can pull as a data point for a registered Mac, you cannot use it as a criterion for group membership.

jarradyuhas
Contributor

Thanks Thijs! That's exactly what I needed to get this deployed.

JamelB
New Contributor III

Hi @txhaflaire, it sounds like it doesn't work with the recent version of the Intune client. Could you assist, please? Thank you in advance.

ThijsX
Valued Contributor

@JamelB Please explain? It still works in our env. Jamf Pro collects this value out of the box at the moment, though!

JamelB
New Contributor III

Thank you @txhaflaire. When I run the command locally, you can see the behaviour in the attached screenshot. The AADUNIQUEID is empty even though it exists in the XML file.

https://ibb.co/mDfbQtD

ThijsX
Valued Contributor

@JamelB does the $loggedInUser get populated correctly on the device?

JamelB
New Contributor III

@txhaflaire Yes, it is.

https://ibb.co/3p66pr3

JamelB
New Contributor III

@txhaflaire Any chance to assist? Thank you.

daniel_behan
Contributor II

This stopped working for me as well. I was able to modify the EA to use PlistBuddy instead of grep.

#!/bin/bash

# Console user from who(1); this prints one line per console session.
loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

# Dump the Company Portal user context plist with PlistBuddy and pull the
# aadUniqueId line out of it. The path contains a space, so it is quoted.
AADUNIQUEID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" | grep aadUniqueId | cut -d '=' -f2 | xargs)"

if [[ "${AADUNIQUEID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUNIQUEID}</result>"
fi

exit 0

davidi4
Contributor

Daniel's EA worked for me. The built-in Azure AD values don't seem consistent, especially between the different views inside Jamf Pro.

This is consistent enough for a Smart Group.

JamelB
New Contributor III

@daniel.behan awesome, it works perfectly, thank you very much :)

tvalente
New Contributor III

If anyone's looking at this in 2021: the name of the Company Portal .info file has changed to

com.microsoft.CompanyPortalMac.usercontext.info

Note the additional "Mac" in the filename.
Modify that in Daniel's script and you are good to go!

matt_vin
New Contributor II

Wondering if this is still working for everyone? I just tried in Jamf 10.29.2 with Intune Company Portal 2.14 installed and it does not appear to be working.

dswitmer
New Contributor III

@matt.vin I just set this up today. This grep script worked for me when I changed the name of the file as mentioned above. The other script I found out there using awk didn't work for me today. I had never used either prior.

Levi_
Contributor

Hey everyone. Thank you all for keeping this thread going; it's been a great help to me. I, unfortunately, didn't have much luck with the first script, and had some success with Daniel's script after updating the .plist name with the 'Mac' value. When I ran Daniel's script with the updated 'Mac' name value it would return a UUID-looking string.

I inspected the com.microsoft.CompanyPortalMac.usercontext.info file and observed the 'aadUniqueID' is a UUID value while the 'aadUserID' value is the UPN of the account signed in with Intune. I just modified Daniel's script replacing the 'aadUniqueID' entries with 'aadUserID' and it spits out the UPN just fine.

I hope this helps.

Company Portal 2.16.210501

#!/bin/sh

loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

AADUSERID="$(/usr/libexec/PlistBuddy -c Print /Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info | grep aadUserId | cut -d '=' -f2 | xargs)"

if [[ "${AADUSERID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0

Harrie
New Contributor III

I tried your script as well and the result is None even though I enrolled it in Intune.

Any idea?

tvalente
New Contributor III

Can you manually check that the device has an AADUserID? Does Jamf list it under "Local Accounts" in the device inventory?

Harrie
New Contributor III

Hi,

I checked and yes, it does list an AADUserID.

Hey Harrie,

I apologize for replying so late. Is your script now returning the enrolled AADUSERID user? If you go to the .info file, does it show a user enrolled?

/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info

TobiasO
New Contributor III

Hey,

Try this. Levi forgot to add quotes around the file path :) And I adjusted the way to get the current user, as the command above also showed other users logged in.

#!/bin/sh

# The owner of /dev/console is the user at the console (a single name, unlike who).
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

# Quoted path: "Application Support" contains a space.
AADUSERID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info" | grep aadUserId | cut -d '=' -f2 | xargs)"

if [[ "${AADUSERID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0


Harrie
New Contributor III

This seems to work.

Thanks!

amartin253
New Contributor III

Thanks for the tip! The quotes did the trick!

AdamN_
New Contributor

You can also get PlistBuddy to print the value directly instead of parsing it out:

#!/bin/bash

loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

# Ask PlistBuddy for the key itself; the space in the path is backslash-escaped.
AADUSERID="$(/usr/libexec/PlistBuddy -c 'Print:aadUserId' /Users/$loggedInUser/Library/Application\ Support/com.microsoft.CompanyPortalMac.usercontext.info)"

if [[ "${AADUSERID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0
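Pulling the thread's fixes together (Daniel's PlistBuddy dump, tvalente's CompanyPortalMac filename, Levi's aadUserId key, TobiasO's quoted path and single-user lookup), here is an added example EA that is not a script anyone posted above; it assumes PlistBuddy and scutil are available on the Mac and that the plist carries the aadUserId / aadUniqueId keys Levi_ described, and it also falls back to the older filename.

```shell
#!/bin/sh
# Added example, not a script posted in the thread: one EA that combines the
# fixes above (PlistBuddy, the CompanyPortalMac filename, a quoted path, a
# console-user lookup). Assumes PlistBuddy is present and that the file carries
# the aadUserId / aadUniqueId keys described by Levi_.

# Console user via scutil; empty when nobody or only loginwindow is logged in.
console_user() {
  printf 'show State:/Users/ConsoleUser\n' | /usr/sbin/scutil 2>/dev/null \
    | awk '/Name :/ && !/loginwindow/ { print $3 }'
}

# Print the first usercontext.info that exists, trying the newer name first.
find_usercontext() {
  home="$1"
  for name in com.microsoft.CompanyPortalMac.usercontext.info \
              com.microsoft.CompanyPortal.usercontext.info; do
    if [ -f "$home/Library/Application Support/$name" ]; then
      printf '%s\n' "$home/Library/Application Support/$name"
      return 0
    fi
  done
  return 1
}

# Read one key from a PlistBuddy "Print" dump on stdin. The key must match
# exactly, unlike a plain grep, which would also hit a longer key name.
plist_value() {
  awk -v key="$1" '$1 == key && $2 == "=" { sub(/^[^=]*= ?/, ""); print; exit }'
}

# Jamf EA output: an empty value becomes None so a smart group can match it.
ea_result() {
  if [ -z "$1" ]; then printf '<result>None</result>\n'; else printf '<result>%s</result>\n' "$1"; fi
}

# The key defaults to aadUserId (the UPN); pass aadUniqueId for the object id.
main() {
  key="${1:-aadUserId}"
  user=$(console_user)
  if [ -z "$user" ]; then ea_result ""; return 0; fi
  file=$(find_usercontext "/Users/$user") || { ea_result ""; return 0; }
  dump=$(/usr/libexec/PlistBuddy -c Print "$file" 2>/dev/null)
  ea_result "$(printf '%s\n' "$dump" | plist_value "$key")"
}

main "$@"
```

Because the functions are separate, the same script can be pointed at either key from the EA definition, and a missing file, a logged-out Mac or an absent key all collapse to None rather than to an error.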