Intune Extension Attribute

jarradyuhas
Contributor

Just wondering if anyone has come up with an extension attribute for Intune integration. Looking to use a smart group to keep track of devices (or users) not yet enrolled in Intune.

1 ACCEPTED SOLUTION

ThijsX
Valued Contributor

Hi,

See below my EA; it will get the Azure ID from the currently logged-in user and report it back to Jamf Pro.
You can set a smart group to show all "None" and mark those as not registered.

#!/bin/bash

# Console user via SystemConfiguration (the python one-liner Jamf admins used at
# the time; /usr/bin/python is no longer shipped on current macOS)
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')

# Pull the UniqueId value out of the Company Portal user-context file.
# The path contains a space, so it must be quoted; split the matching line on
# double quotes and take the second field (the value).
AADUNIQUEID="$(grep UniqueId "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" | awk -F'"' '{print $2}')"

if [[ "${AADUNIQUEID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUNIQUEID}</result>"
fi

exit 0


29 REPLIES

patgmac
Contributor III

What version of Jamf Pro are you running? Recent versions have added a couple of Intune/AAD-related things that can be used to report. I haven't found a need to use an EA anymore like I used to.

alexjdale
Valued Contributor III

I'm also looking for this. At least in 10.12, while there is an Azure AD ID you can pull as a data point for a registered Mac, you cannot use that as a criteria for group membership.


jarradyuhas
Contributor

Thanks Thijs! That's exactly what I needed to get this deployed.

JamelB
New Contributor III

Hi @txhaflaire, it sounds like it doesn't work with the recent version of the Intune client. Could you assist, please? Thank you in advance.

ThijsX
Valued Contributor

@JamelB Please explain? It still works in our env. Jamf Pro collects this value out of the box at the moment, though!

JamelB
New Contributor III

Thank you @txhaflaire When I run the command locally, you can see the behaviour in the screenshot attached. The AADUNIQUEID is empty even if it exists in the xml file.

https://ibb.co/mDfbQtD

ThijsX
Valued Contributor

@JamelB does the $loggedInUser get populated correctly on the device?

JamelB
New Contributor III

@txhaflaire Yes it is

https://ibb.co/3p66pr3

JamelB
New Contributor III

@txhaflaire any chance to assist ? Thank you

daniel_behan
Contributor III

This stopped working for me as well. I was able to modify the EA to use PlistBuddy instead of grep.

#!/bin/bash

# Console user from the who(1) console session
loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

# Dump the plist with PlistBuddy and pull the aadUniqueId line out of it.
# The path contains a space, so it has to be quoted.
AADUNIQUEID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" | grep aadUniqueId | cut -d '=' -f2 | xargs)"

if [[ "${AADUNIQUEID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUNIQUEID}</result>"
fi

exit 0

davidi4
Contributor

Daniel's EA worked for me. The built-in Azure AD values don't seem consistent, especially between the different views inside Jamf Pro.

This is consistent enough for a Smart Group

JamelB
New Contributor III

@daniel.behan awesome, it works perfectly, thank you very much :)

tvalente
New Contributor III

If anyone's looking at this in 2021; the name of the Company Portal .info file has changed to

com.microsoft.CompanyPortalMac.usercontext.info

Note the additional "Mac" in the filename.
Modify that in Daniel's script and you are good to go!

matt_vin
New Contributor II

Wondering if this is still working for everyone? I just tried in Jamf 10.29.2 with Intune Company Portal 2.14 installed and it does not appear to be working.

dswitmer
New Contributor III

@matt.vin I just set this up today. This grep script worked for me when I changed the name of the file as mentioned above. The other script I found out there using awk didn't work for me today. I had never used either prior.

Levi_
Contributor II

Hey everyone. Thank you all for keeping this thread going it's been a great help to me. I, unfortunately, didn't have much luck with the first script, and had some success with Daniel's script after updating the .plist name with the 'Mac' value. When I ran Daniel's script with the updated 'Mac' name value it would return a UUID-looking string.

I inspected the com.microsoft.CompanyPortalMac.usercontext.info file and observed the 'aadUniqueID' is a UUID value while the 'aadUserID' value is the UPN of the account signed in with Intune. I just modified Daniel's script replacing the 'aadUniqueID' entries with 'aadUserID' and it spits out the UPN just fine.

I hope this helps.

Company Portal 2.16.210501

#!/bin/bash

# Console user from the who(1) console session
loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )

# aadUserId holds the UPN (aadUniqueId is the UUID). Path is quoted because of the space.
AADUSERID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info" | grep aadUserId | cut -d '=' -f2 | xargs)"

if [[ "${AADUSERID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0

Harrie
New Contributor III

I tried your script as well and the result is none even though I enrolled it in intune

any idea?

tvalente
New Contributor III

Can you manually check that the device has an AADUserID? Does Jamf list it under "Local Accounts" in the device inventory?

Harrie
New Contributor III

Hi,

I checked and yes, it does list an AADUserID.

Levi_
Contributor II

Hey Harrie,

I apologize for replying so late. Is your script now returning the enrolled AADUSERID user? If you go to the .info file, does it show a user enrolled?

/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info

TobiasO
New Contributor III

Hey,

Try this. Levi forgot to add quotes around the file path :) And I adjusted the way to get the current user, as the command above also showed other users logged in.

#!/bin/bash

# The owner of /dev/console is the user at the GUI (avoids the extra sessions `who` lists)
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

# Path contains a space, so it is quoted; parse the key out of PlistBuddy's dump
AADUSERID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info" | grep aadUserId | cut -d '=' -f2 | xargs)"

if [[ "${AADUSERID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0

Harrie
New Contributor III

This seems to work.

Thanks

amartin253
New Contributor III

Thanks for the tip! The quotes did the trick!

AdamN_
New Contributor

You can also get PlistBuddy to print the value directly instead of parsing it out:

#!/bin/bash

# The owner of /dev/console is the user at the GUI
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')

plist="/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info"

# Ask PlistBuddy for the key directly. Only do so if the file exists: when it is
# missing PlistBuddy prints "File Doesn't Exist, Will Create: ..." to stdout and
# that text would be captured as the EA value instead of "None".
if [[ -f "$plist" ]]; then
    AADUSERID="$(/usr/libexec/PlistBuddy -c 'Print:aadUserId' "$plist" 2>/dev/null)"
else
    AADUSERID=""
fi

if [[ "${AADUSERID}" == "" ]] ;
then
    /bin/echo "<result>None</result>"
else
    /bin/echo "<result>${AADUSERID}</result>"
fi

exit 0

Keav
New Contributor II

For me the already given methods for getting the logged in user were still pulling the wrong username, so the script always returned "none".

The one I use is this one:

loggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ { print $3 }')

Given as the recommended method in this JNUC 2020 Scripting Best Practices presentation:

https://www.youtube.com/watch?v=L6sabMTyQV8

macguitarman
New Contributor III

Thank you, this is successful, and yes, using scutil is the way to go for loggedInUser.

Just wondering, I am getting the following result instead of "None":

"File Doesn't Exist, Will Create: /Users/_mbsetupuser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info"

Once one AAD registers (in Self Service, and a recon), the EA is updated with the user's AAD ID, as expected.

Returning "None" if the AAD / Intune registration has not happened would be nice (so I think something may be missing / awry?).

Also, anyone have any ideas on guiding users to Self Service and performing the Intune Registration install, using a Jamf Helper notification right now? Much thanks in advance.
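Pulling the points of this thread together (scutil for the console user, the quoted path, the "File Doesn't Exist, Will Create" text that PlistBuddy prints when the file is absent, and the choice between aadUniqueId and aadUserId), here is an added example, not code from any post above, of an EA that parses the XML plist itself and validates the value before reporting it. It assumes the file name and keys the thread reports (com.microsoft.CompanyPortalMac.usercontext.info, aadUniqueId, aadUserId); the sample plist built by make_sample_file is constructed for the demonstration, and the shape checks (UUID, UPN) are my own choice, not something Jamf or Company Portal requires.

```shell
#!/bin/bash
# Added example, not code from the thread: a Jamf Extension Attribute that
# reports the Company Portal (Intune) registration identity for the console
# user, with the failure modes discussed in the thread handled explicitly.

# Constructed sample of the user-context file. The real file lives at
# /Users/<user>/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info
# make_sample_file [UUID] [UPN] -> prints the path of a temporary plist
make_sample_file() {
  local uuid="${1:-3f2c7d54-8b7e-4e0a-9d1b-2f0c7e6a1b23}" upn="${2:-jane.doe@example.com}" f
  f=$(mktemp "${TMPDIR:-/tmp}/usercontext.XXXXXX")
  cat > "$f" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>aadUniqueId</key>
    <string>${uuid}</string>
    <key>aadUserId</key>
    <string>${upn}</string>
</dict>
</plist>
EOF
  printf '%s\n' "$f"
}

# Emit the file as XML. The thread reports the file is XML; plutil normalises a
# binary plist as well but is macOS-only, so fall back to cat elsewhere.
plist_xml() {
  if [ -x /usr/bin/plutil ]; then /usr/bin/plutil -convert xml1 -o - "$1"; else cat "$1"; fi
}

# plist_value FILE KEY -> the <string> that follows <key>KEY</key>, or nothing.
# A missing file or key yields empty output rather than an error message.
plist_value() {
  plist_xml "$1" 2>/dev/null | awk -v key="$2" '
    $0 ~ "<key>" key "</key>" { want = 1; next }
    want && match($0, /<string>[^<]*<\/string>/) { print substr($0, RSTART + 8, RLENGTH - 17); exit }
    want { exit }   # next element was not a <string>: treat the key as missing
  '
}

# Shape checks: the file sits in the user's home directory and whatever it says
# lands verbatim in Jamf inventory (and in smart-group criteria), so only accept
# values that look like what Company Portal writes. Patterns are my assumption.
is_uuid() { printf '%s' "$1" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; }
is_upn()  { printf '%s' "$1" | grep -Eq  "^[A-Za-z0-9._%+'-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\$"; }

# ea_result FILE KEY -> the Jamf <result> line; "None" unless the value exists and is sane
ea_result() {
  local value
  value=$(plist_value "$1" "$2")
  case "$2" in
    aadUniqueId) is_uuid "$value" || value="" ;;
    aadUserId)   is_upn  "$value" || value="" ;;
    *)           value="" ;;
  esac
  printf '<result>%s</result>\n' "${value:-None}"
}

# Console user via scutil (the JNUC-recommended method). Returns non-zero at the
# login window, during Setup Assistant (_mbsetupuser), or when scutil is absent.
console_user() {
  local u
  u=$(printf 'show State:/Users/ConsoleUser\n' | /usr/sbin/scutil 2>/dev/null | awk '/Name :/ { print $3 }')
  case "$u" in ""|loginwindow|_mbsetupuser) return 1 ;; esac
  printf '%s\n' "$u"
}

# main [KEY]: aadUserId reports the UPN, aadUniqueId the Azure AD object id.
# Jamf EA scripts receive no arguments, so change the default here if needed.
main() {
  local user
  user=$(console_user) || { printf '<result>None</result>\n'; return 0; }
  ea_result "/Users/$user/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info" "${1:-aadUserId}"
}

main "$@"
```

Deployed as the EA script it prints "None" at the login window, during Setup Assistant, when the file is missing, and when the value does not have the expected shape; run anywhere else, the functions can be exercised against the constructed sample. The check only confirms that Company Portal has written a registration record on the Mac; it is not an assertion from Intune itself.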

Keav
New Contributor II

I guess there are a number of ways you could implement this. We have a fairly dumb policy that runs a script. We can then run that policy Once a day, Once a week etc. I'm sure there are smarter ways of determining the frequency it should run at, basing it on Smart Groups or enhancing the script and using a launch daemon.

This is the script:

#!/bin/bash

# Define Variables
brandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
policyID="91"
#get logged in user
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

answer=$( osascript << EOF
button returned of (display dialog "Please finish setting up your computer by running the Device Compliance Registration. You will not have full access to company resources until you have completed this registration. Click OK to get started!" buttons {"OK"} default button 1 with icon POSIX file "$brandIcon")
EOF
)

echo "$answer"

# String comparison: -eq is for integers and would have matched any answer here
if [[ "$answer" == "OK" ]]; then
  su "$loggedInUser" -c "killall Self\ Service"
  su "$loggedInUser" -c "open \"jamfselfservice://content?entity=policy&id=$policyID&action=view\""
fi

This will close Self Service if open and then re-open it straight to the Self Service policy that actually performs the registration. In this example, Policy ID 91.

macguitarman
New Contributor III

@Keav Excellent, looks very nice, will give this a try. Thank you!