JamfAAD - Issue
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-31-2021 05:25 AM
Hi All,
One of my user is getting the below pop up and after clicking on Get App it is redirecting to a weird broken link. This user is already registered in Intune/Azure AD and it just randomly started to happen. I am mostly curious about the link. Any ideas where this is coming from?
- Labels:
-
Microsoft Intune
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 05-31-2021 06:52 AM
We have seen this on several machines as well in our environment, the only fix we have found so far is to:
1) delete the devices from Azure and InTune
2) delete the Company Portal App from the machine and reboot
3) reinstall Company Portal App
4) reRun device registration from Self Service
5) Safari HAS to be the default browser - registration seems to fail with Chrome or Edge set as default as your screen shot shows
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-01-2021 12:09 AM
Hi asidhu,
in our environment, we got similar problems too since about a week.
For us, like @brianmcbride99 already mentioned, step 5 is enough to register the clients correctly again after they got unregistered without any reason.
Till now, we got this issue only on clients installed macOS 11.4.0.
A Support Ticket about that case is already opened by us.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-01-2021 01:02 AM
Thank you for confirming and yes the issue was resolved by just changing default browser to Safari without deleting anything.
So it looks like JamfAAD does not work well with other browsers or its something else there thats breaking it when using a different browser.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-01-2021 12:18 PM
deleted
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-01-2021 12:35 PM
We are experiencing this in our environment too. Here is our workflow.
We use this script https://github.com/macbuddy-howto/jamfAAD-and-WPJ-scripts/blob/main/jamf-wpj-clean-up
Have user Open System Preferences, select General and verify Safari is the Default web browser
Restart Mac (this is to verify they are not having login keychain issues)
Have the user open Terminal the type
/usr/local/jamf/bin/JamfAAD clean
hit return
Now open Self Service and search for the policy "Wait for Tech" (attached link to script)
run said policy
Remove the device record from Azure AD and MEM
restart the mac
wait a few minutes to verify the Mac has been removed from Azure AD
Have user register for Conditional Access
After completion wait a few moments for the machine to populate in AAD (maybe have the user run sudo jamf recon) Once the record shows compliance in Azure the user should be able to now sign into Microsoft apps
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-01-2021 01:33 PM
We're seeing this in our environment as well. This was an issue with MSAL pre 10.26 previously and Jamf provided a fix in 10.26. It appears something changed and a new fix will need to be published. For now, Safari is the only workaround we have that works to "Continue".
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-01-2021 02:59 PM
Happening in my environment too. Trying Safari as the workaround.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-02-2021 12:48 AM
@mojo21221 Thanks for the workflow and information. I will try to use that if I receive anymore complaints from users but so far its only a one off as most of users use safari but I guess it would be better if Jamf can fix this and make it work on all browsers.
@IamGroot and @vcherubino So far only Safari works but really Jamf should fix such issues and it should not be something only that can be done via for example a specific browser.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-02-2021 01:01 AM
We got the following reply for our jamf-Call:
Users must have Safari set as the default browser because jamfAAD calls MSAL (https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-overview) to do the auth. And then MSAL calls Safari via the ASWebAuth framework (https://developer.apple.com/documentation/authenticationservices/aswebauthenticationsession) and that is using Safari. I understand the concerns and compliancy if this is requested to have everything going via Microsoft Edge but so far there is no way for this to work via that browser. Changing this would be an Apple Feature Request around ASWebAuth. since jamfAAD is telling MSAL who is telling macOS to call WebKit to do the ASWebAuth. To make this work with other browser we would need to create a feature request with Apple but you could also create a feature request on Jamf Nation - however, our hand are tied because this is how Apple build it.
We used the workflow to change the standardbrowser to Microsoft Edge and registered the clients after that - there were no problems. I don't think that there is any documentation from jamf that Safari needs to be standard. Since a few days this problem occurs without changing our working workflow ...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-02-2021 01:35 AM
@whitebeer Thank you for sharing that. I went through the links given in your post and on the microsoft end it mentions about Safari. However please read this link as if i understand correctly, there is way to make it work on other applications/browsers.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-02-2021 01:56 AM
follow the steps shared by @brianmcbride99 After step no 3 remove the WPJ certificate from keychain
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-07-2021 10:44 PM
@asidhu long story short Chrome and Edge (Chrome based) added this and that is telling macOS to take over for the auth. as it is the default browser, but it can not actually do the auth. fully it seems as needed like Safari, and Firefox does not have that implemented.
It was added on this Change ID: https://chromium-review.googlesource.com/q/I5e140d5fea8dd72e644816b99e97607173c251f3
A temporary workaround is possible in theory... at this time while work is ongoing on the browsers (not really see the EDIT at the bottom of post).
The ASWebAuthenticationSessionWebBrowserSupportCapabilities value that lives in the Info.plist of each respective Chrome based browser can be edited to make macOS not attempt to use that default browser as the ASWebAuth. owner.
To do this use these following commands on the device or as a Jamf Policy action or script.
Set Chrome to not take over ASWebAuth:
/usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" /Applications/Google Chrome.app/Contents/Info.plist
Set Edge to not take over ASWebAuth:
/usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" /Applications/Microsoft Edge.app/Contents/Info.plist
After that is run a user log out and login (or reboot (because you can always use a good reboot)) is needed to reload the settings to the macOS.
After that any jamfAAD gatherAADInfo agent/session that needs interactive mode (password change, session timeout, fresh registration) will default to Safari for the ASWebAuth. as it did a few versions ago.
Note: If Edge or Chrome update that ASWebAuthenticationSessionWebBrowserSupportCapabilities key will be overwritten, and the command will need to be run again. Also, test the Info.plist edit on a few devices before pushing to more devices.
EDIT: The Info.plist change would not be a viable workaround as that breaks other components in the browser as it sees the plist edit as tampering.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-07-2021 11:41 PM
From today our users are reporting a second re-register since the latest jamf upgrade. This is horrible. Our users are extremely frustrated, and so are we. Please jamf put some more resources into this, Bryce can’t do all the work by himself as it seems he is? it’s a really important feature and when it’s not working it’s a REALLY REALLY bad one that wrecks our users ability to work.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-08-2021 01:17 AM
@bryce Thanks for the technical deep dive. If I understand it correctly the issue was already fixed at Chromium in March, so the Fix should have already arrived at the actual builds from Edge and Chrome?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-08-2021 02:08 PM
@jonn1e The issue was triggered by the change in Chromium in March, so is only just now appearing in the production builds of Edge and Chrome.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2021 01:54 AM
Can confirm in our environment as well. Registered users with Chrome as their default browser are complaining about the random popups.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2021 09:59 AM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2021 10:39 AM
@bryce In your post, one of your scripts says this:
Set Chrome to not take over ASWebAuth:
/usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" /Applications/Google Chrome.app/Contents/Info.plist
but at the end you say that editing the Info.plist is not a viable solution. Are you saying that we shouldn't deploy your script then? Or is it more like "here's how you fix the popups, but btw, it will screw up other things so use at your own risk?"
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2021 10:42 AM
Correct @inflicted I went back and edited the post as we have seen small issues here and there with some versions of Chrome and Edge that I can not safely say that is a viable band-aid while we work with others on the browser level fix. I keep the info in the post to give the context of what the root cause is etc.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-09-2021 01:27 PM
Yes, we've got the same issue. I was finding issues with the latest Company Portal (2.16) - I had to go back to 2.13 on Big Sur 11.4 and make Safari the default browser. Then I could get it working.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-10-2021 08:01 AM
I hear that Chrome 91.0.4472.101 has been released... curious if anyone has results (fixed/not fixed) on this version yet? I'll definitely be trying with an end user later but more curious if someone's already attempted.
Update just tried it and no luck (same issue)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-11-2021 12:55 AM
Great idea there Bryce, too bad it didn't work. Thank you for testing the idea!
So for everyone saying Safari is the work-around, are you saying that users who switch to Safari as the default browser will have NO future problems with it until they switch default browser again? I suppose I could push a policy that changes the default browser to Safari for the time being?
Jamf Support is telling me Firefox may work as well, but we're dead set on Edge.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-11-2021 03:12 AM
@bryce Thank you for the information and providing the reason for this issue. Fortunately we have a very small user base for macOS. Looks like making safari the default browser would be the best way to avoid such issues for now but it would be great if there will be a way for Jamf to find a fix for this.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-11-2021 08:00 AM
Been following this one with some interest as we are seeing the same thing in our environment. I wondered if it was possible to write a script to check the default browser, change it to safari if necessary and leave the existing default in a text file so you could prompt the user to change back later (or automate it somehow - not really looked into it)
The idea being that you could add this to the start of your Intune registration policy and it would make sure that users are registering with Safari, getting a JamfAAD clean and hopefully rule out about 80% of your issues, I still need to add some checks, but curious to see what people think.
#!/bin/zsh
# A script to find the default browser and change it to Safari for JamfAAD registration if necessary, also takes a note of the current
# browser so you can prompt the user to change back in a post script on your registration policy. Mercilessly hacked together from a script
# to find the default browser from VikingOSX on Apple Communities - https://discussions.apple.com/thread/251602703 and a script to change
# the default browser from Palandir Technologies on GitHub - https://github.com/palantir/jamf-pro-scripts/blob/main/scripts/Set%20Default%20Browser%20and%20Email%20Client.sh
# Tested on Catalina, may have unpredictable results on Big Sur or later.
# Find the default browser
user=`ls -la /dev/console | cut -d " " -f 4`
function default_browser () {
sudo -u $user osascript <<-AS
use framework "AppKit"
use AppleScript version "2.4"
use scripting additions
property NSWorkspace : a reference to current application's NSWorkspace
property NSURL : a reference to current application's NSURL
set wurl to NSURL's URLWithString:"https://www.apple.com"
set thisBrowser to (NSWorkspace's sharedWorkspace)'s ¬
URLForApplicationToOpenURL:wurl
set appname to (thisBrowser's absoluteString)'s lastPathComponent()'s ¬
stringByDeletingPathExtension() as text
return appname as text
AS
return
}
defaultbrowser=$(printf '%s
' $(default_browser) | sed 's/%20/ /g')
function 1stcheck () {
if [[ $defaultbrowser == "Safari" ]]; then
echo "As default browser is already Safari, registration can continue..."
/usr/local/jamf/bin/jamfAAD clean
exit 0
else
echo "As default browser is not Safari, we will need to change it before registration can continue..."
fi
}
function printbrowser () {
if [[ $defaultbrowser == "Firefox" ]]; then
echo "Printing Firefox to file..."
echo "Firefox" > /tmp/defaultbrowser.txt
fi
if [[ $defaultbrowser == "Microsoft Edge" ]]; then
echo "Printing Microsoft Edge to file..."
echo "Edge" > /tmp/defaultbrowser.txt
fi
if [[ $defaultbrowser == "Google Chrome" ]]; then
echo "Printing Google Chrome to file..."
echo "Chrome" > /tmp/defaultbrowser.txt
fi
}
function changebrowsertosafari () {
########## variable-ing ##########
# Browser agent string should be in the format domain.vendor.app (e.g. com.apple.safari).
browserAgentString="com.apple.safari"
loggedInUser=$(/usr/bin/stat -f%Su "/dev/console")
loggedInUserHome=$(/usr/bin/dscl . -read "/Users/$loggedInUser" NFSHomeDirectory | /usr/bin/awk '{print $NF}')
launchServicesPlistFolder="$loggedInUserHome/Library/Preferences/com.apple.LaunchServices"
launchServicesPlist="$launchServicesPlistFolder/com.apple.launchservices.secure.plist"
plistbuddyPath="/usr/libexec/PlistBuddy"
plistbuddyPreferences=(
"Add :LSHandlers:0:LSHandlerRoleAll string $browserAgentString"
"Add :LSHandlers:0:LSHandlerURLScheme string http"
"Add :LSHandlers:1:LSHandlerRoleAll string $browserAgentString"
"Add :LSHandlers:1:LSHandlerURLScheme string https"
"Add :LSHandlers:2:LSHandlerRoleViewer string $browserAgentString"
"Add :LSHandlers:2:LSHandlerContentType string public.html"
"Add :LSHandlers:3:LSHandlerRoleViewer string $browserAgentString"
"Add :LSHandlers:3:LSHandlerContentType string public.url"
"Add :LSHandlers:4:LSHandlerRoleViewer string $browserAgentString"
"Add :LSHandlers:4:LSHandlerContentType string public.xhtml"
)
lsregisterPath="/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister"
########## main process ##########
# Clear out LSHandlers array data from $launchServicesPlist, or create new plist if file does not exist.
if [[ -e "$launchServicesPlist" ]]; then
"$plistbuddyPath" -c "Delete :LSHandlers" "$launchServicesPlist"
echo "Reset LSHandlers array from $launchServicesPlist."
else
/bin/mkdir -p "$launchServicesPlistFolder"
"$plistbuddyPath" -c "Save" "$launchServicesPlist"
echo "Created $launchServicesPlist."
fi
# Add new LSHandlers array.
"$plistbuddyPath" -c "Add :LSHandlers array" "$launchServicesPlist"
echo "Initialized LSHandlers array."
# Set handler for each URL scheme and content type to specified browser
for plistbuddyCommand in "${plistbuddyPreferences[@]}"; do
"$plistbuddyPath" -c "$plistbuddyCommand" "$launchServicesPlist"
if [[ "$plistbuddyCommand" = *"$browserAgentString"* ]]; then
arrayEntry=$(echo "$plistbuddyCommand" | /usr/bin/awk -F: '{print $2 ":" $3 ":" $4}' | /usr/bin/sed 's/ .*//')
prefLabel=$(echo "$plistbuddyCommand" | /usr/bin/awk '{print $4}')
echo "Set $arrayEntry to $prefLabel."
fi
done
# Fix permissions on $launchServicesPlistFolder.
/usr/sbin/chown -R "$loggedInUser" "$launchServicesPlistFolder"
echo "Fixed permissions on $launchServicesPlistFolder."
# Reset Launch Services database.
sudo -u $user "$lsregisterPath" -kill -r -domain local -domain system -domain user
echo "Reset Launch Services database. A restart may also be required for these new default client changes to take effect."
}
function jamfaadclean () {
/usr/local/jamf/bin/jamfAAD clean
}
echo "Finding the default browser..."
echo "The default browser is... $defaultbrowser"
1stcheck
echo "Taking a note of the current default browser..."
printbrowser
echo "Changing browser to Safari..."
changebrowsertosafari
echo "Running a JamfAAD clean just to be safe...."
jamfaadclean
echo "Sleeping for 10 seconds just to be EXTRA safe...."
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-13-2021 10:41 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-14-2021 12:44 PM
@bouvet if Safari is the default browser the end user would not be re-prompted unless the AAD session ends and MSAL (the auth. binary inside of jamfAAD) needs to interact with the end user to start a new session. This would be if the password has changed (AAD ends the sessions for a re-auth. then), if the end user hits the global time out for all sessions (14 days is default, but an org. can change that in AAD), if the end users macOS keychain was deleted, or if the Revoke all sessions action it taken on the AAD portal for a given user.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-14-2021 12:46 PM
@piotrr an update on a workaround for right now. For those orgs. that are Edge mandated we have a workaround while we work on this with Microsoft.
If you roll back to v90.0.816.66 (last version of v90 ) the ASWebAuth. goes to Safari as needed. This could be a workaround for the time being. The Microsoft CDN location to get this from safely can be found here.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-15-2021 02:58 AM
@bryce, Thank you that's a sweet idea but Edge v90 (and Chrome v90) had a bug with Dynamics 365 interaction that can cause tens of thousands of sign-in events per user per day.
Besides, Edge v90 would just update back to v91 as soon as the user restarts the browser, unless I force that in yet another policy, wouldn't it?
I'm sorry to say we may have to accept Safari as the default browser until Edge v92. At least it will only affect clicks from other apps.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-15-2021 06:05 AM
@davidjess This is the first I've seen of jamfaad clean. Reading the Help, it seems JamfAAD clean does many of the tasks listed under "Cause 6" in Microsoft's troubleshooting article for MEM/Intune integration problems here :
https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-jamf#cause-6
So far I've been doing this mostly manually, but it looks like jamfaad clean could be incorporated into a the first two rows of instructions: There's should be no point running jamfaad at all after jamf removeframework. :)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-15-2021 06:34 AM
So we're also getting hit by this now
keep getting a "jamfaad wants to use microsoftonline.com to sign in" prompt which is really hard to ignore (it takes you away from full screen windows).
Following the steps gets me to a chrome window with the following question "Are you trying to sign in to Cloud Connector user registration app?"
Attempting to click continue results in nothing happening. Looking in the developer tools for errors I am seeing this error "Failed to launch 'jamfaad://aadtokenrequest/?code=<REDACTED> because the scheme does not have a registered handler".
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-15-2021 02:15 PM
@bryce and I have been working with Google for a few days now and there is a potential fix that is currently implemented in Chrome Canary version 93.0.4543.0.
If you have the time, could you
1. Download Chrome Canary from here, https://www.google.com/chrome/canary/
2. Make it the default browser
3. Log out/in or restart
4. Then attempt the Intune registration
The webauth should go through Chrome Canary but it should work fine, I've tried it with some VMs and physical machines and it has been working really well. Let me know how it goes. Thanks.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-15-2021 02:41 PM
How soon would this hit Microsoft Edge beta?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-15-2021 03:15 PM
@Cayde-6 no idea just yet but normal cadence is 6 weeks for Edge Beta. Will reply here as soon as I hear anything about timeline.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-16-2021 12:05 AM
Try running this /Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfAAD.app/Contents/MacOS/JamfAAD -verbose gatherAADInfo -disable-cache-read
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-17-2021 07:39 AM
sorry duplicate post
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-17-2021 07:39 AM
sorry duplicate post
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-17-2021 02:01 PM
Hey @blockcham,
I've tested this on two of my machines 10.15.7 and 11.2.3 and was successful. I even skipped step 3 as an additional test run and still worked.
Hopefully Googs pushes whatever change in this Canary build to a production build soon and Edge gets the fix too.
Thank you man.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-22-2021 12:54 AM
Hi @bryce,
Any updates or news with this issue? Seems like in my small environment everyone is starting to get this, we even had issue after setting Safari as default where it would open a page in Safari, the user enters the creds then it brings them to an "Get App" button which when clicked downloads a blank txt file. What we had to do was to run the jamfaad clean, change default browser again to safari, remove company portal and reinstall from Microsoft site, do a restart then run the reg again using the command then it works fine.
Just wanted to know if something new is coming or i will just need to do this for all of them.
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-22-2021 05:38 PM
As a temporary workaround this seems to work for us in place of the normal device registration policy.
- It backs up both info.plists
- Writes the preference to the Info.plists
- Performs device registration
- Restores the plists
#!/bin/bash
consoleUser=$(/usr/bin/stat -f%Su /dev/console)
if [ "$consoleUser" == "root" ] || [ "$consoleUser" == "_mbsetupuser" ] || [ "$consoleUser" == "temp" ]; then
echo "Current User is $consoleUser exiting "
exit 0
fi
##Kill jamfAAD if running and probably frozen
pkill -9 jamfAAD
if [ -d "/Applications/Google Chrome.app" ]; then
echo "Found Google Chrome"
cp /Applications/Google Chrome.app/Contents/Info.plist /tmp/ChromeInfo.plist
/usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" /Applications/Google Chrome.app/Contents/Info.plist
killall cfprefsd
killall Google Chrome
fi
if [ -d "/Applications/Microsoft Edge.app" ]; then
echo "Found Microsoft Edge"
cp /Applications/Microsoft Edge.app/Contents/Info.plist /tmp/EdgeInfo.plist
/usr/libexec/PlistBuddy -c "set :ASWebAuthenticationSessionWebBrowserSupportCapabilities:IsSupported false" /Applications/Microsoft Edge.app/Contents/Info.plist
killall cfprefsd
killall Microsoft Edge
fi
sudo -u ${consoleUser} /usr/local/jamf/bin/jamfAAD registerWithIntune
if [ -d "/Applications/Google Chrome.app" ]; then
echo "Found Google Chrome"
cp /tmp/ChromeInfo.plist /Applications/Google Chrome.app/Contents/Info.plist
killall cfprefsd
killall Google Chrome
fi
if [ -d "/Applications/Microsoft Edge.app" ]; then
echo "Found Microsoft Edge"
cp /tmp/EdgeInfo.plist /Applications/Microsoft Edge.app/Contents/Info.plist
killall cfprefsd
killall Microsoft Edge
fi