Login Window Deny Access for Active Directory Users

bofh
New Contributor III

Hi,

I created a Configuration Profile for my Machines that would enforce, that Group XY and User ZZZ are denied at login. (Configuration Profile -> LoginWindow -> Access Tab -> Deny )
The Profile got distributed and i can see it on the Machine.
But I still can login with Users in the Group aswell as with the User is explicitly denied.
I use OSX 10.10, with an Active Directory on Server 2012 level.
We have CasperSuite 9.63 running at our site.

Can anyone help me how to deny some accounts via a Profile - or do you have similar Problems doing that with Profiles?

Best regards,
bofh

1 ACCEPTED SOLUTION

etippett
Contributor II

I tried doing this with Casper 9.63 and OSX 10.9. I experienced the same issue and was told by JAMF it was a bug on Apple's part. It's unfortunate to see this hasn't been fixed in 10.10. I ended up writing a script that runs with the login trigger that checks to see if the user is a member of one of my denied groups and kills the loginwindow process if so. It's rather brute force, but it works. I can get it to you if you want.

View solution in original post

11 REPLIES 11

etippett
Contributor II

I tried doing this with Casper 9.63 and OSX 10.9. I experienced the same issue and was told by JAMF it was a bug on Apple's part. It's unfortunate to see this hasn't been fixed in 10.10. I ended up writing a script that runs with the login trigger that checks to see if the user is a member of one of my denied groups and kills the loginwindow process if so. It's rather brute force, but it works. I can get it to you if you want.

bofh
New Contributor III

Okay - I'll write a Script then which will do that using the last two commands:
https://jamfnation.jamfsoftware.com/discussion.html?id=4591#responseChild22732

Good to know, that I'm not doing it wrong ;)

etippett
Contributor II

Hmmm....That post looks familiar. I feel like I tried that too. Can't recall if it didn't work, or if I just decided to go another route. For what it's worth, here's my method:

  • Ongoing policy that runs at login
  • Set target to computers on which you wish to restrict login
  • Run the following script
#!/bin/bash

#Script to prevent login of users in specific AD groups
#As of OS X 10.9 MCX- and profile-based methods for this do not seem to be working
#Code borrowed from https://jamfnation.jamfsoftware.com/discussion.html?id=4591

user=$3     #Use existing Casper variable for user
groups=( DOMAIN\AD_GROUP_1 DOMAIN\AD_GROUP_2 )

for group in ${groups[@]}
do
    if [ "$(dsmemberutil checkmembership -U $user -G $group)" = "user is a member of the group" ]
    then 
        echo "$user is a member of $group.  Killing login session..."
        /Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper -windowType fs -title "Login Not Allowed" -icon /System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertCautionIcon.icns -description "Use of individual student accounts is not allowed.  This computer will return to the login window in 10 seconds." &
        sleep 10
        killall jamfHelper
        kill `ps -ef | fgrep loginwindow | grep -v grep | awk '{print $2}'`
    fi
done

Note that you could also remove the logic for specific AD groups from the script and instead use the Limitations portion of the policy scope to instead determine what groups are denied. This is probably the cleaner way to do it, but I didn't think of this until after the fact.

Good luck!
Eric

etippett
Contributor II

Haven't updated to Casper 9.7 yet, but noticed this in the bug fixes and enhancements. ‚
D-008199 Fixed an issue that prevented a user group from being added to a Login Window OS X configuration profile.

However, this is still listed under Known Issues:
‚‚
[D-005532] OS X configuration profiles with a Login Window payload that is configured to deny users and groups the ability to log in fail to do so.

Anyone upgraded to 9.7 yet and tried to see if there's any change in the configuration profile behavior?

dstranathan
Valued Contributor II

I'm considering using Configuration Profiles to restrict access to specific AD groups.

Does anyone know if the bug(s) listed above have been resolved?

LRZ_Jamf
Contributor

As they are still listed within the latest Release Notes I guess they arent fixed yet. :-(

dstranathan
Valued Contributor II

That would make these bugs almost 2 years old. Wow.

LRZ_Jamf
Contributor

Actually it's longer then that, as it even didnt work with 10.9 ;-)

rstasel
Valued Contributor

Is this still a bug? Because yeah, it doesn't seem to be working with 10.11.6 and Casper 9.96.

apizz
Valued Contributor

I couldn't get this to work the way I needed it to via Config Profile as well. So, I took @etippett 's script and expanded on it a bit.

In our school environment, unfortunately not all our students logout of the computers they use. Rather than force subsequent students to power down the machine, we enable Fast User Switching to allow other students to continue to use the same machine. The addition of a for-do loop in the script allows us to identify which loginwindow process corresponds to the logging-in user and kill only that process.

Additionally, even though the loginwindow process gets killed, in my testing the user account still gets created, or at least partially. To get around this, I added a dscl command to remove the logging-in user's account from the local database and an rm to remove their home folder from the machine. I like logging, so I added a function and a log file to record when this runs on local machines.

Haven't deployed this yet, but in my tests with this applied to a policy, triggered at login, scoped to a test machine, this worked exactly as expected and only kills the logging-in user's loginwindow process when multiple users are logged in on the same machine.

#!/bin/bash

#Script to prevent login of users in specific AD groups
#As of OS X 10.9 MCX- and profile-based methods for this do not seem to be working
#Code borrowed from https://jamfnation.jamfsoftware.com/discussion.html?id=4591

USER=`/bin/ls -l /dev/console | /usr/bin/awk '{print $3}'`
LOG="/path/to/RestrictedLogins.log"
JAMFHELPER="/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper"
windowtype="fs"
heading="Restricted Login"
icon="/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns"
description="Student logins on this computer are restricted. Please use a different computer.

This computer will return to the login window in 10 seconds."

# function to write to log file
writelog () {
    /bin/echo "${1}"
    /bin/echo $(date) "${1}" >> $LOG
}

writelog "${USER} is a student. Killing login session ..."

# for-do statement to get all loginwindow processes and determine which one is for the logging-in user, so it can be killed
for LOGWINPID in $(/usr/bin/pgrep loginwindow) ; do
    P_OWNER=`/bin/ps -eo user,pid | /usr/bin/grep ${LOGWINPID} | /usr/bin/awk '{print $1}'`

    # When the process owner with the given loginwindow process ID matches 
    # the logged in user, presents jamfHelper message and kills that loginwindow process    
    if [ "$P_OWNER" = "$USER" ]; then

        "$JAMFHELPER" -windowType "$windowtype" -heading "$heading" -icon "$icon" -description "$description" & sleep 10

        killall jamfHelper

        kill -3 ${LOGWINPID}

        if [ $? = 0 ]; then
            writelog "${USER}'s login session successfully killed!"

            if [ -d "/Users/${USER}" ]; then
                writelog "${USER} home folder detected. Removing ..."

                /usr/bin/dscl localhost -delete /Local/Default/Users/${USER}

                /bin/rm -rf /Users/${USER}

                if [ ! -d "/Users/${USER}" ]; then
                    writelog "${USER}'s home folder successfully removed!"
                else
                    writelog "${USER}'s home folder removal failed."
                fi
            fi

        else
            writelog "${USER}'s login session was not killed."
        fi
    fi
done

exit

cbd4s
Contributor II

It's now 10.20.1. Just bump up this thread. Jamf, how is this making your product acceptable as the enterprise-ready solution with such critical and simple function still broken for 5 years and counting....