New Azure IDP and populating User and Location info

leeskade
New Contributor III

Hi all, it's really great to finally have the ability to have Azure as a Cloud Identity Provider in Jamf Pro.

Now i have all my Mac and Azure User information in one place, i'm wondering how this be brought together?

Specifically we're wanting to populate the 'User and Location' information for each Mac with the relevant information from Azure. Unfortunetly this doesn't seem to happen automatically.

Has anyone found a way to do this yet?

fdaecb00c9be4f3a809604829039f484

7 REPLIES 7

m_entholzner
Contributor III
Contributor III

I'm facing the same issue at the moment. Usually the "Username" field is filled during enrolment or when running a

jamf recon -endUsername BLAH

With the setting to "Collect user and location information from LDAP" in computer inventory collection settings, it should work. In fact, it doesn't. I've just raised a support case with this and let you know the outcome. For me, it's a PI, because manually the fields are filled...

jttavares
New Contributor II

@m_entholzner   Have you received any kind of update for this?  I am in the same situation as I desperately need the User and location fields to get populated.  Map testing works fine, they just don't populate on checkin.  Any help would be appreciated.

m_entholzner
Contributor III
Contributor III

@jttavares, for our case it turned out that there was an LDAP EA that didn't return a value, which caused the whole lookup to fail. We resolved it by removing the LDAP EA that caused the issue. Once removed, the fields were populated correctly during Enrollment or with a 

jamf recon -endUsername BLAH

You also need to make sure that "collect user and location information from LDAP" is checked from the inventory collection settings.  

jttavares
New Contributor II

@m_entholzner   Pardon the ignorance, but when-how are you running that script during enrollment?  I am not using DEP, just enrolling via URL.  So do I need to run that script for every Mac as they check in somehow?  Have that script running as a ongoing policy?  Sorry for all the questions, but unfortunately we do not have a dedicated Jamf engineer.  I would prefer to do this full time, but have other responsibilities that pull me away.  Appreciate your responses, thank you.

m_entholzner
Contributor III
Contributor III

Well, in general the command doesn't need to run at all. This is only needed when more complex scripting is involved and you need to re-assign user for a mass of devices. Depending on the amount of devices in your fleet this will also cause high load on the Jamf server when running the user assignment ongoing at every check-in. 

When using UIE (URL Enrollment), you only need to make sure that the inventory collection preferences are properly set. You find them in Settings > Computer Management (or Device Management) > Inventory Collection > "Collect user and location information from LDAP". 

Tick the box and wait for the magic to happen during Enrollment 😉 

 

@m_entholzner  OK, last question. We have around 1000 devices.  The Macs are constantly reassigned to different users as staff come and go, so once enrolled, we just setup another local account matching the SAM ID in Azure and go.  Tracking the hardware by user and location is essential.  I setup Azure CIP, mapping for user-location works fine.  From what I understand now, those fields only update during enrollment.   I was under the assumption, which is my goal, that the User and Location fields would update as the Macs check in so the User-Location fields would populate with the new owner of the Mac, but guess I am incorrect on that one.  I did check that box to "collect user and location information from LDAP.  

My systems team do not want to setup-maintain an LDAP server, so we just went with Azure Integration.   Guess I need to do more digging.  FYI,  my Jamf instant is in the cloud.  Thank you for the input.

A-bomb
New Contributor II

Hello,

We needed Azure user tracking too and use the below script. It does username, full name, and e-mail address but not the other fields. 

#!/bin/sh

#Get current signed in user
currentUser=$(ls -l /dev/console | awk '/ / { print $3 }')

#com.jamf.connect.state.plist location
jamfConnectStateLocation=/Users/$currentUser/Library/Preferences/com.jamf.connect.state.plist
DisplayName=$(/usr/libexec/PlistBuddy -c "Print :DisplayName" $jamfConnectStateLocation || echo "Does not exist")

if [ $currentUser != "root" ];

then

/usr/local/bin/jamf recon -endUsername $DisplayName

fi

exit 0