OSX MDM plist?

conor
New Contributor III

Does anyone know where I would find a way to locate which user is the currently enabled MDM user on a system level?

I want to write a script that on login checks to see if the current user is the MDM enabled one, but I'm not sure where to point my "if" statement at.

Thanks in advance

4 REPLIES

flyboy
Contributor

@conor, if you're referring to the Jamf management account, you'll have to do it through an API query. I use the following curl statement to get the management account name. You can then compare it to the logged-in user.

You'll need to set variables to hold a username and password for the API account plus grabbing the target machine's MAC address, etc.

curl -H "Accept: text/xml" -s -u "${apiUser}:${apiPass}" "${jssURL}/JSSResource/computers/macaddress/${MacAddress}" | xpath 2> /dev/null '/computer/general/remote_management/management_username[1]' | sed 's|<management_username>||;s|</management_username>||'

conor
New Contributor III

@Berrier Hey, I don't think it's the management account.

Basically I have to switch the active MDM user for how our setup works. At the moment I have a login script that removes the current active MDM profile and assigns it to the user logging in. However, I don't want this to occur on every login, only when a different user logs in.

So basically I need a way for a script to go: Is this user the current MDM enabled user, then do not fire script

flyboy
Contributor

@conor, Hmm... I'm curious as to what about your process needs the MDM enabled user, but that's neither here nor there. Are you referring to the "MDM Capable Users" field on the General Tab? If so, that data can also be pulled from the API; I don't believe it's stored on the local machine.

To get the MDM Capable Users, you can do this API Query:

curl -H "Accept: text/xml" -s -u "${apiUser}:${apiPass}" "${jssURL}/JSSResource/computers/macaddress/${MacAdd}" | xpath 2>&1 /computer/general/mdm_capable_users/mdm_capable_user | sed -e 's|<mdm_capable_user>||;s|</mdm_capable_user>||' -e 's/-- NODE --//g' -e '/^$/d'
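
The check conor asks for, built on the MDM Capable Users query above, as an added example that is not part of the original posts: it matches the logging-in user exactly against the list and changes nothing when the API returns no usable record. The function names and the sample record are constructed; the variable names follow the posts, and the credentials are passed to curl on stdin rather than with -u.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical;
# apiUser, apiPass, jssURL and MacAddress are the variables from the posts.

# Fetch the computer record. Credentials reach curl as a config line on stdin
# (-K -), so they stay out of the process list, unlike -u on the command line.
# Assumes the password contains no double quote or backslash.
fetch_record() {
    printf 'user = "%s:%s"\n' "$apiUser" "$apiPass" |
        curl -s -K - -H "Accept: text/xml" \
            "${jssURL}/JSSResource/computers/macaddress/${MacAddress}"
}

# Print one MDM capable user per line from a computer record on stdin.
mdm_capable_users() {
    tr -d '\n' |
        grep -o '<mdm_capable_user>[^<]*</mdm_capable_user>' |
        sed -e 's|<mdm_capable_user>||' -e 's|</mdm_capable_user>||'
}

# Decide what the login script should do for user $1 (record on stdin).
login_action() {
    record=$(cat)
    case "$record" in
        *'<computer>'*) ;;
        *) echo "skip-no-data"; return 0 ;;   # failed call or error page: change nothing
    esac
    # -F -x compares whole lines literally, so "admin" does not match "localadmin".
    if printf '%s' "$record" | mdm_capable_users | grep -Fxq -- "$1"; then
        echo "skip-already-enabled"
    else
        echo "reassign"
    fi
}

# Constructed sample record, trimmed to the fields used here.
SAMPLE_XML='<computer><general><mdm_capable_users>
<mdm_capable_user>localadmin</mdm_capable_user>
<mdm_capable_user>jsmith</mdm_capable_user>
</mdm_capable_users></general></computer>'

# On a Mac: fetch_record | login_action "$(stat -f%Su /dev/console)"
printf '%s' "$SAMPLE_XML" | login_action "jsmith"
printf '%s' "$SAMPLE_XML" | login_action "admin"
```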

conor
New Contributor III

@Berrier So basically we need 2 accounts on our system:

An admin account and a standard user for the person who is going to be using the machine. We are manually provisioning these users as we do not have a DS.

During the first setup the Admin account needs to be MDM enabled for the first install of pkgs and mobile configs. Then we switch over to the standard user, which then needs the MDM capability for our users to install App Store apps without the need for using their own Apple ID.

OK cool, that looks like the field I'm trying to pull down. I'll run that query and see what it pulls back.

Thanks