03-17-2023 02:31 AM - edited 03-17-2023 03:02 AM
During Covid we had a lot of Macs built offline, then before they were sent to the users we logged onto our VPN and bound them to AD, then ran:
sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username
to give them mobile accounts. This worked fine; however, we are now moving everyone over to Jamf Connect and have noticed that these accounts, even though they are working on the Mac as mobile accounts, authenticating through AD, and showing in the Users pref as mobile accounts, are not seen by the JSS as mobile accounts. We have noticed that the UID is still at the original value (for example 503), so we think this is the issue; however, we are unable to find a way to create an extension attribute to display whether the user is mobile or not. Any ideas?
Posted on 03-17-2023 10:20 AM
The most reliable way to tell if an account is an actual cached AD mobile account or a local account only is to use dscl to check for the OriginalAuthenticationAuthority key.
/usr/bin/dscl . read /Users/username OriginalAuthenticationAuthority
Only mobile accounts from a directory service should have that key in their account record. It usually displays something like:
OriginalAuthenticationAuthority: ;Kerberosv5;;username@DOMAIN.COMPANY.COM;DOMAIN.COMPANY.COM; ;NetLogon;username;DOMAIN
A local account will return:
No such key: OriginalAuthenticationAuthority
Using this, you can create an Extension Attribute that checks the logged-in user, or any account, and reports its status.
#!/bin/zsh
# Current console user; empty when nobody (or only loginwindow) is logged in
logged_in_user=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ {print $3}')
# dscl prints "No such key" on stderr for a local account; silence it so only the key's value is tested
mobile_account_check=$(/usr/bin/dscl . read "/Users/$logged_in_user" OriginalAuthenticationAuthority 2>/dev/null)
if [[ "$mobile_account_check" =~ "Kerberosv5" ]]; then
    /bin/echo "<result>${logged_in_user}: Mobile</result>"
else
    /bin/echo "<result>${logged_in_user}: Local</result>"
fi
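As an added example (not code from either poster), the same OriginalAuthenticationAuthority check extended to every account on the Mac with UID 500 or above, reporting the UID next to the status since that is what the original poster suspects. Helper names and the sample records are this example's own; the dscl invocations are the standard macOS ones.

```shell
#!/bin/sh
# Added example, not from the original thread: apply the OriginalAuthenticationAuthority
# test to every local account (UID >= 500) and report it together with the UID.
# Helper names are this example's own; the dscl invocations are standard macOS.

# Constructed sample records in the shape dscl prints (not captured from a real Mac).
SAMPLE_MOBILE='OriginalAuthenticationAuthority: ;Kerberosv5;;jdoe@DOMAIN.EXAMPLE.COM;DOMAIN.EXAMPLE.COM; ;NetLogon;jdoe;DOMAIN'
SAMPLE_LOCAL='No such key: OriginalAuthenticationAuthority'

# classify_authority RECORD -> "Mobile" when a Kerberosv5 authority is present
# (cached directory account), otherwise "Local" (includes the empty record dscl
# leaves when the key is missing).
classify_authority() {
  case "$1" in
    *Kerberosv5*) printf 'Mobile\n' ;;
    *)            printf 'Local\n' ;;
  esac
}

# kerberos_realm RECORD -> the realm that follows the Kerberosv5 principal,
# e.g. DOMAIN.EXAMPLE.COM from the sample above; empty for a local account.
# Fields are ';'-separated: Kerberosv5 ; <empty> ; user@REALM ; REALM ; ...
kerberos_realm() {
  printf '%s\n' "$1" | awk -F';' '{
    for (i = 1; i <= NF; i++)
      if ($i == "Kerberosv5") { print $(i + 3); exit }
  }'
}

# report_accounts -> one line per account with UID >= 500:
#   name <TAB> UID=<uid> <TAB> Mobile|Local <TAB> realm
# Needs dscl, so it only produces output on macOS; the helpers above run anywhere.
report_accounts() {
  /usr/bin/dscl . -list /Users UniqueID | while read -r name uid; do
    [ "$uid" -ge 500 ] 2>/dev/null || continue
    record=$(/usr/bin/dscl . -read "/Users/$name" OriginalAuthenticationAuthority 2>/dev/null)
    printf '%s\tUID=%s\t%s\t%s\n' "$name" "$uid" \
      "$(classify_authority "$record")" "$(kerberos_realm "$record")"
  done
}

# Only attempt the live report where dscl exists (macOS).
if [ -x /usr/bin/dscl ]; then
  report_accounts
fi
```

Running it on the test Mac shows, per account, whether the key is present and which UID the account carries, which separates "dscl says mobile" from "the UID was never changed".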
Posted on 03-19-2023 09:15 AM
Many thanks for your reply. However, I did try this, and although if I look under Users & Groups in System Prefs the account on our test Mac shows as a Mobile account, when I run this I get "local"? Very odd?