problem with jss not seeing Mobile account

appleguru
New Contributor

During Covid we had a lot of Macs built offline, then before they were sent to the users we logged onto our VPN and bound them to AD, then ran:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n username

to give them mobile accounts. This worked fine; however, we are now moving everyone over to Jamf Connect and have noticed that these accounts, even though they are working on the Mac as mobile accounts, authenticating through AD, and showing in the Users preference pane as mobile accounts, are not seen by the JSS as mobile accounts. We have noticed that the UID is still at the original value (for example 503), so we think this is the issue; however, we are unable to find a way to create an extension attribute to display whether the user is mobile or not. Any ideas?


mm2270
Legendary Contributor III

The most reliable way to tell if an account is an actual cached AD mobile account or a local account only is to use dscl to check for the OriginalAuthenticationAuthority key.

/usr/bin/dscl . read /Users/username OriginalAuthenticationAuthority

Only mobile accounts from a directory service should have that key in their account record. It usually displays something like:

OriginalAuthenticationAuthority: ;Kerberosv5;;username@DOMAIN.COMPANY.COM;DOMAIN.COMPANY.COM; ;NetLogon;username;DOMAIN

A local account will return:

No such key: OriginalAuthenticationAuthority

Using this, you can create an Extension Attribute that checks the logged-in user, or any accounts, and reports their status.

#!/bin/zsh

# Console user from scutil; empty at the login window.
logged_in_user=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ {print $3}')

# Nobody logged in: report that instead of querying /Users/ with an empty name.
if [[ -z "$logged_in_user" ]]; then
	/bin/echo "<result>No console user</result>"
	exit 0
fi

# dscl writes "No such key" to stderr; merge it so the variable holds whatever dscl said.
mobile_account_check=$(/usr/bin/dscl . read "/Users/$logged_in_user" OriginalAuthenticationAuthority 2>&1)

if [[ "$mobile_account_check" =~ "Kerberosv5" ]]; then
	/bin/echo "<result>${logged_in_user}: Mobile</result>"
else
	/bin/echo "<result>${logged_in_user}: Local</result>"
fi

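A reworked version of the same dscl check, added here as an example and not code from the thread or from Jamf: it separates the OriginalAuthenticationAuthority classification into a function that can be exercised with constructed dscl output on any machine, and walks every account with UID 500 or above instead of only the console user, so the Extension Attribute result does not depend on who happens to be logged in when inventory runs. The function names and the sample strings are mine; the dscl and awk invocations are standard macOS commands.

```shell
#!/bin/bash
# Added example, not from the thread: classify each local account as Mobile
# (cached directory account) or Local using the OriginalAuthenticationAuthority
# key, the same test described in the reply, applied to every UID >= 500 account.

# Pure classifier: takes the text dscl printed for one account and echoes
# "Mobile" when a Kerberosv5 OriginalAuthenticationAuthority entry is present,
# "Local" otherwise (including the "No such key" message an ordinary local
# account produces). Kept free of dscl so it can be tested with sample output.
classify_auth_authority() {
    case "$1" in
        *OriginalAuthenticationAuthority:*Kerberosv5*) echo "Mobile" ;;
        *) echo "Local" ;;
    esac
}

# Reads the key for one user. dscl writes "No such key" to stderr, so stderr is
# merged into the captured text and a local account does not look like an error.
read_auth_authority() {
    /usr/bin/dscl . read "/Users/$1" OriginalAuthenticationAuthority 2>&1
}

# Human accounts from the local node: UID 500 and above, skipping the
# underscore-prefixed service accounts.
list_local_accounts() {
    /usr/bin/dscl . list /Users UniqueID | /usr/bin/awk '$2 >= 500 && $1 !~ /^_/ {print $1}'
}

# Wraps the per-account lines in the <result> tags a Jamf EA expects.
format_ea_result() {
    printf '<result>%s</result>\n' "$1"
}

# Builds "user: status" for every account and prints the EA result.
report_all_accounts() {
    report=$(for user in $(list_local_accounts); do
        printf '%s: %s\n' "$user" \
            "$(classify_auth_authority "$(read_auth_authority "$user")")"
    done)
    format_ea_result "$report"
}

# Only query the directory when dscl exists, i.e. when running on macOS.
if [ -x /usr/bin/dscl ]; then
    report_all_accounts
fi
```

On a Mac this prints one "user: Mobile" or "user: Local" line per account inside the result tags; on a system without /usr/bin/dscl it only defines the functions. Because every account is listed, a machine whose only mobile account is not the one currently at the console still reports that account correctly.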
Many thanks for your reply; however, I did try this, and although if I look under Users & Groups in System Preferences the account on our test Mac shows as a Mobile account, when I run this I get "local"? Very odd?