Posted on 01-02-2015 10:59 AM
Has anyone done any work to create an Extension attribute to list systems that have a mobile account? Doesn't necessarily need to iterate what those accounts are (although it would be nice), just that there are 1 or more.
Reason I want it is that we use AD accounts, and FV2 can't be enabled for an AD account until they're mobile. So I want to scope my FV2 policy to only systems that have a mobile AD user.
Posted on 01-02-2015 11:27 AM
Hi Jason,
We have an extension attribute that looks to see if Mobile Accounts are turned on:
echo "<result>`dsconfigad -show | grep "Create mobile" | cut -f2 -d "=" | cut -f2 -d " "`</result>"
I am thinking to find if there is a mobile account on the machine you could do something like this:
# Count home folders in /Users whose group is a Domain group (grep -c avoids the padded wc output)
accounts=$(ls -l /Users | grep -c Domain)
if [ "$accounts" -eq 0 ]
then echo "<result>No Mobile Accounts Found</result>"
else echo "<result>Mobile Accounts Found</result>"
fi
This assumes that Domain users is the group on the user folder permissions.
Good luck,
Brad
Posted on 01-02-2015 11:51 AM
Hi @brad,
Create Mobile is showing disabled on my system. I'm not forcing it on for every AD user since a support person may need to log on temporarily and I don't want a mobile account created for them. It does continuously prompt at every logon though. So that wouldn't work for us to show if an account is mobile or not. The latter commands would only show if there is an AD account on the machine, not if it's mobile. I tested this by logging in with 2 AD accounts. One that is mobile, and one that is not. Both get listed with the 2nd set of code.
Posted on 01-02-2015 12:41 PM
Hi @Jason,
In my experience a folder is not created in /Users unless they are a mobile account. We force it on though so I could be mistaken. We could iterate through /Local/Default/Users as well. I think anything listed there would be a mobile account.
If they don't create a mobile account do they have their home folder on the network?
Would the smart group criteria "FileVault 2 Eligibility" give you what you need?
-Brad
Posted on 01-02-2015 04:20 PM
@Jason The authentication authority attribute for the user should tell you if it's a cached/mobile user. This is the EA I use:
#!/bin/sh
userList=`dscl . -list /Users AuthenticationAuthority | grep LocalCachedUser | awk '{print $1}'`
echo "<result>$userList</result>"
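As an added example (not one of the EAs posted in this thread), here is the same dscl check expanded into an EA that counts and lists the cached accounts, anchors the match on the `;LocalCachedUser;` tag so a username that merely contains that text is not miscounted, and reports "None" explicitly when no mobile account exists. The dscl sample, usernames and domain below are constructed so the parsing can be exercised off a Mac.

```shell
#!/bin/sh
# Added example: Jamf-style EA that lists mobile (cached AD) accounts.
# Not the EA from the thread; sample data below is constructed.

# Reads "dscl . -list /Users AuthenticationAuthority" lines on stdin and
# prints one account name per line. Matching the tag with its surrounding
# semicolons avoids counting a user whose name happens to contain the word.
mobile_accounts_from() {
    awk '/;LocalCachedUser;/ { print $1 }'
}

# Turns the stdin dscl listing into a single-line EA value:
# "None" when no mobile accounts exist, otherwise "<count>: name name ...".
ea_result() {
    names=$(mobile_accounts_from | sort)
    if [ -z "$names" ]; then
        echo "None"
    else
        count=$(printf '%s\n' "$names" | wc -l | tr -d ' ')
        echo "$count: $(printf '%s' "$names" | tr '\n' ' ')"
    fi
}

# Constructed dscl output: two local users and two cached AD (mobile) users.
# Non-mobile AD users have no local record, so they never appear in this list.
SAMPLE='_mbsetupuser ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;_mbsetupuser@LKDC:SHA1.1;LKDC:SHA1.1;
admin ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2> ;Kerberosv5;;admin@LKDC:SHA1.1;LKDC:SHA1.1; ;SecureToken;
jdoe ;Kerberosv5;;jdoe@EXAMPLE.COM;EXAMPLE.COM; ;LocalCachedUser;/Active Directory/EXAMPLE/All Domains:jdoe:1234; ;SecureToken;
asmith ;Kerberosv5;;asmith@EXAMPLE.COM;EXAMPLE.COM; ;LocalCachedUser;/Active Directory/EXAMPLE/All Domains:asmith:5678;'

# On a Mac, query the local directory node; elsewhere, run on the sample.
if command -v dscl >/dev/null 2>&1; then
    result=$(dscl . -list /Users AuthenticationAuthority | ea_result)
else
    result=$(printf '%s\n' "$SAMPLE" | ea_result)
fi
echo "<result>$result</result>"
```

A smart group on this EA (value not "None") then gives the set of Macs where an FV2 policy has a mobile account to enable.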
Posted on 01-07-2015 10:21 AM
@chriscollins, that's a fantastic solution. It does exactly what I'm looking for very cleanly. I really need to explore all of dscl more because it seems to be the solution to many of my recent questions.
Thanks