Jamf Nation Community

Report Inappropriate Content · ‎04-20-2011

Hey everyone,

I am having trouble finding information on whether if this is possible. My company has a url that can be click in order to bring up a internal site that the user can do a self unlock of their account. This link is present at the windows login window. I am trying to reproduce this on the OSX side but have not found any information on a solution or work around. Does anyone have any ideas?

Thanks in advance,

Vantha

Report Inappropriate Content · ‎04-20-2011

I don't think Mac OS X has a way to do this. Your best bet would be to crack open Xcode and code it yourself. Actually, I'm not sure if it's possible at all, for many reasons (foremost among them is the extremely unusual state the system is in while at the login screen).

We recently had an account unlock tool set up for our Windows users. When I heard about it, I considered making something similar available on the Macs, and decided that it would likely take a very long time (maybe a year, even) for me to figure out how to do it, if it was even possible. If our Mac users get locked out, they can use the unlock tool on their PCs. Not the most elegant solution, but anything better would seem to require an enormous effort, for little gain.

You might try looking for a solution from a company that is intimately familiar with implementing AD login on Macs (Apple, Thursby, etc.), but I'd recommend against attempting something like this yourself, unless you happen to work for one of them.

...

As I type this email, it occurs to me that there might be a way to do it after all. Set up a user with no password ('accountunlock', maybe? Or how about 'help'? You could use aliases to allow the user to type in various things and still get to the same place.) that is severely restricted (Simple Finder, only one application available, etc.). This user would be configured to launch the unlock tool at login, wait for it to complete or cancel, and then to log out.

Hmm, this gives me an idea for the Macs here. I just need to develop an application to provide AD account services...

Report Inappropriate Content · ‎04-20-2011

Just make sure you lock it down, since *anyone* can log in that way. You can use '/usr/bin/open -b com.apple.safari -W https://your.url/here' as part of the login script. With -W, it won't return until the application exits; then you can force a logout (though I'm not sure how).

tlarkin · ‎04-20-2011

You try looking at iHook or jamfhelper to display a dialog box with a click-able URL at the login window? Though I am not sure if you could get any app to run since you aren't in a user session at the log in window. You could have it as a start up item so first time they log in they get the site, would that work?

-Tom

bentoms · ‎04-20-2011

I've tried to use iHook to display a web page & it doesn't work.

Best bet would be to re-write the login window!

Regards,

Ben.

bentoms · ‎04-20-2011

Some old info here; http://hints.macworld.com/article.php?story010206040016713

Regards,

Ben.

Report Inappropriate Content · ‎04-20-2011

This no longer applies; nib files are compiled and cannot be edited. Besides that, I would have my doubts about whether the login window can run WebKit properly. Not to mention the potential security issues.

nessts · ‎04-21-2011

we have to do something similar, try setting up a guest account, that has parental controls turned on, use simple finder allow safari to be the only application that can be launched by the user, allow that user to only go to that website. Not a bad way to go.

--
Todd Ness
Technology Consultant/Non-Windows Services
Americas Regional Delivery Engineering
HP Enterprise Services

sean · ‎04-26-2011

Vantha,

You could maybe have a 2nd bootable partition that runs in kiosk mode. User would hold down the 'option' key at boot to choose which partition to boot into. Don't know if that is something that you would allow or not, but that would be one option.

Sean

Jamf Nation Community

Safari window at login screen.