Posted on 03-14-2019 05:21 PM
A very long, tedious story short: I am trying to use an Identity Preference to 'link' a URL to a certificate we have issued.
Users have a certificate named (First name Last name), and we have a URL *.vpnaddress.com that requires this certificate.
Chrome and Safari often like to not prompt the user for a certificate, which in turn throws an error from the VPN website.
To avoid this and many other related issues, I'm trying to use the Identity Preference to skip this 'prompting for certificate' step and have the machine recognise the URL and provide the certificate.
I have proven that this method works locally via this command:
#!/bin/bash
# Quote the name: "$(id -F)" contains a space, so unquoted it would be
# split into two arguments and -c would only see the first name.
security set-identity-preference -c "$(id -F)" -s "*.vpnaddress.com"
However, the catch here is that $(id -F) does not always match the user's certificate, as the certificate server uses the user's cn value from the object in AD and the account on the device uses the Display Name.
To combat this I've tried retrieving the certificate and snipping the excess off like this:
#!/bin/bash
# Pull the value out of the "labl" attribute line that find-certificate
# prints. The sed expression allows any indentation before "labl" instead
# of depending on an exact column for cut, and the name is quoted.
# Note: when this runs as root (e.g. from a deployment tool), $(id -F)
# is root's full name, not the console user's.
usersfname=$(sudo security find-certificate -a -c "$(id -F)" -Z login.keychain | sed -n 's/^ *"labl"<blob>="\(.*\)"$/\1/p')
Locally this would return the name of the certificate just fine; however, when deployed via a script it fails and does not return the name.
I feel there must be a better way to do this. I tried querying AD via LDAP, but this was difficult to script universally as our instance requires binding to query, etc.
Any help is appreciated; let me know if you need any more details.
Here is the latest iteration of the script I've tried:
#!/bin/bash
# Created by Rory Powell 14/03/19
# Create an identity preference for VPN

# The script itself runs as root when deployed, so work out who is at the console
currentuser=$(stat -f "%Su" /dev/console)
echo "current user: $currentuser"

# Full name as that user; run as root, id -F would return root's name
fullname=$(sudo -u "$currentuser" id -F)
echo "fullname: $fullname"

# Search the keychain as that user: run as root, login.keychain resolves to
# root's keychain and nothing is found. $fullname must be quoted (it has a space).
cert=$(sudo -u "$currentuser" security find-certificate -a -c "$fullname" -Z login.keychain)
echo "cert: $cert"

# Extract the value of the "labl" attribute line. The original `$cert | grep ...`
# tried to execute the contents of $cert as a command; it has to be printed.
certname=$(printf '%s\n' "$cert" | sed -n 's/^ *"labl"<blob>="\(.*\)"$/\1/p')
echo "certname: $certname"

# Set the preference in the user's keychain, not root's
sudo -u "$currentuser" security set-identity-preference -c "$certname" -s "*.vpnaddress.com"

#various other attempts
#echo security find-certificate -a -c $fullname -Z login.keychain | grep ^' "labl"<blob>="' |cut -c19- | sed 's/.$//'
#usersfname=$(su "$currentuser" -c "id -F")
#usersfname=$(sudo security find-certificate -a -c $(id -F) -Z login.keychain | grep ^' "labl"<blob>="' |cut -c19- | sed 's/.$//')
#fullname=`id -F`
#echo security find-certificate -a -c $(id -F) -Z login.keychain | grep ^' "labl"<blob>="' |cut -c19- | sed 's/.$//'
# |cut -c19- | sed 's/.$//'
#usersfname=$(id -F)
#echo id -F
#echo $usersfname
#echo The users full name is: $usersfname
Posted on 03-14-2019 09:01 PM
Managed to find a one-line solution to this issue, then just placed this in the Files and Processes window.
Although it only works locally.
Here it is for future reference:
sudo -u "$(stat -f "%Su" /dev/console)" security set-identity-preference -c "$(sudo -u "$(stat -f "%Su" /dev/console)" security find-certificate -a -c "$(sudo -u "$(stat -f "%Su" /dev/console)" id -F)" -Z login.keychain | sed -n 's/^ *"labl"<blob>="\(.*\)"$/\1/p')" -s "*.vpnaddress.com"
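Added example, not part of the thread above and not Rory's code: the same procedure as the script in the first post and the one-liner above, written so that it does not depend on where the "labl" line is indented, refuses to act unless exactly one certificate matches, runs both security calls in the console user's context (a script pushed from a management tool runs as root, and root's own keychain search list is then what find-certificate and set-identity-preference hit), and hands set-identity-preference the certificate's SHA-1 hash via its -Z option instead of a name, so the Display Name versus AD cn mismatch drops out. The sample dump, the hashes and the service pattern are constructed; the launchctl asuser plus sudo -u wrapper is assumed to give a usable user session, which is the usual pattern for scripts run from a management tool.

```bash
#!/bin/bash
# Added example (not from the original thread). Parses the text that
# `security find-certificate -a -Z <keychain>` prints, selects exactly one
# certificate, and sets the identity preference by SHA-1 hash.
# SAMPLE_DUMP, the hashes and the service pattern are constructed.
set -u

# Constructed sample of the dump for two certificates (real output carries
# more attributes per certificate; only "SHA-1 hash:" and "labl" are used).
SAMPLE_DUMP='SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Users/rpowell/Library/Keychains/login.keychain-db"
class: 0x80001000
attributes:
    "alis"<blob>="Rory Powell"
    "labl"<blob>="Rory Powell"
SHA-1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF
keychain: "/Users/rpowell/Library/Keychains/login.keychain-db"
class: 0x80001000
attributes:
    "labl"<blob>="Example Corp Issuing CA"'

# stdin: a find-certificate -Z dump. stdout: one "hash<TAB>label" line per
# certificate. The hash line precedes the attribute block it belongs to,
# so the most recent hash is the one for the next "labl" attribute.
cert_table() {
    local line hash label prefix quote
    prefix='"labl"<blob>="'
    quote='"'
    hash=""
    while IFS= read -r line; do
        case "$line" in
            "SHA-1 hash: "*)
                hash=${line#"SHA-1 hash: "} ;;
            *"$prefix"*)
                label=${line#*"$prefix"}   # strip indent and attribute name
                label=${label%"$quote"}    # strip the closing quote
                printf '%s\t%s\n' "$hash" "$label" ;;
        esac
    done
}

# stdin: a find-certificate -Z dump; $1: shell glob the label must match
# (default: any). Prints the single matching hash, or fails with status 1
# for no match and 2 for several, since either would otherwise end up
# setting the wrong identity silently.
select_hash() {
    local pattern tab table hash label found count
    pattern=${1:-*}
    tab=$(printf '\t')
    table=$(cert_table)
    found=""
    count=0
    while IFS="$tab" read -r hash label; do
        [ -n "$hash" ] || continue   # skip the blank line an empty dump leaves
        case "$label" in
            $pattern) found=$hash; count=$((count + 1)) ;;
        esac
    done <<EOF
$table
EOF
    case "$count" in
        1) printf '%s\n' "$found" ;;
        0) echo "no certificate label matches '$pattern'" >&2; return 1 ;;
        *) echo "$count certificate labels match '$pattern'; refusing to guess" >&2; return 2 ;;
    esac
}

# On a Mac, run as root by a management tool: execute both security calls
# as the console user (assumed: launchctl asuser + sudo -u gives a usable
# session), pick the one certificate whose label matches $1 and register
# it by hash for service $2.
set_vpn_identity() {
    local pattern service user uid hash
    pattern=$1
    service=$2
    user=$(stat -f '%Su' /dev/console)
    uid=$(id -u "$user")
    hash=$(launchctl asuser "$uid" sudo -u "$user" \
               security find-certificate -a -Z login.keychain \
           | select_hash "$pattern") || return $?
    launchctl asuser "$uid" sudo -u "$user" \
        security set-identity-preference -Z "$hash" -s "$service"
}

# Demo on the constructed dump. On a Mac, `--apply '*Powell*'` would set
# the real preference for the (constructed) service pattern.
printf '%s\n' "$SAMPLE_DUMP" | select_hash 'Rory*'
if [ "${1:-}" = "--apply" ]; then
    set_vpn_identity "${2:-*}" '*.vpnaddress.com'
fi
```

The glob passed to select_hash is where the AD cn versus Display Name problem is dealt with: a pattern such as '*Powell*' or, on a keychain that holds a single user certificate, just '*' matches without the script ever having to know the exact cn, and the ambiguity check means a second matching certificate (an expired one, a CA) stops the run instead of being registered for the VPN.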