Posted on 10-11-2022 06:39 AM
We use Google login to enroll our users in JAMF. We were told by JAMF engineers during our setup that we could use Google SSO for the login OR leverage Google LDAP. If we set up LDAP, then we'd have an extra step of pre-populating users and groups in the JAMF settings in order to use SSO. We don't want to have to pre-populate or manage users in the settings, so LDAP is not currently enabled. When our users log in through SSO for the first time, their Username (which is their email address) is automatically captured in "User and Location", which is great. However, we have another system that will sync asset information, but it is hard-coded to use the Email Address field. Is there any way to easily script setting the Email Address field to what is already populated in the Username field?
10-11-2022 06:35 PM - edited 10-11-2022 06:41 PM
Wendy,
You can use the jamf binary to set the email address in the computer record. I'm assuming that the user's short name is the left-hand half of their email address:
#!/bin/zsh
# get the current user
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && !/loginwindow/ { print $3 }' )
email="${loggedInUser}@example.com"
# update the email address in Jamf's computer record
/usr/local/bin/jamf recon -email $email
That should do it. Put that script (with 'example.com' replaced by your details) in a policy scoped to a smart group (computers that have an empty email address) and run it at checkin.
Posted on 10-13-2022 02:32 PM
Unfortunately, the username is not the left-hand side of the email address. The username is typically firstnamelastname, but their email is firstname.lastname. It does get stored in the Username field. I just need the exact information in the Username field to be stored in the Email field. I just don't know how I can capture that information as a variable to set it in the other field.
Posted on 10-14-2022 08:01 AM
What happens if you skip the email conversion and run this as the final line?
/usr/local/bin/jamf recon -email $loggedInUser
If that doesn't work, you should be able to reference the variables on this page to see if one holds the data you need: https://docs.jamf.com/technical-articles/LDAP_Attribute_Mappings_Reference.html
Posted on 10-14-2022 09:49 AM
Since you know the right-hand side of the email address (company.com) and the user name is the left-hand half, it's just easier that way. No calls to Azure, no API calls to Jamf. Just set it. My solution is only a single line longer than yours.
Posted on 10-14-2022 10:21 AM
The logged in user is only the email address briefly. When they boot the computer and log into Google via SSO, JAMF install is initiated and their Google login (same as their email) is saved in the Username field in "User and Location" information. Their resulting local user account will typically be firstnamelastname or firstname.lastnamedomain.com (missing the @). What I need to store in the "User and Location" information is firstname.lastname@domain.com (period between first and last name).
Posted on 10-14-2022 10:35 AM
I wish I could use the LDAP information to populate it. The way we have JAMF configured for zero-touch allows any existing Google GSuite user to log into a new computer for auto-enrollment, as long as they are in the proper OU. If we switch to the LDAP method for enrollment (which would be a requirement in order to reference other LDAP data), we'd have to pre-populate every new user in JAMF before they could enroll.
Posted on 10-14-2022 10:31 AM
Here are pictures to make it more clear. The username is NOT the left hand side of the email unfortunately, that would make things much easier. It is missing the period. The second example shows what we actually need. Firstname.lastname@domain.com.
Posted on 10-21-2022 12:43 AM
That's not good.
I just checked a customer I recently set up to use Google SSO with Jamf Connect and the username they are getting at account creation by Jamf Connect is in fact their email address since that is their Google log in name.
I wonder what I'm doing different to you?
It could also be that my client is on Business Plus I think. I know we had to upgrade them to get LDAP support for Jamf Connect. I'm assuming you are using Jamf Connect to create the user.
I don't want to post even a redacted config profile to here but if you drop me a note at honestpuck@gmail.com I can send you a redacted copy of mine.
Posted on 10-21-2022 08:58 AM
The username field does in fact get populated with the proper email address. The challenge I have is that I need to also populate the Email Address field with that same information. We are using a help desk system that can sync hardware inventory from JAMF. In order for it to properly associate the user to the asset, it reads the Email Address field. It is not a configurable integration, so unfortunately I can't set it to use the username field instead.
Posted on 10-21-2022 12:55 AM
OK, I think I see what is happening. The user short name in the OS is not the same as the user name in User and Location. I have the same thing here with accounts I have migrated. Are you migrating existing accounts to be synced with the Google log in password?
Is the example User and Location screen image after you have made an edit to the record or is that straight out of enrolment?
This requires some more thought.
Posted on 11-29-2022 10:25 AM
The username setting is captured during enrollment from their Google email. But there are no options I can find for it to populate the email address as well. We can't sync LDAP unfortunately. If you use Google SSO for the enrollment, it just checks that the user is in a particular Google OU. If we use Google LDAP instead, then we have to pre-populate users, which we don't want to have to do. I figured there was a way to use a script to read that username field and use that data to also populate the email field. But so far, I haven't found anything.
Posted on 01-27-2023 03:34 PM
I finally resolved this. I am able to retrieve the current username from "User and Location" and then set it in the email address field. I used this article to fetch the username into a variable called $username: https://community.jamf.com/t5/jamf-pro/using-data-in-jss-within-scripts/td-p/111574
In that article, I used the example that utilizes the serial number. So in my script, I retrieved the serial number with:
serialNumber=$(ioreg -c IOPlatformExpertDevice -d 2 | awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}')
Then I used the following command to set the email to match the $username:
sudo jamf recon -email "$username"
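
The steps described in the answer above, written out end to end as an added example (not the poster's actual script): look up this Mac's record by serial number, read the Username from "User and Location", check that it is shaped like an email address, and only then pass it to `jamf recon -email`. The `JAMF_URL` and `JAMF_TOKEN` variables, the function names, and the Classic API lookup path are assumptions; the token is assumed to belong to an API account limited to reading computer records and to be supplied by the policy rather than stored in the script.

```shell
#!/bin/sh
# Added example, not the poster's script. JAMF_URL and JAMF_TOKEN are assumed
# to be supplied by the policy (e.g. script parameters), never hard-coded.

# Constructed sample response for offline testing (not real data).
SAMPLE_XML='<computer><location><username>firstname.lastname@example.com</username><email_address/></location></computer>'

# Serial number of this Mac (command taken from the post above).
get_serial() {
    ioreg -c IOPlatformExpertDevice -d 2 |
        awk -F\" '/IOPlatformSerialNumber/{print $(NF-1)}'
}

# Fetch the "User and Location" subset of the computer record as XML.
# Assumes the Jamf Pro Classic API lookup-by-serial path and a bearer token
# for an API account with read-only access to computer records.
fetch_location_xml() {
    curl -sf -H "Accept: text/xml" -H "Authorization: Bearer ${JAMF_TOKEN}" \
        "${JAMF_URL}/JSSResource/computers/serialnumber/$1/subset/location"
}

# Pull the text of <username> out of the XML on stdin.
extract_username() {
    sed -n 's:.*<username>\([^<]*\)</username>.*:\1:p' | head -n 1
}

# Accept only values shaped like an email address, starting with an
# alphanumeric so the value can never be read as a command-line option.
is_email() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$'
}

main() {
    serial=$(get_serial) || return 1
    username=$(fetch_location_xml "$serial" | extract_username)
    if ! is_email "$username"; then
        echo "Username '$username' is not an email address; leaving record unchanged" >&2
        return 1
    fi
    /usr/local/bin/jamf recon -email "$username"
}

# Run only when asked to, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run with `--apply` from a policy to make the change; without it the script only defines its functions, so `printf '%s' "$SAMPLE_XML" | extract_username` can be tried safely.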