Updating Username on Login

BaddMann
Contributor

Wrote this script so that our Helpdesk staff can use Casper Remote to find users' computers via their username.
As a lot of our computers are open to anyone to use, assigning a computer to a user hasn't helped us out too much. This reuses that Username field, while avoiding changes to Room, Building, Departments, and such.
Might be useful for others. I apologize if this has already been addressed; I was unable to find anything like this.

#!/bin/sh
#   The purpose of the script is to add the user to the Computer's Location, User attribute. 
#   This way the helpdesk can lookup where our users are sitting based on their username.
#   There is no logoff policy as we might find it useful being static until next login.

#   Define the variables

 jssAPIUsername="locked down api user"
 jssAPIPassword="passwordhere"

#   Enter in the hostname in the quotes here, replacing https://jss.organization.com:8443 without the trailing slash
 jssAddress="https://jss.organization.com:8443"

#   Get Computer Main Mac Address, for lookup via Casper. (Might Fail on Airs)
 hwAddress=`/sbin/ifconfig en0 | awk '/ether/ { gsub(":", "."); print $2 }'`

#   Get the username used for login.
 loggedInUser="$3"


# Do not edit below this line
# -----------------------------------------------------


############################################################
#Start Of Posting Username
#This Grabs the username at login and uses the API to update 
#the Username on the computer within casper.
############################################################


##  Now that we have the name, we'll basically grab it, put it in a custom xml that will get put into the device's location info
#   mktemp creates a private, unpredictably named file instead of a fixed name in /tmp
    xmlFile=`/usr/bin/mktemp /tmp/deviceFinal.XXXXXX`
    echo "<?xml version=\"1.0\" encoding=\"utf-8\" standalone=\"no\"?>
 <computer>
    <location>
        <username>$loggedInUser</username>
    </location>
 </computer>" > "$xmlFile"

#   Then, take that XML file and put it in the JSS for the device
#   (-k makes curl skip TLS certificate verification; -I keeps only the response headers)
LogUser() {
    res=`curl -k -s -I -u "$jssAPIUsername:$jssAPIPassword" "$jssAddress/JSSResource/computers/macaddress/$hwAddress" -X PUT -T "$xmlFile" | grep HTTP/1.1 | awk '{print $2}'`
    echo "All HTTP Status:
$res"
    #   Keep only the last status code (an interim "100 Continue" may come first)
    res=`echo $res | awk '{print $NF}'`
    #echo $res
    #   String comparison, so an empty result (no response) is also reported as an error
    if [ "$res" != "201" ]
    then
        echo "Error $res"
    fi
}


#   Call function to Log user into Casper.
    LogUser

#   Test or display Results
 echo "------------------"
 echo "Username: $loggedInUser"
 echo "Mac Address: $hwAddress"
 echo "XML File: "
 cat "$xmlFile"
 echo "------------------"

#   clean up
rm "$xmlFile"

Just create a Policy that runs this at login and your user is updated for each login.

20 REPLIES

bentoms
Release Candidate Programs Tester

Something like this would work too:

sudo jamf recon -endUsername $3

BaddMann
Contributor

That does a whole Recon!
Unfortunately that bit me already as I had Adobe SpeedGrade messing up Jamf on a few computers (Fixed now, but lesson learnt).

mm2270
Legendary Contributor III

I might be overlooking something, but it seems you should be able to do this without needing the API, though props on creating and importing a custom xml file in your script. I may just find some use for that syntax.

The jamf binary can already update just the username field for a Computer's location settings and leave everything else in place by calling a custom flag with recon.

#!/bin/sh

loggedInUser="$3"

/usr/sbin/jamf recon -endUsername "$loggedInUser"

As long as you disable the "Populate the computer location information of a username from an LDAP lookup" setting in your inventory collection, you should be able to update the Username field from this login policy/script and not touch anything else in the Location data you may have there.

That said, there may be a very valid reason you went this route instead that I'm just not aware of.

Edit: I see I was too slow in posting as Ben beat me to it.

BaddMann
Contributor

Again, that performs a full recon. When the recon is stuck in a loop thanks to Adobe or some other software, the user is left twiddling their thumbs.

Not acceptable, especially in my environment where IT has a bad rap.

luke_j_nelson
New Contributor II

You don't do any inventory collection?

Josh_S
Contributor III

It sounds like BaddMann is running this policy, and therefore updating the username, on every single login to a machine.

I imagine that inventory collection is being done, just not as part of a login script. That way the user isn't sitting there waiting for the inventory collection to finish every time they log in.

BaddMann
Contributor

@Josh_S is Correct.
I do weekly Inventory, Enrollment Inventory, and "Updates just ran" Inventory. To have inventory performed when every user logs in is excessive, and only leads to unhappy faculty thanks to Jamf being tied to the users' logins. :P

BaddMann
Contributor

Looks like I have an error in my script.
I need to scrub the "loggedInUser" variable of any invalid XML characters.

Any users using this syntax will fail: DOMAINUser

Basically it's a Sanitary problem.

Anyone know of anything else I should be checking for? That way I can just write an AWK script that takes care of all invalid characters.
Thanks in Advance.

mm2270
Legendary Contributor III

It's true that full recons can be excessive, especially when you start building up a lot of Extension Attributes and have items like font and/or plug-in collection on, which is why Feature Requests like this need to be voted up by any and all people who agree:
https://jamfnation.jamfsoftware.com/featureRequest.html?id=78

If we had the ability to focus a recon task to only certain sub sections, like jamf recon -extatt, or jamf recon -location or such, issues like this could be and would be easily avoided.

It worries me that FRs like Ben's above have yet to be tagged as "Planned" by JAMF. I sincerely hope someone there is paying attention. We really need more selective inventory gathering.

bentoms
Release Candidate Programs Tester

@Mike.. Thanks for the support!

Funny thing is, @ v5 or v6 it worked the same way as the FR.

@Baddmann, I've run a recon @ login for years & my users update the computer record with their AD info @ login.

No impact to end users even with SpeedGrade... Were you running other policies?

luke_j_nelson
New Contributor II

BadMann, you could look for the owner of /dev/console to see who the current user is, like this:

loggedInUser=`/bin/ls -l /dev/console | /usr/bin/awk '{ print $3 }'`

Pretty sure that will just get you the username regardless of how they logged on.

BaddMann
Contributor

@mm2270
I've already up voted that feature request. Would love it to be implemented.

@bentoms
I don't run any heavy scripts in tandem with user login; I've found the behavior of scripts and results are wildly susceptible to timing. If the recon is performed before a network resource is mapped for a user, then it would finally map a drive for a user at large variations in time.

If I've learnt anything, I've learnt our users love Consistency, if they all take ten minutes to login to that network resource they will simply complain. If user A logs in at 10 minutes and user B logs in in 20 seconds, User A goes Ballistic.

When Jamf runs its full recon on our various Macs, we get wildly different login times based on how many apps are installed and how many items are starting up. Our users don't care to know these technical details, they just think we have it in for them.

Our AD is overly complicated thanks to our head office forcing us into an AD trust relationship with their AD and the only way to connect correctly being the "woefully under-documented" Powerbroker Client.

So I have a few more factors coming into play than an ideal network would have.

@Luke
Are you talking about my XML Error?
Yes, that code works just fine, but it would probably still include the same syntax from the domain users. The problem isn't the collection of the user, it's the various characters that Casper's API might not accept within the XML I send it.
I want Domain name listed in the username if the user is providing it at login, that way we can see the syntax they are using for login when troubleshooting.
Thanks though.

Sorry if I sound like a Debbie Downer.
Oliver
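
The scrubbing BaddMann asks about in the two posts above (making the login name safe to place inside the XML sent to the API), as an added example that is not part of the original thread. The function names `xml_escape` and `build_location_xml` and the sample usernames are constructed for illustration; the payload layout is the one from the script in the first post.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Escape a string so it is safe as XML character data or an attribute value.
xml_escape() {
    # printf '%s' writes the value verbatim; echo in some sh
    # implementations interprets backslash sequences such as \n or \t.
    # tr drops the control characters XML 1.0 forbids (tab, LF, CR are kept).
    # '&' is escaped first so the entities added afterwards are not re-escaped.
    printf '%s' "$1" \
        | LC_ALL=C tr -d '\001-\010\013\014\016-\037' \
        | sed -e 's/&/\&amp;/g' \
              -e 's/</\&lt;/g' \
              -e 's/>/\&gt;/g' \
              -e 's/"/\&quot;/g' \
              -e "s/'/\&apos;/g"
}

# Build the location payload with the escaped username.
build_location_xml() {
    escaped=$(xml_escape "$1")
    cat <<EOF
<?xml version="1.0" encoding="utf-8" standalone="no"?>
<computer>
    <location>
        <username>${escaped}</username>
    </location>
</computer>
EOF
}

# Constructed sample login name containing XML-special characters.
build_location_xml 'R&D <lab> "o'"'"'brien"'
```

A backslash is not special in XML and passes through `xml_escape` unchanged, so a domain-qualified login name keeps its domain part in the record.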

luke_j_nelson
New Contributor II

Ah, you DO want the domain, I thought you were attempting to filter that out.

I agree on wanting to avoid long login delays. Nothing frustrates customers more than unnecessary waiting.

spalmer
Contributor III

@badmann
I don't run inventory at login myself, but it seems like enabling "Perform login actions in background" under Settings> Computer Management Framework Settings>Login/LogoutHooks would alleviate the situation where User A and User B have wildly different login times. I don't use this option because I don't yet have many policies that run at login but thought this might be worth mentioning as that may be why bentoms doesn't have any slow login issues when running inventory at login.

Having said that, I also voted up the "Bring back the Verbs" feature request because I think it is wasteful to inventory everything when sometimes you only need to inventory applications or extension attributes.

bentoms
Release Candidate Programs Tester

I always have what Shane mentions ticked... So maybe why it's been a non-issue for me.

BaddMann
Contributor

Thank you @spalmer

I wanted to mention it but forgot the area where that's set.
I've used that setting, and unfortunately something happened with my scripts of the time. My scripts have evolved since then, but it left a sour taste in my mouth that I forgot about, yet still don't want to taste again. :P

I've only just managed to create my first VMware Mac VM in-between other tasks. Hoping to use it for some more dangerous testing in an enclosed environment and re-enable that setting for testing.

Thanks for the Back and Forth
Oliver

acdesigntech
Contributor II

yeah I REALLY hate that there are no longer any verbs in the recon command. In v6.01 it was ideal to run the recon to submit endusername every day. As of v7 and what seems like the foreseeable future, we can't just update the endusername.

I've taken to doing this part of my login scripts only once a week. Seems sufficient since I first filter the results of a last command to get rid of the OS X cruft (shutdown/restart) and any known local admin user, plus things Casper creates like adobeinstall, and our test network account 'spanky.' Tally all the rest up and pick the one that occurs most. Of course that tends to burn us when a person leaves and their Mac is just handed to someone new without our reimaging procedure being followed. So far that's only happened twice in the 4 years I've been the Casper administrator.

Once that's done I submit it with a recon. Overly complicated to do it any other way since I'm reliant on a revolving door of a level 2 Break/fix team to maintain such things. Doesn't seem to affect usage of the Macs, but then again we only have about a half dozen EAs to run at recon time, and we're not collecting AD info, plugins, unix apps, services, or fonts.

johnklimeck
Contributor II

BaddMan,

Got this working, and with Luke's suggestion, it works no matter who is logged in.

Was timing out, and then I realised I was not using the primary DNS name of the server, but an alias / associated name.

Also, any suggestion on what has to be enabled in the JSS for this to work, in terms of account privileges?

thx

j

BaddMann
Contributor

I'm sorry John, I didn't see any notification about your message...
I've never really explored the absolute minimum rights needed to perform the API write...

Um yeah, bad admin...

Anyway my api user's read and update permissions are set on just about all objects.
I assume I'm never going to create or delete any objects with the user, so I generally have that unchecked, with a few exceptions.

What I do find curious is that if I don't have "create policies" checked I'm generally S.O.L., when limiting my regular users or my API accounts.
Maybe a bug? Maybe not?

Hope this very late reply isn't absolutely useless.