Jamf Nation Community

Thanks for the reply. The Enrolment Customisation uses SSO & we've configured both the SSO and CIP. 

One thing we have found is that it does populate the User and Location information when we use a user-initiated enrolment - Just not the pre-stage method. 

+1 for this (using Azure). I note we don't currently have "Collect user and location information from LDAP" ticked within "Inventory Collection" due to PI008110, though I note that is no longer listed in active PIs.

I also can't get User and Location information to populate during a prestage enrollment. I have the enrollment customization set up to use Azure SSO and Collect User and Location information from LDAP is checked under Inventory Collection for devices.

@agrant Did you ever get this figured out?

This was an issue for me as well, I can't find the original post anymore but someone suggested a script to run upon user login. Here is the script that we are currently using. Hope it helps and sorry I can't find the original one! 

#!/bin/sh

#Get current signed in user
currentUser=$(ls -l /dev/console | awk '/ / { print $3 }')

#com.jamf.connect.state.plist location
jamfConnectStateLocation=/Users/$currentUser/Library/Preferences/com.jamf.connect.state.plist
DisplayName=$(/usr/libexec/PlistBuddy -c "Print :DisplayName" $jamfConnectStateLocation || echo "Does not exist")

if [ $currentUser != "root" ];

then

/usr/local/bin/jamf recon -endUsername $DisplayName

fi

exit 0

Did anyone get this working yet? Still having trouble.

This issue just cropped up for us (using Okta). Prior to about a week ago, mappings were coming just fine with Inventory.

Running into this same issue. User-initiated enrollments populate User and Location information, but pre-stage enrollments do not, using Azure SSO. 

Hello. Just wanted to give an update, since we got it working within our environment! We connected Azure AD. Firstly, here are the mappings within Settings > System > Cloud Identity Providers:

~~~

User Id id

User Name userPrincipalName

Real Name displayName

Email mail

Department department

Building officeLocation

Room city

Phone mobilePhone

Position jobTitle

~~~

You can test these mappings and they should populate from the username you provide. Keep in mind, some mappings need to be manually entered within Jamf, in order for them to populate correctly. For example, Department and Building. Both can be found within Settings > Network > Departments/Buildings - Within each of these sections, you'll need to manually add each Department or Building, according to how it shows up within Azure AD. What I did is had my System Admin export a list of the Department and Building attribute from AAD, and I manually created each entry within Jamf. Also an FYI, we have the checkbox enabled for Collect user and location information from Directory Service, within Settings > Computer Management > Inventory Collection.

~~~

As far as the script. For us, it only works if it uses the user's EMAIL, not username. You can gather this two ways.

1. If they use Jamf Connect, you can run this script.

#!/bin/bash
#Find the Current Logged in User
UserFound="No"
    while [[ $UserFound == "No" ]]
    do
    CURRENT_USER=$(/usr/bin/stat -f "%Su" /dev/console)
    if [[ $CURRENT_USER == "_mbsetupuser" ]] || [[ $CURRENT_USER == "root" ]]; then
    echo "User Found is $CURRENT_USER, sleeping 10 seconds for the correct username to populate"
    sleep 10
    UserFound="No"
    else
    UserFound="Yes"
    echo "User Found is $CURRENT_USER"
    fi
    done
#Find the information from Jamf Connect
 jamfConnectStateLocation=/Users/$CURRENT_USER/Library/Preferences/com.jamf.connect.state.plist
 
 DisplayName=$(/usr/libexec/PlistBuddy -c "Print :DisplayName" $jamfConnectStateLocation || echo "Does not exist")
#Update the information on JAMF
/usr/local/bin/jamf recon -endUsername "$DisplayName"
/usr/local/bin/jamf recon
exit 0

If the user does not use Jamf connect, it will display "Does not exist" in the User and Location field. And you can create a separate policy that takes the last user to login and adds an @company.com suffix to populate the fields correctly. That script is here:

#!/bin/bash

#Find the Current Logged in User
UserFound="No"
while [[ $UserFound == "No" ]]
do
CURRENT_USER=$(/usr/bin/stat -f "%Su" /dev/console)
if [[ $CURRENT_USER == "_mbsetupuser" ]] || [[ $CURRENT_USER == "root" ]]; then
echo "User Found is $CURRENT_USER, sleeping 10 seconds for the correct username to populate"
sleep 10
UserFound="No"
else
UserFound="Yes"
echo "User Found is $CURRENT_USER"
fi
done

#Find the information from Jamf Connect
jamfConnectStateLocation=/Users/$CURRENT_USER/Library/Preferences/com.jamf.connect.state.plist

#New Line
DisplayName=$(/usr/libexec/PlistBuddy -c "Print :DisplayName" $jamfConnectStateLocation || echo $CURRENT_USER"@COMPANY.com")

#Update the information on JAMF
/usr/local/bin/jamf recon -endUsername "$DisplayName"
/usr/local/bin/jamf recon

exit 0

Keep in mind this script only works if users are logging in using their AD username. Otherwise you can use the first Jamf Connect script instead.

It seems like the discussion transformed from iOS devices to computers. Has anyone progressed with the pair of iPad/Okta SSO or iPad/AD SSO?

I, too, am wondering if there has been a solution found. We also have iOS/iPadOS devices that are using PreStage Enrollment w/ Customized Enrollment Page w/ Entra SSO + Inventory set to "grab user and group information" for the Devices. It works for the Computer side without any additional scripting, but simply does not populate on the Mobile Device side. 

Update! Long story short, I had all the configs in place, but my "fix" was to simply make sure you are testing/signing into the iOS devices using an Account that is NOT an administrator inside of Jamf Pro. I was testing using my Named account (separate from Admin) and unbeknownst to me, had an Auditing Role assigned in Jamf Pro. According to the Jamf support rep, Jamf WILL NOT grab the User and Location Data if the signed-in account exists in Jamf Pro.  I have a feeling a lot of us have been doing that. I simply created an account called "ipad.enrollmenttest@domain.com" inside of my Entra tenant > re-enrolled > signed in with this "ipad.enrollmenttest@" when prompted > then the User and Location data was grabbed accordingly :)