User and Location: SAM ID > Email Address (UPN) > JSS Username

jttavares
New Contributor III

Hi, I am trying to get my User and Location info in JSS to automatically populate from the last user logged into the Mac. I have successfully set up Azure AD as a Cloud Identity Provider on our Jamf Cloud instance. The way we set up our Macs is we use the SAM ID from MS on-prem AD as the Mac Account Name, as we run a Hybrid AD. Trying to keep some type of standardization, the SAM ID matches the Account Name (local account) on the Macs. The way I see it, the only way the User and Location fields populate via Azure in JSS is when enrolling and the user assigned is added in with their email address, which works fine for getting the user info from Azure. However, we have a lot of turnaround in my company, and with users working remotely, we would like to add accounts remotely and have the User and Location info populate automatically. It would work if I could set up the local Mac account name as the email address, but I can't use the "@" symbol in a Mac Account Name. Interestingly enough, I can use the email address as an alias though. For numerous reasons, we can't use DEP in our environment yet. If I could get the "Last User Logged In" info to somehow look up the SAM ID's email account, and then populate that into the "Username" field, my problem would be solved.

I have looked at other posts about this, and it would seem nobody has a full resolution.  Just posting to see for feedback and thank you.  Hope I explained this clearly.


Tribruin
Valued Contributor II

You could do a script that runs via policy to pull the local account name (assuming it is your SAM account), add the domain name, and then do a `sudo jamf recon -endUserName <<UPN>>` to update the user in Jamf.

Since you have Azure set up as a Cloud IdP, Jamf will pull the rest of the information from Azure. Just make sure you have "Collect user and location information from LDAP" enabled under Settings -> Computer -> Inventory Collect. Despite the name, it works with both LDAP and Cloud IdPs.

jttavares
New Contributor III

Yes, that would work, but our local account names on the Macs are not firstname.lastname like the UPN. We are actually switching to that format for all new accounts. If that were the case, I assume your script would work for me. The SAM format in on-premise AD is the first 7 letters of the last name, followed by the first letter of the first name. That's what we follow when we set up the local accounts on our Macs.

pkleiber
Contributor

Hi @Tribruin could you explain your process in more detail?

So we have Azure connected under Cloud IdP and we get all the user information when setting up via DEP and user authentication.

I made the following script to pull the Username and the Full Name to Jamf:

#!/bin/zsh
# Get the short name of the console user; the awk pattern matches the
# "Name : <user>" line and prints nothing while the login window owns the console
loggedInUser=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Do not overwrite the Jamf user with an empty value when nobody is logged in
[[ -n "$loggedInUser" ]] || exit 0
/usr/local/bin/jamf recon -endUsername "$loggedInUser"

# Get the full name of the console user: everything after the " : " separator,
# so names with more than two words are not truncated
realname=$( /usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | /usr/bin/awk -F' : ' '/kCGSessionLongUserNameKey/ && ! /loginwindow/ { print $2 }' )
/usr/local/bin/jamf recon -realname "$realname"

This works, but only Username and Full Name are filled. No other info, despite the setting "Collect user and location information from LDAP" being enabled.
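The approach Tribruin describes (take the console user's short name, append the domain, hand the result to `jamf recon -endUsername`) and the scutil parsing in the script above, written out as an added example; this is not code from the thread or from Jamf. It assumes a placeholder UPN suffix (UPN_DOMAIN) and that the local short name is the UPN prefix, which is exactly the assumption the SAM-ID naming scheme in this thread breaks. The parsing and UPN-building steps are separate functions so they can be checked with constructed scutil output on any machine; only `update_jamf_user` touches scutil and the jamf binary.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: UPN_DOMAIN is a
# placeholder for your tenant's UPN suffix, and the local account short name
# equals the UPN prefix.

UPN_DOMAIN="${UPN_DOMAIN:-example.com}"   # assumption: placeholder suffix

# Read `scutil` ConsoleUser output on stdin and print the console session
# owner's short name. Prints nothing when the login window owns the console
# or no session exists, so callers can refuse to write an empty username.
console_user_from_scutil() {
    awk '/^ *Name :/ && !/loginwindow/ { print $3 }'
}

# Map a local short name to the UPN Jamf will look up in the Cloud IdP.
# Returns 1 and prints nothing for inputs that cannot form a valid UPN
# (empty, already contains "@", contains whitespace or a slash).
upn_for_local_user() {
    case "$1" in
        ""|*@*|*" "*|*/*) return 1 ;;
    esac
    printf '%s@%s\n' "$1" "$UPN_DOMAIN"
}

# macOS-only entry point, meant to run as root from a Jamf policy. It bails
# out instead of blanking the Jamf user when nobody is logged in.
update_jamf_user() {
    user=$(echo "show State:/Users/ConsoleUser" | /usr/sbin/scutil | console_user_from_scutil)
    upn=$(upn_for_local_user "$user") || {
        echo "No usable console user, skipping recon" >&2
        return 0
    }
    /usr/local/bin/jamf recon -endUsername "$upn"
}

# Uncomment to run on a Mac:
# update_jamf_user
```

Because `update_jamf_user` refuses an empty or malformed name, a policy that fires while the login window is up leaves the existing User and Location record alone rather than overwriting it with a blank username.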

Tribruin
Valued Contributor II

Double check your mappings under your Azure settings. Make sure your fields are mapped correctly to the same properties in Azure. Most of them should fill in automatically.

I don't currently use Buildings and Departments in my environment, but, IIRC, you have to add them to the Jamf Buildings and Departments to fill in correctly. So, if a user has a department assigned in Azure, but the same Department does not exist in Jamf, nothing will be filled in for the user/computer.

jttavares
New Contributor III

The mappings all work, which is great. What I am trying to achieve is this: I need the "last user logged in" from the Extension Attribute, and their email address, to populate as the "Username" in User and Location. This will then get the additional info for the user from Azure automatically. Azure does not store the SAM account info, so I don't see how I can use the SAM (last user logged in, which is the local account name) to somehow get the email address. Hope I explained that correctly, and thanks for the help.

remyb
Contributor

I'm not sure how this would work for an Azure connection, but we use the following while connected to an on-prem AD:

echo "Setting owner, then running recon to update computername and owner in JSS"
jamf recon -ldapServerID 2 -userID "$EMAIL" > /dev/null 2>&1

The userID here is what maps to the User ID in the attribute mappings of the LDAP server settings of the Jamf Pro server. In theory you could change the mapping here to reflect the SAM ID. If you then run the above command, where $EMAIL is the SAM ID, it would match the rest of the information automatically.

I'm of course not sure if this would work in your environment, as changing the User ID mapping might break other stuff.

pkleiber
Contributor

jttavares
New Contributor III

@pkleiber

Going to look at this link now. Thanks for all the responses.