Posted on 06-16-2023 01:20 PM
Hello,
One of our users is requesting that we change their Name, Email, Username in all of our systems for their legal name change.
I am wondering how that will work with Jamf Connect. The Jamf Connect login screen should authenticate to Okta and allow them in, but I am curious if there are other steps we would need to do, like changing the Record Name value or disconnecting/reconnecting the local account with the IDP account.
Anyone have experience with this?
Posted on 11-30-2023 01:02 PM
I have this question too!
Posted on 12-19-2023 05:32 AM
Check my response below
Posted on 12-18-2023 04:19 PM
Bump!
Posted on 12-19-2023 05:31 AM
You have to unbind the network account from the local account using this process:
Once the unbind is complete, you will want to have the user log out of the computer, then log back in using the Jamf Connect login. Once authenticated, it will prompt the user to connect to a new account on the computer. We had an issue initially where the Jamf Connect login would not ask to connect to any of the accounts, but would just continue to log in to the new account it had created (with no data). I had to delete this newer account, as Jamf Connect will default to that account if the names are the same. Once I deleted that newer account, we could do the login and account-connection process correctly.
Posted on 12-19-2023 08:41 AM
Sounds like a lot of manual labor. Going to submit a feature request for something more... scalable and/or automated. Probably won't gain a lot of traction, but worth a shot.
Posted on 12-19-2023 11:49 AM
Upvote please - https://ideas.jamf.com/ideas/JN-I-26583
Posted on 08-29-2024 04:42 PM
If you're using Okta and JAMF Connect, here's a script that I use. You won't be able to just copy/paste. You'll have to make necessary changes since I sanitized our company info... o.O
I have an updated script that I'm working on that includes better logging, error handling, and a method to revert changes should anything go awry. Feel free to offer me a job if you want that one ;)
#!/bin/bash
###########################################################################################
# Script to Modify the username on the macOS.
###########################################################################################
actionLabel="Continue"
# pick a corporate icon
icon="/usr/local/JamfConnect/xxxx.png"
Success="Username on MacBook and OKTA match. The Setup will now continue"
# Logging file created in same directory as this script
d=$(date +%Y-%m-%d--%I:%M:%S)
log="${d} Account_RENAME:"
logfile="/Library/xx/logs/Account_RENAME.log"
mkdir -p /Library/xx/logs
# Create the log file
touch "$logfile"
# The script runs as root, so root-writable is enough; a world-writable (777) log
# would let any local user alter the audit trail of the rename
chmod 644 "$logfile"

StartRenameScript(){
    # Begin Logging
    echo "${log} ## Rename Script Begin ##" 2>&1 | tee -a "$logfile"
    # Ensures that script is run as ROOT
    if [[ "${UID}" != 0 ]]; then
        echo "${log} Error: $0 script must be run as root" 2>&1 | tee -a "$logfile"
        exit 1
    fi
    oldUser=$loggedInUser
    newUser=$OKTACheck
    # Test to ensure account update is needed
    if [[ "${oldUser}" == "${newUser}" ]]; then
        echo "${log} Error: Account ${oldUser} is the same name as ${newUser}" 2>&1 | tee -a "$logfile"
        exit 0
    fi
    # Query existing user accounts
    readonly existingUsers=($(dscl . -list /Users | grep -Ev "^_|com.*|root|nobody|daemon|\/" | cut -d, -f1 | sed 's|CN=||g'))
    # Ensure old user account is correct and account exists on system
    if [[ ! " ${existingUsers[@]} " =~ " ${oldUser} " ]]; then
        echo "${log} Error: ${oldUser} account not present on system to update" 2>&1 | tee -a "$logfile"
        exit 1
    fi
    # Ensure new user account is not already in use
    if [[ " ${existingUsers[@]} " =~ " ${newUser} " ]]; then
        echo "${log} Error: ${newUser} account already present on system. Cannot add duplicate" 2>&1 | tee -a "$logfile"
        exit 1
    fi
    # Query existing home folders
    readonly existingHomeFolders=($(ls /Users))
    # Ensure existing home folder is not in use
    if [[ " ${existingHomeFolders[@]} " =~ " ${newUser} " ]]; then
        echo "${log} Error: ${newUser} home folder already in use on system. Cannot add duplicate" 2>&1 | tee -a "$logfile"
        exit 1
    fi
    # Read the current home directory pointer; also used by the revert paths below
    ORGhomeFolder=$(dscl . read "/Users/$oldUser" NFSHomeDirectory | cut -d: -f 2 | sed "s/^ *//"| tr -d "\n")
    # Check if username differs from home directory name
    if [[ "/Users/${oldUser}" != "$ORGhomeFolder" ]]; then
        echo "${log} Error: Username differs from home directory name!" 2>&1 | tee -a "$logfile"
        echo "${log} Error: home directory: ${ORGhomeFolder} should be: /Users/${oldUser}." 2>&1 | tee -a "$logfile"
    fi
    # Updates NFS home directory
    sudo dscl . -change "/Users/$oldUser" NFSHomeDirectory "${ORGhomeFolder}" "/Users/$newUser"
    rc=$?
    if [[ $rc -ne 0 ]]; then
        # The change did not apply, so there is nothing to revert yet
        echo "${log} Could not rename the user's home directory pointer, aborting further changes! - err=${rc}" 2>&1 | tee -a "$logfile"
        exit 1
    else
        echo "${log} NFSHomeDirectory successfully changed to /Users/${newUser}" 2>&1 | tee -a "$logfile"
    fi
    # Actual username change
    sudo dscl . -change "/Users/$oldUser" RecordName "$oldUser" "$newUser"
    rc=$?
    if [[ $rc -ne 0 ]]; then
        echo "${log} Could not rename the user's RecordName in dscl - the user should still be able to login, but with user name ${oldUser}" 2>&1 | tee -a "$logfile"
        # The home folder has not been moved yet, so only the directory-record pointer needs reverting
        echo "${log} Reverting Home Directory changes" 2>&1 | tee -a "$logfile"
        sudo dscl . -change "/Users/${oldUser}" NFSHomeDirectory "/Users/${newUser}" "${ORGhomeFolder}"
        exit 1
    else
        echo "${log} RecordName successfully changed to ${newUser}" 2>&1 | tee -a "$logfile"
    fi
    # Updates name of home directory to new username
    sudo mv "$ORGhomeFolder" "/Users/$newUser"
    rc=$?
    if [[ $rc -ne 0 ]]; then
        echo "${log} Could not rename the user's home directory in /Users" 2>&1 | tee -a "$logfile"
        # The record now lives at /Users/${newUser}, so the reverts address that path
        echo "${log} Reverting Home Directory changes" 2>&1 | tee -a "$logfile"
        sudo dscl . -change "/Users/${newUser}" NFSHomeDirectory "/Users/${newUser}" "${ORGhomeFolder}"
        echo "${log} Reverting username change" 2>&1 | tee -a "$logfile"
        sudo dscl . -change "/Users/${newUser}" RecordName "${newUser}" "${oldUser}"
        exit 1
    else
        echo "${log} HomeDirectory successfully changed to /Users/${newUser}" 2>&1 | tee -a "$logfile"
    fi
    # Links old home directory to new. Fixes dock mapping issue
    sudo ln -s "/Users/$newUser" "$ORGhomeFolder"
    # Fixing the permissions on the Home Directory
    sudo chown -R "$newUser:staff" "/Users/$newUser"
    # Updating all other entries of Directory Utility
    sudo dscl . -change "/Users/$newUser" dsAttrTypeNative:_writers_AvatarRepresentation "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
    sudo dscl . -change "/Users/$newUser" dsAttrTypeNative:_writers_hint "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
    sudo dscl . -change "/Users/$newUser" dsAttrTypeNative:_writers_jpegphoto "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
    sudo dscl . -change "/Users/$newUser" dsAttrTypeNative:_writers_passwd "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
    sudo dscl . -change "/Users/$newUser" dsAttrTypeNative:_writers_picture "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
    sudo dscl . -change "/Users/$newUser" dsAttrTypeNative:_writers_unlockOptions "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
    sudo dscl . -change "/Users/$newUser" dsAttrTypeNative:_writers_UserCertificate "$oldUser" "$newUser" 2>&1 | tee -a "$logfile"
    # Success message
    read -r -d '' successOutput <<EOM
Success ${oldUser} username has been updated to ${newUser}
Folder "${ORGhomeFolder}" has been renamed to "/Users/${newUser}"
RecordName: ${newUser}
NFSHomeDirectory: "/Users/${newUser}"
SYSTEM RESTARTING in 2 minutes to complete username update.
EOM
    echo "${log} ${successOutput}" 2>&1 | tee -a "$logfile"
    # System restart
    sleep 10
    sudo jamf policy -event RestartMyMacbook
}

FetchOKTAID(){
    # Dialog result looks like: "button returned:Continue, text returned:jdoe"
    OKTACheck=$(osascript -e 'display dialog "Please Enter your OKTA ID." default answer "" buttons {"Continue"} default button 1' | awk -F 'text returned:' '{print $2}' | tr '[:upper:]' '[:lower:]')
    echo "$OKTACheck"
    # An empty answer would otherwise reach dscl as an empty RecordName
    if [[ -z "$OKTACheck" ]]; then
        FetchOKTAID
        return
    fi
    # Pass the entered value as an argument instead of splicing it into the AppleScript source,
    # so quotes in the input cannot break or alter the script
    callButton=$(osascript -e 'on run argv' -e 'display dialog "The OKTA ID entered is " & item 1 of argv & return & "If it is correct, please click Confirm." & return & "Else, Click on Re-Enter." buttons {"Confirm", "Re-Enter"} default button "Confirm"' -e 'end run' "$OKTACheck")
    if [[ $callButton == "button returned:Confirm" ]]; then
        if [ "$loggedInUser" == "$OKTACheck" ]; then
            echo "Usernames Match OKTA ID: $OKTACheck and MacBook User ID: $loggedInUser"
            "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "$icon" -title "$title" -description "$Success" -button1 "$actionLabel" -defaultButton 1 -lockHUD -startlaunchd -windowPosition center -timeout 5
        else
            echo "Usernames Don't Match OKTA ID: $OKTACheck and MacBook User ID: $loggedInUser"
            StartRenameScript
        fi
    else
        FetchOKTAID
    fi
}

AlertUser(){
    # Console user via scutil; the python one-liner no longer works since macOS removed Python 2
    loggedInUser=$(/usr/sbin/scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }')
    title="Annoying IT Alert"
    message="
We will check the username used to setup this device. If it is not as per IT Standards. This tool will modify username as per the policy and automatically restart the device.
The device setup will continue post restart"
    # Call window with appropriate messaging
    userClick=$( "/Library/Application Support/JAMF/bin/jamfHelper.app/Contents/MacOS/jamfHelper" -windowType utility -icon "$icon" -title "$title" -description "$message" -button1 "$actionLabel" -defaultButton 1 -lockHUD -startlaunchd -windowPosition center )
    # Call function to capture user input
    jamfHelperClick
}

jamfHelperClick() {
    # jamfHelper returns 0 for button1 and 2 for button2
    if [[ $userClick == 0 ]]; then
        echo "$loggedInUser chose to proceed..."
        FetchOKTAID
    elif [[ $userClick == 2 ]]; then
        echo "$loggedInUser Aborted Tool"
        exit 0
    fi
}

AlertUser
exit 0
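The script above takes the new short name from a free-text dialog and then uses it as a dscl record name and a /Users path. As an added example, not from this thread or from Jamf, here is a pre-flight check that rejects malformed, reserved, duplicate or case-colliding names before any rename starts; the name rules and sample account lists are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from this thread): pre-flight checks for a dialog-entered
# Okta ID before it is handed to dscl/mv as a RecordName and a /Users path.
# The name rules are an assumption for illustration, not an Okta or Jamf rule.

# validate_new_user OLD NEW EXISTING_USERS EXISTING_HOMES
#   EXISTING_USERS / EXISTING_HOMES: space-separated lists supplied by the
#   caller (on a Mac: `dscl . -list /Users` and `ls /Users`).
# Prints one reason line; returns 0 only when the rename may proceed.
validate_new_user() {
    old="$1"; new="$2"; users=" $3 "
    # /Users sits on a case-insensitive APFS volume by default, so compare
    # home folder names case-insensitively ("shared" collides with "Shared")
    homes=$(printf ' %s ' "$4" | tr '[:upper:]' '[:lower:]')
    # Short name: lowercase letter first, then letters/digits/._-, max 32 chars.
    # Rejects spaces, slashes, quotes and leading dots: nothing unsafe as a
    # dscl record name or as a path component under /Users gets through.
    if ! printf '%s' "$new" | grep -Eq '^[a-z][a-z0-9._-]{0,31}$'; then
        echo "reject: '${new}' is not a valid short name"; return 1
    fi
    # Never target the system accounts the rename script itself filters out
    case "$new" in
        root|nobody|daemon) echo "reject: '${new}' is reserved"; return 2 ;;
    esac
    if [ "$old" = "$new" ]; then
        echo "noop: names already match"; return 3
    fi
    case "$users" in
        *" $new "*) echo "reject: account '${new}' already exists"; return 4 ;;
    esac
    case "$homes" in
        *" $new "*) echo "reject: /Users/${new} already exists"; return 5 ;;
    esac
    case "$users" in
        *" $old "*) ;;
        *) echo "reject: source account '${old}' not found"; return 6 ;;
    esac
    echo "ok: ${old} -> ${new}"; return 0
}

# Constructed sample data standing in for dscl / ls output on a test Mac
SAMPLE_USERS="jdoe asmith root nobody daemon _mbsetupuser"
SAMPLE_HOMES="jdoe asmith Shared"
```

Call it right after the Okta ID dialog and only fall through to the rename when it returns 0; the reason line can go into the same log file the script already writes.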