Posted on 08-26-2019 12:55 PM
Just wondering if anyone has come up with an extension attribute for Intune integration. Looking to use a smart group to keep track of devices (or users) not yet enrolled in Intune.
Posted on 08-26-2019 01:18 PM
What version of Jamf Pro are you running? Recent versions have added a couple of Intune/AAD-related things that can be used to report. I haven't found a need to use an EA anymore like I used to.
Posted on 08-26-2019 03:19 PM
I'm also looking for this. At least in 10.12, while there is an Azure AD ID you can pull as a data point for a registered Mac, you cannot use that as a criterion for group membership.
Posted on 08-26-2019 10:15 PM
Hi,
See below my EA, it will get the Azure ID from the current logged in user and report it back to Jamf Pro.
You can set a smart group to show all none and mark that as not-registered.
#!/bin/bash
# Get the console user, treating loginwindow or no user as an empty name.
loggedInUser=$(/usr/bin/python -c 'from SystemConfiguration import SCDynamicStoreCopyConsoleUser; import sys; username = (SCDynamicStoreCopyConsoleUser(None, None, None) or [None])[0]; username = [username,""][username in [u"loginwindow", None, u""]]; sys.stdout.write(username + "\n");')
# The path contains a space, so it must be quoted.
AADUNIQUEID="$(grep UniqueId "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" | awk -F'"' '{print $2}')"
if [[ "${AADUNIQUEID}" == "" ]] ;
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${AADUNIQUEID}</result>"
fi
exit 0
Posted on 09-10-2019 11:52 AM
Thanks Thijs! That's exactly what I needed to get this deployed.
Posted on 05-18-2020 09:43 AM
Hi @txhaflaire, sounds like it doesn't work with the recent version of the Intune client. Could you assist, please? Thank you in advance.
Posted on 05-18-2020 09:48 AM
@JamelB Please explain? It still works in our env. Jamf Pro collects this value out of the box at the moment though!
Posted on 05-18-2020 10:01 AM
Thank you @txhaflaire. When I run the command locally, you can see the behaviour in the screenshot attached. The AADUNIQUEID is empty even if it exists in the xml file.
https://ibb.co/mDfbQtD
Posted on 05-18-2020 11:05 AM
@JamelB does the $loggedInUser get populated correctly on the device?
Posted on 05-18-2020 11:25 AM
@txhaflaire Yes it is
https://ibb.co/3p66pr3
Posted on 05-25-2020 04:36 AM
@txhaflaire any chance to assist? Thank you
Posted on 06-05-2020 06:00 PM
This stopped working for me as well. I was able to modify the EA to use PlistBuddy instead of grep.
#!/bin/bash
loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )
AADUNIQUEID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortal.usercontext.info" | grep aadUniqueId | cut -d '=' -f2 | xargs)"
if [[ "${AADUNIQUEID}" == "" ]] ;
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${AADUNIQUEID}</result>"
fi
exit 0
Posted on 06-15-2020 12:12 PM
Daniel's EA worked for me. The built-in Azure AD values don't seem consistent, especially between the different views inside Jamf Pro.
This is consistent enough for a Smart Group
Posted on 06-19-2020 05:26 AM
@daniel.behan awesome, it works perfectly, thank you very much :)
Posted on 04-09-2021 08:25 AM
If anyone's looking at this in 2021; the name of the Company Portal .info file has changed to
com.microsoft.CompanyPortalMac.usercontext.info
Note the additional "Mac" in the filename.
Modify that in Daniel's script and you are good to go!
Posted on 06-03-2021 08:53 AM
Wondering if this is still working for everyone? I just tried in Jamf 10.29.2 with Intune Company Portal 2.14 installed and it does not appear to be working.
Posted on 06-14-2021 08:01 AM
@matt.vin I just set this up today. This grep script worked for me when I changed the name of the file as mentioned above. The other script I found out there using awk didn't work for me today. I had never used either prior.
Posted on 06-16-2021 10:53 AM
Hey everyone. Thank you all for keeping this thread going it's been a great help to me. I, unfortunately, didn't have much luck with the first script, and had some success with Daniel's script after updating the .plist name with the 'Mac' value. When I ran Daniel's script with the updated 'Mac' name value it would return a UUID-looking string.
I inspected the com.microsoft.CompanyPortalMac.usercontext.info file and observed the 'aadUniqueID' is a UUID value while the 'aadUserID' value is the UPN of the account signed in with Intune. I just modified Daniel's script replacing the 'aadUniqueID' entries with 'aadUserID' and it spits out the UPN just fine.
I hope this helps.
Company Portal 2.16.210501
#!/bin/sh
loggedInUser=$( /usr/bin/who | /usr/bin/awk '/console/{ print $1 }' )
AADUSERID="$(/usr/libexec/PlistBuddy -c Print /Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info | grep aadUserId | cut -d '=' -f2 | xargs)"
if [[ "${AADUSERID}" == "" ]] ;
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${AADUSERID}</result>"
fi
exit 0
Posted on 12-30-2021 08:03 AM
I tried your script as well and the result is none even though I enrolled it in Intune.
Any idea?
Posted on 01-06-2022 06:36 AM
Can you manually check that the device has an AAUserID? Does Jamf list it in "Local Accounts" on a device inventory?
Posted on 01-06-2022 06:54 AM
Hi
I checked and yes, it does list an AADUserID
Posted on 01-19-2022 10:26 AM
Hey Harrie,
I apologize for replying so late. Is your script now returning the enrolled AADUSERID user? If you go to the .info file does it show a user enrolled? -
/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info
02-16-2022 05:30 AM - edited 02-16-2022 05:32 AM
hey,
try this. Levi forgot to add quotes around the file path :) And I adjusted the way to get the current user as the command above also showed other users logged in.
#!/bin/sh
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
AADUSERID="$(/usr/libexec/PlistBuddy -c Print "/Users/$loggedInUser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info" | grep aadUserId | cut -d '=' -f2 | xargs)"
if [[ "${AADUSERID}" == "" ]] ;
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${AADUSERID}</result>"
fi
exit 0
Posted on 02-16-2022 05:49 AM
This seems to work
thnx
Posted on 03-25-2022 11:19 AM
Thanks for the tip! The quotes did the trick!
Posted on 09-15-2022 10:15 AM
You can also get PlistBuddy to print the value directly instead of parsing it out:
loggedInUser=$(/bin/ls -l /dev/console | /usr/bin/awk '{print $3}')
AADUSERID="$(/usr/libexec/PlistBuddy -c 'Print:aadUserId' /Users/$loggedInUser/Library/Application\ Support/com.microsoft.CompanyPortalMac.usercontext.info)"
if [[ "${AADUSERID}" == "" ]] ;
then
/bin/echo "<result>None</result>"
else
/bin/echo "<result>${AADUSERID}</result>"
fi
exit 0
02-10-2023 06:20 AM - edited 02-10-2023 06:21 AM
For me the already given methods for getting the logged in user were still pulling the wrong username, so the script always returned "none".
The one I use is this one:
loggedInUser=$(scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ { print $3 }')
Given as the recommended method in this JNUC 2020 Scripting Best practices presentation
10-04-2023 08:30 AM - edited 10-04-2023 08:35 AM
Thank you, this is successful, and yes, using "scutil" is the way to go for loggedInUser.
Just wondering, I am getting the following result instead of "None":
"File Doesn't Exist, Will Create: /Users/_mbsetupuser/Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info"
Once one AAD registers (in Self Service, and a recon), the EA is updated with the user's AAD ID, as expected.
Returning "None" if the AAD / Intune registration has not happened would be nice (so I think something may be missing / awry?).
Also, does anyone have any ideas for guiding users to Self Service and performing the Intune Registration install? Using a Jamf Helper notification right now. Much thanks in advance.
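The "File Doesn't Exist, Will Create" text in the post above is what PlistBuddy itself prints when the .info file is missing, so it ends up as the EA value. As an added example (not code from any poster in this thread), this variant checks for setup/system accounts and for the file before reading the key; the function names, the optional users-root argument and the `PLISTBUDDY` override are assumptions made so the logic can be exercised off-device.

```shell
#!/bin/sh
# Added example, not from the thread. console_user, aad_result, the second
# argument to aad_result and the PLISTBUDDY override are hypothetical names.
PLISTBUDDY="${PLISTBUDDY:-/usr/libexec/PlistBuddy}"
INFO_REL="Library/Application Support/com.microsoft.CompanyPortalMac.usercontext.info"

# Console user via scutil, as recommended in the thread; empty at the login window.
console_user() {
    printf 'show State:/Users/ConsoleUser\n' | /usr/sbin/scutil 2>/dev/null |
        /usr/bin/awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Print the EA result for one user. $2 replaces /Users (used for testing only).
aad_result() {
    user="$1"
    root="${2:-/Users}"
    # No user, setup/system accounts, or a name containing a slash: unregistered.
    case "$user" in
        ''|root|loginwindow|_mbsetupuser|*/*)
            echo "<result>None</result>"; return 0 ;;
    esac
    info="$root/$user/$INFO_REL"
    # PlistBuddy prints "File Doesn't Exist, Will Create: ..." for a missing
    # file, so test for the file first instead of letting that become the value.
    if [ ! -f "$info" ]; then
        echo "<result>None</result>"; return 0
    fi
    # A missing key makes PlistBuddy exit non-zero; report that as None too.
    if value=$("$PLISTBUDDY" -c 'Print :aadUserId' "$info" 2>/dev/null) && [ -n "$value" ]; then
        echo "<result>$value</result>"
    else
        echo "<result>None</result>"
    fi
}

aad_result "$(console_user)"
```

With this version a smart group on the value "None" also catches Macs inventoried during Setup Assistant or at the login window.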
Posted on 10-04-2023 08:48 AM
I guess there are a number of ways you could implement this. We have a fairly dumb policy that runs a script. We can then run that policy Once a day, Once a week etc. I'm sure there are smarter ways of determining the frequency it should run at, basing it on Smart Groups or enhancing the script and using a launch daemon.
This is the script:
#!/bin/bash
# Define Variables
brandIcon="/Library/Application Support/JAMF/Jamf.app/Contents/Resources/AppIcon.icns"
policyID="91"
#get logged in user
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
answer=$( osascript << EOF
button returned of (display dialog "Please finish setting up your computer by running the Device Compliance Registration. You will not have full access to company resources until you have completed this registration. Click OK to get started!" buttons {"OK"} default button 1 with icon POSIX file "$brandIcon")
EOF
)
echo "$answer"
# Compare as strings; -eq is an arithmetic test and does not compare text.
if [[ "$answer" == "OK" ]]; then
su "$loggedInUser" -c "killall Self\ Service"
su "$loggedInUser" -c "open \"jamfselfservice://content?entity=policy&id=$policyID&action=view\""
fi
This will close Self Service if open and then re-open it straight to the Self Service policy that actually performs the registration. In this example, Policy ID 91.
Posted on 10-04-2023 09:50 AM
@Keav Excellent, looks very nice, will give this a try. Thank you!