Jamf Connect – Reporting the Login Window

Jamf Connect is an app that helps a Mac administrator bring directory-based authentication to a Mac without binding it to on-premises Active Directory, by using a cloud identity provider (IdP) such as Azure or Okta. Once Jamf Connect is implemented, users authenticate to the Mac with their directory credentials, log in, and can sync their directory password to the local account created on the computer. This simplifies password changes for both the end user and the administrator, while the administrator keeps things secure by enforcing password policies from the IdP.

Once Jamf Connect is implemented, it may be important for the administrator to know which login window mechanism is being presented to the end user. If the organization uses the Jamf Connect login window mechanism, we should be able to report on that and remediate the computers that are still showing the standard macOS login window. This matters because a major upgrade (think upgrading from Big Sur to Monterey) resets the login window to the standard macOS login window, so the organization may need to target computers showing the standard macOS login window with a policy that changes the mechanism back to the Jamf Connect login window.

We will look at creating a script to use as an extension attribute that tells us whether our computers are using the standard macOS login window mechanism or the Jamf Connect login window mechanism.

To list the currently installed login window mechanisms on a computer:

security authorizationdb read system.login.console

The command returns the rule as an XML plist, with the login window mechanisms listed as an array of strings. Any mechanism suffixed with ',privileged' is run by the login window as the root user.

When we look at these settings, we can see something similar to:

The built-in macOS mechanism that displays the standard macOS login window is:

<string>loginwindow:login</string>

And after we install Jamf Connect and change our login window mechanism to Jamf Connect Login, we see something similar to:

We can now see that the built-in macOS login mechanism to display the standard macOS login window is removed. This is the only built-in macOS mechanism removed by Jamf Connect.

Since we know that Jamf Connect removes this login mechanism, we can use that fact to build the script for our Extension Attribute in Jamf Pro, which tells us whether the end user is being presented with the standard macOS login window or the Jamf Connect login window.

Our script greps the rule for loginwindow:login. grep exits 0 when the string is present, so a zero exit means the standard macOS login window is in use; if it doesn’t exist, we know that the Jamf Connect login window mechanism is being used.

#!/bin/sh

# Script will report whether the computer is
# using the macOS login window or Jamf Connect
# login window

# Updated: 3.01.2022 @robjschroeder

# Read the system.login.console rule (stderr carries only the "YES (0)" status,
# so it is discarded) and check for the built-in loginwindow:login mechanism.
# grep -q exits 0 if the mechanism is present, 1 if it is not.
loginwindow_check=$(security authorizationdb read system.login.console 2>/dev/null | grep -q 'loginwindow:login'; echo $?)

if [ "$loginwindow_check" -eq 0 ]; then
    echo "<result>OS LoginWindow</result>"
else
    echo "<result>JC LoginWindow</result>"
fi

https://github.com/robjschroeder/Jamf-Extension-Attributes/blob/main/JamfConnect-LoginWindowMechanism.sh
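As an added example (not part of the original post or Jamf's own code), the following Python parses the plist that security authorizationdb read prints, lists each mechanism with whether it runs as root, and makes the same login window decision as the extension attribute. The plist samples are constructed and abbreviated, and the JamfConnectLogin:EXAMPLE entry is a placeholder name, not a real Jamf Connect mechanism; on a Mac you would feed the live command output to the same functions.

```python
import plistlib
from typing import List, Tuple

# Constructed, abbreviated sample of what `security authorizationdb read
# system.login.console` prints on a stock Mac (the real rule lists more
# mechanisms and the exact set varies by macOS version).
STOCK_MAC_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>class</key>
    <string>evaluate-mechanisms</string>
    <key>mechanisms</key>
    <array>
        <string>builtin:policy-banner</string>
        <string>loginwindow:login</string>
        <string>builtin:login-begin</string>
        <string>builtin:authenticate,privileged</string>
        <string>loginwindow:done</string>
    </array>
</dict>
</plist>
"""

# Constructed variant with loginwindow:login removed, as Jamf Connect does.
# JamfConnectLogin:EXAMPLE is a placeholder, not a real mechanism name.
JAMF_CONNECT_PLIST = STOCK_MAC_PLIST.replace(
    b"<string>loginwindow:login</string>",
    b"<string>JamfConnectLogin:EXAMPLE,privileged</string>")


def parse_mechanisms(plist_bytes: bytes) -> List[Tuple[str, bool]]:
    """Return (mechanism_name, runs_as_root) pairs from the rule's plist.
    A ',privileged' suffix marks a mechanism the login window runs as root."""
    rule = plistlib.loads(plist_bytes)
    pairs = []
    for entry in rule.get("mechanisms", []):
        name, _, flag = entry.partition(",")
        pairs.append((name, flag == "privileged"))
    return pairs


def login_window(plist_bytes: bytes) -> str:
    """Same decision as the extension attribute: if the built-in
    loginwindow:login mechanism is present, the macOS login window is shown."""
    names = [name for name, _ in parse_mechanisms(plist_bytes)]
    return "OS LoginWindow" if "loginwindow:login" in names else "JC LoginWindow"


if __name__ == "__main__":
    # On a Mac, replace the sample with the live rule, e.g. the stdout of
    # subprocess.run(["security", "authorizationdb", "read", "system.login.console"]).
    for name, as_root in parse_mechanisms(STOCK_MAC_PLIST):
        print(f"{name:40s} {'root' if as_root else 'user'}")
    print(login_window(STOCK_MAC_PLIST))
```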

Thank you for checking this out!
