
Identifying which Active Directory account is logged into Enterprise Connect

As more Mac environments move away from binding Macs to Active Directory and using AD mobile accounts, and towards using local accounts in combination with tools like NoMAD and Apple’s Enterprise Connect, it has become more challenging to identify which people are logged into which computers. A mobile Active Directory account uses the username and password of the person’s AD account, so the local username identifies the person; with a local user account there is no such certainty, because the local account name need not match the AD account name at all.

Fortunately, my colleague Joe Chilcote recently let me know that it’s possible to query the logged-in user’s login keychain and get the username of the Active Directory account which is logged into Enterprise Connect. Enterprise Connect stores its credentials as a generic password item in the login keychain, and the account name is one of that item’s attributes. This can be accomplished by running the following command as the logged-in user (it reads only the item’s account attribute, not the stored password, so it does not trigger a keychain access prompt):

/usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""

That should produce output similar to that shown below. If nothing is returned on macOS Sierra or later, note that the login keychain file is named login.keychain-db on those releases: use that filename, or omit the keychain path so that the user’s default keychain search list is used.

computername:~ username$ /usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""
AD_username_here
computername:~ username$

It’s also possible to use this technique to update the User and Location section of a particular computer managed by a Jamf Pro server. For more information, see below the jump.

I’ve written a script which is designed to do the following:

  1. Identify if Apple Enterprise Connect is installed on a particular Mac
  2. If Enterprise Connect is installed, identify the username of the Active Directory account logged into Enterprise Connect.
  3. Upload the username information to a Jamf Pro server and update the User and Location section of the computer’s inventory listing.

The script is available below. It is also available on Github at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/update_jamf_pro_user_inventory_using_apple_enterprise_connect_credentials
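As an added example of both the keychain query above and the three-step workflow, here is a self-contained script that is not the one from the post or the GitHub repository. It assumes, as Jamf scripts commonly do, that the Jamf Pro URL, API username and API password arrive as script parameters $4, $5 and $6 (the original post does not state how its script receives them), that the keychain item is labelled "Enterprise Connect" as shown above, and that the Classic API endpoint /JSSResource/computers/serialnumber/ is used for the update. The sample keychain dump embedded in the script is constructed so the parser can be exercised without a Mac or an Enterprise Connect login.

```shell
#!/bin/bash
# Added example, not the script from the original post or the GitHub repo.
# Assumptions (not from the post): Jamf Pro URL and API credentials arrive as
# script parameters $4-$6; the API account only has Update rights on Computers.

EC_APP="/Applications/Enterprise Connect.app"
EC_ITEM_LABEL="Enterprise Connect"      # keychain item label shown in the post

# Step 1: is Enterprise Connect installed?
ec_installed() { [ -d "$EC_APP" ]; }

# Extract the "acct" attribute from a `security find-generic-password` dump.
# The relevant line looks like:   "acct"<blob>="AD_username_here"
# Only attributes are read (no -w), so the stored password is never touched
# and no keychain access prompt appears.
ec_account_from_dump() {
    awk -F'=' '/"acct"<blob>=/ { v=$2; gsub(/"/, "", v); print v; exit }'
}

# Step 2: look the item up in the console user's login keychain. Jamf policies
# run as root, so the query is run as that user. login.keychain-db is the file
# name on macOS Sierra and later, login.keychain on older releases.
ec_account_for_user() {
    local user="$1" kc="/Users/$1/Library/Keychains/login.keychain-db"
    [ -f "$kc" ] || kc="/Users/$1/Library/Keychains/login.keychain"
    sudo -u "$user" -H /usr/bin/security find-generic-password \
        -l "$EC_ITEM_LABEL" "$kc" 2>/dev/null | ec_account_from_dump
}

# Escape the username before placing it in the API body, so a value containing
# &, <, > or " cannot break (or alter) the XML document sent to Jamf Pro.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                           -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Body for PUT /JSSResource/computers/serialnumber/<serial>: only the User and
# Location username is touched; the other inventory fields stay as they are.
jamf_user_xml() {
    printf '<computer><location><username>%s</username></location></computer>' \
        "$(xml_escape "$1")"
}

# Step 3: push the username to Jamf Pro (Classic API, basic auth over HTTPS).
jamf_update_user() {
    local jss_url="$1" api_user="$2" api_pass="$3" serial="$4" username="$5"
    curl -sf -u "$api_user:$api_pass" -H "Content-Type: application/xml" \
        -X PUT "${jss_url%/}/JSSResource/computers/serialnumber/$serial" \
        -d "$(jamf_user_xml "$username")" >/dev/null
}

# Constructed sample of what `security find-generic-password -l` prints
# (abridged), used to exercise the parser offline.
SAMPLE_DUMP='keychain: "/Users/username/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Enterprise Connect"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="jdoe"
    "cdat"<timedate>=0x32303137303431323231343735375A00  "20170412214757Z\000"
    "crtr"<uint32>=<NULL>
    "desc"<blob>=<NULL>
    "svce"<blob>="Enterprise Connect"'

main() {
    local user account serial
    ec_installed || { echo "Enterprise Connect is not installed"; exit 0; }
    user=$(/usr/bin/stat -f%Su /dev/console)
    account=$(ec_account_for_user "$user")
    [ -n "$account" ] || { echo "No Enterprise Connect login found for $user"; exit 0; }
    serial=$(/usr/sbin/system_profiler SPHardwareDataType | awk '/Serial Number/ {print $NF}')
    jamf_update_user "$4" "$5" "$6" "$serial" "$account"
}

# Run for real only when the three Jamf parameters are present; otherwise the
# script just defines the functions (useful for sourcing and testing).
if [ -n "$6" ]; then
    main "$@"
fi
```

Two points worth keeping in mind when deploying something like this: script parameters are passed on the command line, so the API password is visible to `ps` on the Mac while the script runs, which is why the API account should be a dedicated one with no rights beyond updating computer records; and the username is XML-escaped before it is sent, so an account name containing characters such as & or < cannot break the request or slip extra elements into the inventory update.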

If you want to run this script from your Jamf Pro server, it should be set up as follows:

[Screenshots in the original post (April 12, 2017): Jamf Pro script settings]

One way to use the inventory update capability would be to set up a policy which runs the script, where the policy is triggered by a user logging in to the Mac.

[Screenshots in the original post (April 12, 2017): policy configuration with a login trigger]

  1. jhbush
    April 12, 2017 at 9:47 pm

    Thanks. I modified it a little for NoMAD. https://gist.github.com/jhbush/263531aa2a0920ed597ee9a4664709d0

  2. April 12, 2017 at 11:51 pm

    Very handy Rich! Will be putting this to use in our environment. Will help with asset ownership.

  3. April 14, 2017 at 8:51 pm

    Thanks for this post. We use EC heavily in my environment and user issues can be a bugger.

  4. April 20, 2017 at 2:12 pm

    I am facing an issue in the script at this line:
    if [[ -d “/Applications/Enterprise Connect.app” ]];
