
Have the Jamf Connect Menubar "Sign In" Window Appear when Password is Out of Sync

Updated over 2 weeks ago

Description

If Jamf Connect notifications are configured, a desktop notification appears in Notification Center when a password is out of sync. If your end users are missing that notification, you can deploy a custom script that checks whether the password is out of sync, together with a launch agent that runs it periodically and opens the Jamf Connect "Sign In" window when it is. The window prompts end users to re-authenticate, which is followed by a password sync prompt.

Note - In this article, Jamf Connect menu bar refers to settings configured with the com.jamf.connect preference domain. It applies to Jamf Connect menu bar versions 2.x, but the same out-of-sync condition may occur when using the Self Service+ menu bar and/or the Self Service+ Account Management dashboard.

Deploying a Script to Launch Jamf Connect Sign In Window

  1. Add the script below into Jamf Pro.

    • For more information, see Scripts in the Jamf Pro documentation.

    • Optional: Adjust the number provided for the StartInterval key in the plist as desired. In the script below it is set to 900 (seconds), or 15 minutes.

      #!/bin/bash

      # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
      # INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
      # PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
      # FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
      # OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
      # DEALINGS IN THE SOFTWARE.

      # Path of the helper script that checks the password sync state (run by the launch agent)
      SCRIPT_PATH="/usr/local/bin/connectsignin.sh"

      # Create the script directory if it doesn't exist
      if [ ! -d "/usr/local/bin" ]; then
      mkdir -p /usr/local/bin
      fi

      # Write the helper script to $SCRIPT_PATH
      cat <<'EOF' > "$SCRIPT_PATH"
      #!/bin/bash
      # Read PasswordCurrent from the user's com.jamf.connect.state plist (1 = in sync, 0 = out of sync).
      # defaults prints nothing and exits non-zero if the key or plist does not exist, so treat an
      # empty value as "in sync" (1) rather than forcing the Sign In window on an unknown state.
      passwordCurrent=$(defaults read com.jamf.connect.state PasswordCurrent 2>/dev/null)

      # If PasswordCurrent=0, open the Jamf Connect Sign In window
      if [ "${passwordCurrent:-1}" -eq 0 ]; then
      /usr/bin/open jamfconnect://signin
      fi
      EOF

      # Set proper permissions for the script: root-owned and not writable by users, since every
      # login session runs it. It is invoked via /bin/bash, so it does not need the execute bit.
      chown root:wheel "$SCRIPT_PATH"
      chmod 644 "$SCRIPT_PATH"

      # Define the path to the LaunchAgent plist file
      PLIST_PATH="/Library/LaunchAgents/com.jamf.connectsignin.plist"

      # Create the LaunchAgents directory if it doesn't exist
      if [ ! -d "/Library/LaunchAgents" ]; then
      mkdir -p /Library/LaunchAgents
      fi

      # Copy the plist file from the script's payload to the correct location
      cat <<'EOF' > "$PLIST_PATH"
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
      <plist version="1.0">
      <dict>
      <key>KeepAlive</key>
      <false/>
      <key>Label</key>
      <string>com.jamf.connectsignin</string>
      <key>LimitLoadToSessionType</key>
      <array>
      <string>Aqua</string>
      </array>
      <key>ProgramArguments</key>
      <array>
      <string>/bin/bash</string>
      <string>/usr/local/bin/connectsignin.sh</string>
      </array>
      <key>StartInterval</key>
      <integer>900</integer>
      <key>RunAtLoad</key>
      <false/>
      </dict>
      </plist>
      EOF

      # Set proper permissions for the LaunchAgent plist
      chown root:wheel "$PLIST_PATH"
      chmod 644 "$PLIST_PATH"

      #Get Logged In User:
      loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

      # If no one is logged in at the console (for example the policy ran at the login window),
      # there is no session to load the agent into; it is loaded automatically at the next GUI login.
      if [ -z "$loggedInUser" ]; then
      echo "No console user logged in; skipping launch agent load."
      exit 0
      fi

      #Get UID:
      uid=$(/usr/bin/id -u "$loggedInUser")

      # check if LA is loaded already
      if /bin/launchctl asuser "$uid" launchctl list | grep -q "com.jamf.connectsignin"; then
      echo "$PLIST_PATH is already running for the logged-in user."
      else
      echo "$PLIST_PATH is not running for the logged-in user. Loading launch agent.."
      #Load LA as that UID:
      /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$loggedInUser" /bin/launchctl load "$PLIST_PATH"
      fi

      exit 0

  2. Create a Policy in Jamf Pro to deploy the script to any computers that utilize the Jamf Connect application.

    1. Go to Computers > Policies and click New.

    2. At a minimum, fill out the following on the General payload:

      • Display name

      • Trigger

      • Execution Frequency

    3. Select the Scripts payload and click Configure.

    4. Click Add for the script uploaded in step 1.

    5. Click Scope and add a desired test computer.

    6. Click Save.

Please deploy the script to a test computer (group) first before installing it on all managed computers.
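The deployed script makes three decisions based on command output: the PasswordCurrent value from defaults, the console user from scutil, and whether the label is present in launchctl list. The block below is an added example and not code from the Jamf article: it factors those decisions into shell functions that take the raw command output as an argument, so the edge cases (missing key, login window, a label that merely shares a prefix) can be exercised on any machine. The function names and the scutil and launchctl sample outputs are constructed for the example, not captured from a Mac.

```shell
#!/bin/sh
# Added example, not code from the Jamf article. Function names and the
# sample command outputs below are constructed for illustration.

# Classify the output of: defaults read com.jamf.connect.state PasswordCurrent
# defaults prints "1" (in sync) or "0" (out of sync); it prints nothing and
# exits non-zero when the key or plist is absent. Treating that as "unknown"
# rather than as 0 keeps the agent from forcing the Sign In window every
# interval on a Mac where Jamf Connect has not recorded a state yet.
sync_state() {
  case "$1" in
    0) echo out_of_sync ;;
    1) echo in_sync ;;
    *) echo unknown ;;
  esac
}

# What the agent should do for a given PasswordCurrent reading.
agent_action() {
  case "$(sync_state "$1")" in
    out_of_sync) echo "open jamfconnect://signin" ;;
    in_sync)     echo "noop" ;;
    *)           echo "skip: PasswordCurrent unreadable" ;;
  esac
}

# Extract the console user's short name from the output of:
#   scutil <<< "show State:/Users/ConsoleUser"
# Prints nothing at the login window (Name : loginwindow) so callers can skip.
console_user() {
  printf '%s\n' "$1" | awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Return 0 if label $1 appears in the output of `launchctl list` ($2).
# Columns are PID (or "-" when not running), last exit status, label.
# Comparing the label column exactly avoids the prefix match that
# grep -q "com.jamf.connectsignin" would also accept for a similar label.
agent_loaded() {
  printf '%s\n' "$2" | awk -v label="$1" '$3 == label { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample outputs (shape follows the real commands, values made up).
SAMPLE_SCUTIL_USER='<dictionary> {
  GID : 20
  Name : jsmith
  SessionInfo : <array> {
  }
  UID : 501
}'
SAMPLE_SCUTIL_LOGINWINDOW='<dictionary> {
  GID : 0
  Name : loginwindow
  UID : 0
}'
SAMPLE_LAUNCHCTL_LIST='PID   Status  Label
-     0       com.jamf.connectsignin
523   0       com.jamf.connect
-     0       com.jamf.connectsignin.helper'

# Demo when run directly.
echo "PasswordCurrent=0  -> $(agent_action 0)"
echo "PasswordCurrent=1  -> $(agent_action 1)"
echo "PasswordCurrent='' -> $(agent_action '')"
echo "console user: '$(console_user "$SAMPLE_SCUTIL_USER")'"
echo "at login window: '$(console_user "$SAMPLE_SCUTIL_LOGINWINDOW")'"
if agent_loaded com.jamf.connectsignin "$SAMPLE_LAUNCHCTL_LIST"; then
  echo "com.jamf.connectsignin is loaded"
else
  echo "com.jamf.connectsignin is not loaded"
fi
```

On a real Mac the same functions would be fed `$(defaults read com.jamf.connect.state PasswordCurrent 2>/dev/null)`, `$(scutil <<< "show State:/Users/ConsoleUser")` and `$(launchctl asuser "$uid" launchctl list)`; the point of the factoring is that the "unknown" branch and the login-window case are handled explicitly instead of producing a bash integer-comparison error or an empty uid.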

Keep in mind:

  • If you do not want the launch agent to run, unload it from a Terminal session of the logged-in user (the gui/ domain must be that user's uid; $(id -u) is expanded by the user's shell before sudo runs, so it resolves to the logged-in user):

    sudo launchctl bootout gui/$(id -u) /Library/LaunchAgents/com.jamf.connectsignin.plist

  • To have it run again, load the launch agent with the bootstrap subcommand:

    sudo launchctl bootstrap gui/$(id -u) /Library/LaunchAgents/com.jamf.connectsignin.plist

  • If the launch agent needs to be unloaded/loaded in mass, please utilize:

    #!/bin/bash

    #Get Logged In User:
    loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

    # Nothing to unload or load if no one is logged in at the console
    if [ -z "$loggedInUser" ]; then
    echo "No console user logged in; nothing to do."
    exit 0
    fi

    #Get UID (must be looked up after loggedInUser is set):
    uid=$(/usr/bin/id -u "$loggedInUser")

    # Define the path to the LaunchAgent plist file
    PLIST_PATH="/Library/LaunchAgents/com.jamf.connectsignin.plist"

    # Unload Launch agent
    /bin/launchctl asuser "$uid" /usr/bin/sudo -u "$loggedInUser" /bin/launchctl unload "$PLIST_PATH"

    #Load Launch agent (comment out the unload line above and uncomment this one to load instead)
    #/bin/launchctl asuser "$uid" /usr/bin/sudo -u "$loggedInUser" /bin/launchctl load "$PLIST_PATH"

Please note: the unload and load commands at the end of the script need to be swapped (comment one out, uncomment the other) depending on whether the launch agent should be unloaded or loaded. As provided, the script unloads the launch agent, meaning it will not run until it is loaded again.
