Description
If Jamf Connect Notifications are configured, there will be a Desktop Notification in the Notification center if a password is out of sync. However, if your end users are missing the notification when their password is out of sync, you can utilize a custom script to detect if the password is out of sync and a launch agent to trigger the Jamf Connect "Sign In" window popup. This will prompt end-users to re-authenticate, which would be followed by a password sync prompt.
Note - In this article, Jamf Connect menu bar refers to settings configured with the com.jamf.connect preference domain. It applies to Jamf Connect menu bar versions 2.x, but these same errors may occur if using Self Service+ menu bar and/or Self Service+ Account management dashboard.
Deploying a Script to Launch Jamf Connect Sign In Window
Add the script below into Jamf Pro.
For more information, see Scripts in the Jamf Pro documentation.
Optional: Adjust the number provided for the
StartIntervalkey in the plist as desired. In the script below it is set to 900 (seconds), or 15 minutes.
#!/bin/bash
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
# INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
# PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE
# FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
# OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
# DEALINGS IN THE SOFTWARE.
# Define the path to the script path sh file
SCRIPT_PATH="/usr/local/bin/connectsignin.sh"
# Create the script directory if it doesn't exist
if [ ! -d "/usr/local/bin" ]; then
mkdir -p /usr/local/bin
fi
# Copy the script to /private/tmp/
cat <<'EOF' > "$SCRIPT_PATH"
#!/bin/bash
# Read PasswordCurrent value from com.jamf.connect.state plist
passwordCurrent=$(defaults read com.jamf.connect.state PasswordCurrent 2>/dev/null)
# If PasswordCurrent=0, execute open jamfconnect://signin
if [ "$passwordCurrent" -eq 0 ]; then
/usr/bin/open jamfconnect://signin
fi
EOF
# Set proper permissions for the script
chown root:wheel "$SCRIPT_PATH"
chmod 644 "$SCRIPT_PATH"
# Define the path to the LaunchAgent plist file
PLIST_PATH="/Library/LaunchAgents/com.jamf.connectsignin.plist"
# Create the LaunchAgents directory if it doesn't exist
if [ ! -d "/Library/LaunchAgents" ]; then
mkdir -p /Library/LaunchAgents
fi
# Copy the plist file from the script's payload to the correct location
cat <<'EOF' > "$PLIST_PATH"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<false/>
<key>Label</key>
<string>com.jamf.connectsignin</string>
<key>LimitLoadToSessionType</key>
<array>
<string>Aqua</string>
</array>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>/usr/local/bin/connectsignin.sh</string>
</array>
<key>StartInterval</key>
<integer>900</integer>
<key>RunAtLoad</key>
<false/>
</dict>
</plist>
EOF
# Set proper permissions for the LaunchAgent plist
chown root:wheel "$PLIST_PATH"
chmod 644 "$PLIST_PATH"
#Get Logged In User:
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
#Get UID:
uid=$(/usr/bin/id -u "$loggedInUser")
# check if LA is loaded already
if /bin/launchctl asuser "$uid" launchctl list | grep -q "com.jamf.connectsignin"; then
echo "$PLIST_PATH is already running for the logged-in user."
else
echo "$PLIST_PATH is not running for the logged-in user. Loading launch agent.."
#Load LA as that UID:
/bin/launchctl asuser "$uid" /usr/bin/sudo -u "$loggedInUser" /bin/launchctl load "$PLIST_PATH"
fi
exit 0
Create a Policy in Jamf Pro to deploy the script to any computers that utilize the Jamf Connect application.
Go to Computers > Policies and click New.
At a minimum, fill out the following on the General payload:
Display name
Trigger
Execution Frequency
Select the Scripts payload and click Configure.
Click Add for the script uploaded in step 1.
Click Scope and add a desired test computer.
Click Save.
Please deploy the script to a test computer (group) first before installing it on all managed computers.
Keep in mind:
If we don't want the launch agent to run, it can be unloaded using the line below:
sudo launchctl bootout gui/$(id -u) /Library/LaunchAgents/com.jamf.connectsignin.plist
To have it run again, load the launch agent with the command:
sudo launchctl bootload gui/$(id -u) /Library/LaunchAgents/com.jamf.connectsignin.plist
If the launch agent needs to be unloaded/loaded in mass, please utilize:
#!/bin/bash
#Get UID:
uid=$(/usr/bin/id -u "$loggedInUser")
#Get Logged In User:
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Define the path to the LaunchAgent plist file
PLIST_PATH="/Library/LaunchAgents/com.jamf.connectsignin.plist"
# Unload Launch agent
/bin/launchctl asuser "$uid" /usr/bin/sudo -u "$loggedInUser" /bin/launchctl unload "$PLIST_PATH"
#Load Launch agent
#/bin/launchctl asuser "$uid" /usr/bin/sudo -u "$loggedInUser" /bin/launchctl load "$PLIST_PATH"
Please note: Lines 12-14 may need to be modified based on whether the launch agent should be unloaded or loaded. In the provided example, the launch agent would be unloaded, meaning it will not run.