
Managed Apple ID Pre-work: Determining Impacted Users

A Jamf Pro Computer Extension Attribute which returns enterprise-domain Apple IDs

Background

Like most organizations, we want the best — most secure — experience for our users. So, naturally, we’ve investigated leveraging Managed Apple IDs.

While Managed Apple IDs come with some significant limitations, my personal favorite has to be:

Allows browsing but not purchasing, paid or free in: App Store

However, the promise of a Shared iPad is quite alluring.

The Rub

I also suspect “the rub” for most organizations that wish to federate their domain is Apple’s unwillingness to inform the enterprise which of the enterprise’s users will be impacted before federation is enabled:

… but you can’t see their actual personal Apple ID.

Get notified about federated authentication user name conflicts, Item No. 7

Script

The following Domain Apple IDs Jamf Pro Computer Extension Attribute inspects the currently (or most recently) logged-in user’s MobileMeAccounts.plist for Apple IDs whose domain appears in the domainsToCheck array and returns them as a semicolon-delimited list (or “None” when no matching account is signed in). Because Jamf Pro runs Extension Attributes as root, the script can read the user’s plist directly.

Note: The presumption is that your Mac users have configured an organizationally associated Apple ID on a managed Mac; organizationally associated Apple IDs in-use on iOS / iPadOS devices won’t be caught by this net.

Domain Apple IDs

#!/usr/bin/env bash
####################################################################################################
# A script to collect the domain-associated accounts logged-in to iCloud                           #
# • If no accounts are logged-in to iCloud, "None" will be returned.                               #
####################################################################################################



####################################################################################################
#
# Global Variables
#
####################################################################################################

scriptVersion="0.0.3"
domainsToCheck=("domain1.org" "domain2.org" "domain3.org")
export PATH=/usr/bin:/bin:/usr/sbin:/sbin
loggedInUser=$( echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# If no user is logged in (login window, or no console session at all),
# fall back to the last user who logged in at the console (GUI login),
# not the last Terminal session
if [[ -z "${loggedInUser}" || "${loggedInUser}" == "loginwindow" ]]; then
    loggedInUser=$( last -1 -t console | awk '{print $1}' )
fi



####################################################################################################
#
# Functions
#
####################################################################################################

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Check for match in domains to check
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

function domainCheck() {
    accountDomain="${1}"
    # Escape the dots so "domain1.org" cannot match "domain1-org", anchor the
    # pattern at both ends so it cannot match "domain1.organization.net", and
    # require "@" directly before the domain so "user@mail.domain1.org" is not
    # counted. Apple IDs are e-mail addresses, so the match is case-insensitive.
    escapedDomain=$( sed 's/\./\\./g' <<< "${accountDomain}" )
    # One Apple ID per line; append each match so several accounts on the same
    # domain are all reported
    while IFS= read -r appleID; do
        if [[ -n "${appleID}" ]]; then
            RESULT+="${appleID}; "
        fi
    done < <( grep -E -i -e "^[A-Za-z0-9._%+-]+@${escapedDomain}$" <<< "${iCloudTest}" )
}



####################################################################################################
#
# Program
#
####################################################################################################

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Retrieve all iCloud accounts
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

# Only read the plist when we actually identified a user and the file exists;
# otherwise defaults(1) prints an error and the path would be /Users//Library/...
mobileMePlist="/Users/${loggedInUser}/Library/Preferences/MobileMeAccounts.plist"
iCloudTest=""
if [[ -n "${loggedInUser}" && -f "${mobileMePlist}" ]]; then
    iCloudTest=$( defaults read "${mobileMePlist}" Accounts 2>/dev/null | grep AccountID | cut -d '"' -f 2 )
fi



# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Evaluate domain-specific iCloud accounts
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

if [[ -n "${iCloudTest}" ]]; then
    for accountDomain in "${domainsToCheck[@]}"; do
        domainCheck "${accountDomain}"
    done
fi



# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# Output Results
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

if [[ -z "${RESULT}" ]]; then RESULT="None"; fi

echo "<result>${RESULT}</result>"
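The filtering step can be exercised without a Mac. The following is an added example, not code from the original post: it feeds a constructed (abbreviated, made-up) `defaults read` dump through the same parse-then-match logic and prints the Extension Attribute’s result line. The domains and Apple IDs are assumptions for the demonstration, and the comparison is deliberately an exact, case-insensitive match on the part after the “@”, so that subdomains and look-alike suffixes are not reported.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): exercises the domain-matching step
# of the Extension Attribute against constructed `defaults read` output, so the
# filter can be tested on any machine with bash 3.2+, awk, sed and tr.
# All domains, names and Apple IDs below are made up.

# Constructed (abbreviated) sample of what
#   defaults read /Users/<user>/Library/Preferences/MobileMeAccounts.plist Accounts
# prints: one dictionary per iCloud account; defaults(1) quotes the AccountID
# string because it contains "@".
sampleAccounts='(
        {
        AccountDescription = iCloud;
        AccountID = "Alice.Example@Domain1.org";
    },
        {
        AccountDescription = iCloud;
        AccountID = "bob@mail.domain1.org";
    },
        {
        AccountDescription = iCloud;
        AccountID = "carol+work@domain2.org";
    },
        {
        AccountDescription = iCloud;
        AccountID = "dave@domain1.organization.net";
    },
        {
        AccountDescription = iCloud;
        AccountID = "eve@example.com";
    }
)'

# Pull the quoted AccountID value out of each account dictionary, one per line
# (same idea as the grep | cut pipeline in the Extension Attribute).
accountIDs() {
    awk -F'"' '/AccountID = /{ print $2 }' <<< "${1}"
}

# Lower-case helper that also works on macOS's bash 3.2 (which lacks ${var,,}).
toLower() {
    tr '[:upper:]' '[:lower:]' <<< "${1}"
}

# domainAppleIDs <newline-separated Apple IDs> <domain>...
# Prints a semicolon-delimited list of the Apple IDs whose domain is exactly one
# of the given domains, or "None". Case-insensitive, and deliberately exact:
# "mail.domain1.org" and "domain1.organization.net" are not counted for
# "domain1.org", whereas a plain substring test would count both.
domainAppleIDs() {
    local ids="${1}"; shift
    local result="" appleID accountDomain wanted
    while IFS= read -r appleID; do
        if [[ -z "${appleID}" ]]; then
            continue
        fi
        accountDomain=$( toLower "${appleID##*@}" )
        for wanted in "$@"; do
            if [[ "${accountDomain}" == "$( toLower "${wanted}" )" ]]; then
                result+="${appleID}; "
                break
            fi
        done
    done <<< "${ids}"
    result="${result%; }"
    printf '%s\n' "${result:-None}"
}

# Usage, mirroring the Extension Attribute's output line
echo "<result>$( domainAppleIDs "$( accountIDs "${sampleAccounts}" )" domain1.org domain2.org domain3.org )</result>"
# → <result>Alice.Example@Domain1.org; carol+work@domain2.org</result>
```

If your federation plan treats subdomains as part of the federated domain, change the equality test to a suffix check on `.${wanted}`; keep the “@” boundary either way, or a local part such as `domain1.org@example.com` will be reported.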

Advanced Search

Use the following criteria for your Advanced Computer Search (which presumes you named your computer Extension Attribute Domain Apple IDs):

And / Or    Criteria            Operator    Value
            Domain Apple IDs    is not      None
and         Domain Apple IDs    is not      (blank)

The second criterion excludes computers that have not yet submitted inventory with the new Extension Attribute, for which the value is still empty.

Posted in Jamf Pro, Scripts, Tips & Tricks
