Identifying which Active Directory account is logged into Enterprise Connect

As more Mac environments move away from binding Macs to Active Directory and using AD mobile accounts, and towards using local accounts in combination of tools like NoMAD and Apple’s Enterprise Connect, it’s become more challenging to identify which people are logged into which computers. While mobile Active Directory accounts will use the username and password of the person’s AD account, there is no such certainty with local user accounts.

Fortunately, my colleague Joe Chilcote recently let me know that it’s possible to query the logged-in user’s login keychain and get the username of the Active Directory account which is logged into Enterprise Connect. This can be accomplished by running the following command as the logged-in user:

/usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""

That should produce output similar to that shown below:

computername:~ username$ /usr/bin/security find-generic-password -l "Enterprise Connect" $HOME/Library/Keychains/login.keychain | awk -F "=" '/acct/ {print $2}' | tr -d "\""
AD_username_here
computername:~ username$

It’s also possible to leverage this technique to update the User and Location section of a particular computer managed by a Jamf Pro server. For more information, see below the jump.

I’ve written a script which is designed to the following:

1. Identify if Apple Enterprise Connect is installed on a particular Mac
2. If Enterprise Connect is installed, identify the username of the Active Directory account logged into Enterprise Connect.
3. Upload the username information to a Jamf Pro server and update the User and Location section of the computer’s inventory listing.

The script is available below. It is also available on Github at the following address:

https://github.com/rtrouton/rtrouton_scripts/tree/master/rtrouton_scripts/Casper_Scripts/update_jamf_pro_user_inventory_using_apple_enterprise_connect_credentials

If you want to run this script from your Jamf Pro server, it should be set up as follows:

One way to use the inventory update capability would be to set up a policy which runs the script, where the policy is triggered by a user logging in to the Mac.