
Enhancing User Mapping on macOS with Jamf

Cyberhaven provides a way to improve user mapping on macOS devices, which are commonly managed through an MDM solution such as Jamf rather than joined to a directory service like Active Directory.

If you use Apple Open Directory instead, then starting with Endpoint Sensor version 23.08 the Sensor can map endpoint users to Open Directory users based on their email address, with no MDM profile required.

To verify that a user's email address is configured in Open Directory, open Terminal and run the following command.

dscl . -read /Users/$(whoami) EMailAddress

Command output | Description
EMailAddress: foo@example.com | This user's email address is configured in Open Directory.
No such key: EMailAddress | This user's email address is not configured in Open Directory. Proceed to the following section and set up email-based user mapping using your MDM solution.
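The following script is an added example (not Cyberhaven's code) that wraps the dscl check above so it can be run from an MDM policy as well as interactively. It classifies the three outcomes of the command and resolves the account to check: when a script is pushed by an MDM it runs as root, so $(whoami) would report "root" rather than the logged-in user. The error line used for the "unexpected" case is a constructed dscl record-not-found message; the script name check_od_email.sh is an assumption.

```shell
#!/bin/sh
# Added example: decide whether the Sensor's built-in Open Directory mapping
# (Endpoint Sensor 23.08+) can apply to a user, or whether the MDM-based
# mapping from the next section is needed.

# Classify the text produced by "dscl . -read /Users/<user> EMailAddress".
# Prints the address or a status word and returns:
#   0 = EMailAddress configured, 1 = not configured, 2 = unexpected output
classify_od_email() {
    prefix="EMailAddress: "
    case "$1" in
        *"No such key: EMailAddress"*)
            echo "not-configured"; return 1 ;;
        "EMailAddress: "*)
            # dscl prints multi-valued attributes space-separated on one line;
            # report the first address only.
            addr=${1#"$prefix"}
            echo "${addr%% *}"; return 0 ;;
        *)
            # e.g. a record-not-found error from dscl, or dscl missing
            echo "unexpected"; return 2 ;;
    esac
}

# Resolve the account to check. An explicit argument wins; otherwise, when
# running as root (the usual case for MDM-deployed scripts) use the owner of
# /dev/console, which is the user logged in at the GUI; else the current user.
target_user() {
    if [ -n "$1" ]; then
        echo "$1"
    elif [ "$(id -u)" -eq 0 ]; then
        stat -f %Su /dev/console
    else
        whoami
    fi
}

main() {
    user=$(target_user "$1")
    # Capture stderr too: dscl reports errors and "No such key" there.
    output=$(dscl . -read "/Users/$user" EMailAddress 2>&1)
    result=$(classify_od_email "$output")
    status=$?
    case $status in
        0) echo "$user: EMailAddress is set in Open Directory ($result)" ;;
        1) echo "$user: no EMailAddress in Open Directory; set up email-based mapping via your MDM" ;;
        *) echo "$user: could not read the record: $output" ;;
    esac
    return $status
}

# Only run when invoked as a script named check_od_email.sh (assumed name),
# so the functions can also be sourced and reused.
case "$(basename "$0")" in
    check_od_email.sh) main "$@" ;;
esac
```

Save it as check_od_email.sh and run it with an optional account name, for example "sudo sh check_od_email.sh jdoe"; the exit status (0, 1 or 2) lets a Jamf policy or script runner branch on the result.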

Setting up email-based user mapping with Jamf

This procedure is intended for Jamf Pro instances configured to use the user's email address as the username. In that case you can use Jamf to push an email-based mapping between endpoint users and your user directory service.

The procedure requires you to create a new MDM configuration profile.

1. Log into Jamf Pro and navigate to Computers > Configuration Profiles. Click New.

2. Provide a name to identify this profile and adjust the scope of the deployment.

3. On the left navigation pane of the New Configuration Profile page, click Application & Custom Settings and then click External Applications.

4. To add Cyberhaven as an external application, click Add and select the source as Custom Schema.

5. In the Preference Domain field, enter io.cyberhaven.lightbeam.

6. Click Add Schema and add the following JSON schema.

{
"title": "Cyberhaven user mapping schema",
"description": "User mapping from Jamf to the endpoint",
"properties": {
"mdm_username": {
"title": "Username",
"description": "The Jamf device owner",
"property_order": 10,
"type": "string"
}
}
}

7. In the Preference Domain Properties section under Username, enter $EMAIL.

NOTE: Depending on your Jamf Pro setup, the $EMAIL variable may need to be replaced with $USERNAME. To check which variable holds the email address, review the computer's User and Location information in Jamf Pro.

8. Click Save.


The profile writes the mdm_username property to the managed preferences file /Library/Managed Preferences/io.cyberhaven.lightbeam.plist. The Sensor reads this value and uses it to map the endpoint user to the user in your directory service.

To verify that the configuration has been applied to the endpoint, check your MDM logs or run the following command on the endpoint.

defaults read /Library/Managed\ Preferences/io.cyberhaven.lightbeam

The output should contain the mdm_username key. The following is an example output.

{
    backend = {
        "installer_token" = "eyJ......";
        url = "https://<your-tenant>.cyberhaven.io";
    };
    "mdm_username" = "<username@your.domain>";
    version = "2.0.1";
}

User Mapping on macOS with Kandji

This article provides instructions on how to map macOS users in Kandji with Cyberhaven using a custom MDM configuration profile. Cyberhaven uses the user’s email address as a unique identifier for mapping.

Before you begin, make sure that the devices where you want to deploy the MDM configuration profile are assigned to Device Users with a registered email address.

Deploy the MDM Profile

1. Copy the following MDM configuration profile into a text editor and save it as Cyberhaven-Kandji-UserMapping.mobileconfig.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadDisplayName</key>
<string>Cyberhaven User Mapping</string>
<key>PayloadIdentifier</key>
<string>io.cyberhaven.lightbeam.66ECCE2B-09FA-4890-9A15-CF9C03803736</string>
<key>PayloadType</key>
<string>io.cyberhaven.lightbeam</string>
<key>PayloadUUID</key>
<string>66ECCE2B-09FA-4890-9A15-CF9C03803736</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>mdm_username</key>
<string>$EMAIL</string>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Cyberhaven User Mapping Profile</string>
<key>PayloadIdentifier</key>
<string>com.kandji.profile.custom.deb6d422-7700-47cb-86ca-9624ce666b37</string>
<key>PayloadScope</key>
<string>System</string>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>deb6d422-7700-47cb-86ca-9624ce666b37</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>

2. In Kandji, create a new custom profile: navigate to Library and click Add new.

3. Select Custom Profile from the options and click on Add and Configure to begin configuring the profile.

4. Give the profile a name. For example, “Cyberhaven User Mapping Profile”.

5. Under Install on, select Mac.

6. Assign the profile to the blueprints to specify the devices where you want to deploy it.

7. Upload Cyberhaven-Kandji-UserMapping.mobileconfig to the profile.

Verify User Mapping

You can verify the user mapping by reading the managed preferences .plist file on a device where the custom profile is deployed.

In a terminal window, run the following command to read the .plist file.

defaults read /Library/Managed\ Preferences/io.cyberhaven.lightbeam

The output now includes the mdm_username key, set to the device user's email address.

The following is an example of a .plist file that includes mdm_username.

{
    PayloadUUID = "deb6d422-7700-47cb-86ca-9624ce666b37";
    backend = {
        "dlp_url" = "https://test.cyberhaven.io";
        "installer_token" = "eyJhbGcviHRxNWOHzmOs6go_tw.....";
        url = "https://test.cyberhaven.io";
    };
    "mdm_username" = "clu@cyberhaven.eu";
    "use_system_extension" = 0;
    version = "2.0.5";
}
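The following script is an added example (not Cyberhaven's, Jamf's or Kandji's code) that covers the verification step of both the Jamf and the Kandji procedure above. Instead of dumping the whole domain, which also prints the installer token, it reads only mdm_username and reports whether the delivered value is usable: an email address, a plain username (typically $USERNAME where $EMAIL was meant, or a device user with no email on record), an MDM variable that was never expanded, or nothing at all. The output is wrapped in <result></result> so the script can be used unchanged as a Jamf Pro extension attribute; the "looks like an email" test is a deliberately simple heuristic and the script name check_mdm_username.sh is an assumption.

```shell
#!/bin/sh
# Added example: verify on an endpoint that the MDM profile delivered a usable
# mdm_username to the Cyberhaven managed preference domain.

PREF_DOMAIN="io.cyberhaven.lightbeam"
PREF_PATH="/Library/Managed Preferences/${PREF_DOMAIN}"

# Print the mdm_username value, or nothing (status 1) when the managed
# preference file or the key is absent (profile not installed or out of scope).
read_mdm_username() {
    [ -f "${PREF_PATH}.plist" ] || return 1
    defaults read "$PREF_PATH" mdm_username 2>/dev/null
}

# Classify the delivered value. Prints one status word:
#   email      - contains user@domain.tld; mapping can work
#   username   - no "@": profile probably uses $USERNAME, or no email on record
#   unexpanded - the MDM variable itself ($EMAIL, $USERNAME) arrived literally
#   missing    - key or plist absent
classify_mdm_username() {
    case "$1" in
        "")      echo missing ;;
        '$'*)    echo unexpanded ;;
        *@*.*)   echo email ;;
        *)       echo username ;;
    esac
}

main() {
    value=$(read_mdm_username)
    status=$(classify_mdm_username "$value")
    case $status in
        email)      echo "<result>mapped:$value</result>"; return 0 ;;
        username)   echo "<result>not-an-email:$value (check \$EMAIL vs \$USERNAME in the profile)</result>"; return 1 ;;
        unexpanded) echo "<result>variable-not-expanded:$value</result>"; return 1 ;;
        *)          echo "<result>missing</result>"; return 1 ;;
    esac
}

# Only run when invoked as a script named check_mdm_username.sh (assumed name),
# so the functions can also be sourced and reused.
case "$(basename "$0")" in
    check_mdm_username.sh) main "$@" ;;
esac
```

In Jamf Pro, paste the script into an extension attribute with the Script input type to get the mapping status into inventory for every scoped Mac; in Kandji it can run as a custom script, where the <result> wrapper is simply part of the logged output.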