Enhancing User Mapping on macOS with Jamf
Cyberhaven provides a way to improve user mapping on macOS devices, which are commonly managed through MDM solutions such as Jamf rather than joined to a directory service such as Active Directory.
If you are using Apple Open Directory, then starting with Endpoint Sensor version 23.08 the Sensor can map endpoint users to Open Directory users based on their email address.
To verify that a user's email address is set in Open Directory, open Terminal and run the following command (the `.` node is the local directory; for accounts served from a network Open Directory node, query the search path with `dscl /Search -read /Users/<name> EMailAddress` instead):

```bash
dscl . -read /Users/$(whoami) EMailAddress
```

| Command output | Description |
|---|---|
| `EMailAddress: foo@example.com` | This user's email address is configured in Open Directory. |
| `No such key: EMailAddress` | This user's email address is not configured in Open Directory. Proceed to the following section and set up email-based user mapping using your MDM solution. |
Setting up email-based user mapping with Jamf
This approach is recommended when Jamf is configured to use users' email addresses as the username. In that case you can use Jamf to push an email-based mapping between endpoint users and your user directory service.
The solution requires you to create a new MDM configuration profile.
Create a new Jamf profile
Log into Jamf Pro and navigate to Computers > Configuration Profiles. Click New.
Provide a name to identify this profile and adjust the scope of the deployment.
On the left navigation pane of the New Configuration Profile page, click Application & Custom Settings and then click External Applications.
To add Cyberhaven as an external application, click Add and select Custom Schema as the source.
In the Preference Domain field, enter io.cyberhaven.lightbeam.
Click Add Schema and paste the following JSON schema.
```json
{
  "title": "Cyberhaven user mapping schema",
  "description": "User mapping from Jamf to the endpoint",
  "properties": {
    "mdm_username": {
      "title": "Username",
      "description": "The Jamf device owner",
      "property_order": 10,
      "type": "string"
    }
  }
}
```

In the Preference Domain Properties section, under Username, enter $EMAIL.
Note: Depending on your Jamf setup, the $EMAIL variable may need to be changed to $USERNAME. To check which variable holds the user's email address, review the computer's "User and Location" information in Jamf Pro.
Click Save.
When the custom schema is saved, the following screen is displayed.
The profile writes the mdm_username key into the managed preferences plist for the io.cyberhaven.lightbeam domain (/Library/Managed Preferences/io.cyberhaven.lightbeam.plist). The Sensor reads this value and maps the endpoint user to the matching user in the directory service.
To verify that the configuration has been applied to the endpoint, check your MDM logs or run the following command on the endpoint:

```bash
defaults read /Library/Managed\ Preferences/io.cyberhaven.lightbeam
```

The output should contain the mdm_username key. The following is an example output:

```
{
    backend =     {
        "installer_token" = "eyJ......";
        url = "https://<your-tenant>.cyberhaven.io";
    };
    "mdm_username" = "<username@your.domain>";
    version = "2.0.1";
}
```
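Checking one Mac by hand does not tell you which machines in the fleet are still unmapped. The script below is an added example, not code from Cyberhaven or from this page: a Jamf Pro Extension Attribute that parses the `defaults read` output shown above, reports the mapped email (or why there is none), and falls back to the Open Directory check from the first section for the user at the console. The preference domain and the mdm_username key come from the page; the result labels (`OK:`, `OD:`, `BAD_FORMAT:`, `MISSING`), the `stat -f %Su /dev/console` lookup of the console user and the constructed sample output are my own assumptions. Using `BAD_FORMAT` lets you catch the $EMAIL/$USERNAME mix-up described in the note above, where the key is present but holds a short name instead of an email.

```shell
#!/bin/bash
# Added example (not from the Cyberhaven page or Jamf): a Jamf Pro Extension
# Attribute that reports the Cyberhaven user mapping in effect on a Mac, so a
# Smart Group can target devices where the profile has not landed or holds a
# non-email value. Assumed result labels: OK:<email>, OD:<email>,
# BAD_FORMAT:<value>, MISSING.

PREF_DOMAIN="/Library/Managed Preferences/io.cyberhaven.lightbeam"

# Pull the mdm_username value out of `defaults read` output read from stdin.
# defaults(1) quotes keys/values containing characters like _ @ . so the
# regex accepts both quoted and unquoted forms.
extract_mdm_username() {
    sed -n 's/^[[:space:]]*"\{0,1\}mdm_username"\{0,1\}[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*$/\1/p' | head -n 1
}

# A mapping value must look like user@domain.tld; anything else means the
# profile was filled from the wrong Jamf variable ($USERNAME vs $EMAIL).
looks_like_email() {
    printf '%s' "$1" | grep -Eq '^[^[:space:]@]+@[^[:space:]@]+\.[^[:space:]@]+$'
}

# Classify a parsed value into one of the assumed result labels.
classify_mapping() {
    value="$1"
    if [ -z "$value" ]; then
        printf 'MISSING'
    elif looks_like_email "$value"; then
        printf 'OK:%s' "$value"
    else
        printf 'BAD_FORMAT:%s' "$value"
    fi
}

# Open Directory fallback from the first section. EAs run as root, so `whoami`
# would be wrong; the console owner is taken from /dev/console (macOS idiom).
od_email() {
    command -v dscl >/dev/null 2>&1 || return 1
    user=$(stat -f %Su /dev/console 2>/dev/null) || return 1
    dscl . -read "/Users/$user" EMailAddress 2>/dev/null \
        | awk '/^EMailAddress:/ { print $2; exit }'
}

# Live status of this machine. On a host without defaults(1) (e.g. when this
# file is run on Linux) the managed preference is treated as absent.
live_status() {
    value=""
    if command -v defaults >/dev/null 2>&1; then
        value=$(defaults read "$PREF_DOMAIN" 2>/dev/null | extract_mdm_username)
    fi
    if [ -z "$value" ]; then
        od=$(od_email) || od=""
        if [ -n "$od" ]; then
            printf 'OD:%s' "$od"
            return 0
        fi
    fi
    classify_mapping "$value"
}

# Constructed sample shaped like the page's example output (not real data).
SAMPLE_OUTPUT='{
    backend =     {
        "installer_token" = "eyJ......";
        url = "https://example-tenant.cyberhaven.io";
    };
    "mdm_username" = "jane.doe@example.com";
    version = "2.0.1";
}'

# Jamf collects whatever is inside the <result> tag as the attribute value.
echo "<result>$(live_status)</result>"
```

Deploy it under Settings > Computer Management > Extension Attributes with input type Script, then build a Smart Group on the attribute matching `MISSING` or starting with `BAD_FORMAT:` and scope a remediation policy (or a re-push of the configuration profile) to that group.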