Update User Info - Rocketman-Tech/rcc GitHub Wiki
The Update User Info tool identifies and validates the correct username of the currently logged-in user, leveraging various directory integrations (LDAP and Cloud Identity Providers) associated with Jamf Pro. Once a match is confirmed, this information is sent to Jamf Pro to ensure accurate user data within the system.
In this example setup, the tool takes the logged-in user's username, appends each candidate domain in turn, and looks the result up on the specified LDAP server until it finds a match; the matched user is then written to Jamf Pro. To set this up you will need:
- Configuration Profile
- API Role and Client
- Policy
Below is a managed plist that can be deployed through a Configuration Profile to the preference domain `tech.rocketman.updateUserInfo`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>server</key>
    <string>ldap</string>
    <key>domains</key>
    <array>
        <string>@rocketman.tech</string>
        <string>@rocketblog.tech</string>
    </array>
    <key>ignore</key>
    <array>
        <string>breakglass</string>
        <string>commandcenter</string>
    </array>
</dict>
</plist>
```
Create an API Client with a Role that has the following permissions:
- Read LDAP Servers
- Update LDAP Servers
- Read Computers
When setting up the Launch a Tool Script in Jamf Pro, use the following script parameters:

- Parameter 4 (Global Options and Tool Name): `UpdateUserInfo`
- Parameter 5 (Tool-Specific Option): `--clientId YOUR_CLIENT_ID`
- Parameter 6 (Tool-Specific Option): `--clientSecret YOUR_CLIENT_SECRET`

IMPORTANT: Never include sensitive information such as `clientId` or `clientSecret` in the configuration profile, as managed preferences are stored on disk in plaintext. Always place this data in Jamf Pro's script parameter fields. Script parameters are still delivered to the Mac as command-line arguments to the script, so keep the API Role limited to the permissions listed above and rotate the client secret if it is ever exposed.
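The following shell script is an added example, not part of the rcc project or this wiki. It checks a managed preference plist for the `tech.rocketman.updateUserInfo` domain before you put it into a Configuration Profile: it reads back the `server`, `domains` and `ignore` keys and rejects any profile that carries a `clientId` or `clientSecret` key, the mistake the warning above describes. The plist parser is a deliberately simple line-oriented one that assumes the one-element-per-line layout used above; the two sample plists it writes to a scratch directory are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the rcc project: sanity-check a managed preference
# plist for tech.rocketman.updateUserInfo before it goes into a Configuration
# Profile. It pulls out the keys the tool reads (server, domains, ignore) and
# rejects any profile that carries clientId/clientSecret, because managed
# preferences land on disk in plaintext. The parser assumes the one-element-
# per-line layout used in the plist above (constructed sample files below).

# Print the <string> that directly follows <key>$2</key> in plist $1.
plist_string() {
    awk -v key="$2" '
        $0 ~ ("<key>" key "</key>") { want = 1; next }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
    ' "$1"
}

# Print every <string> inside the <array> that follows <key>$2</key>, one per line.
plist_array() {
    awk -v key="$2" '
        $0 ~ ("<key>" key "</key>") { want = 1; next }
        want && /<\/array>/ { exit }
        want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print }
    ' "$1"
}

# 0 when the value is one the --server option accepts, 1 otherwise.
valid_server() {
    case "$1" in ldap|idp|both|none) return 0 ;; *) return 1 ;; esac
}

# 1 when the profile carries API credentials that belong in script parameters.
no_secrets_in_profile() {
    if grep -Eq '<key>(clientId|clientSecret)</key>' "$1"; then
        echo "REJECT $1: API credentials in a managed preference are stored in plaintext" >&2
        return 1
    fi
    return 0
}

# Full audit: 0 when the profile is deployable, 1 otherwise. Prints what it found.
audit_profile() {
    server=$(plist_string "$1" server)
    valid_server "$server" || { echo "REJECT $1: bad server value '$server'" >&2; return 1; }
    no_secrets_in_profile "$1" || return 1
    domains=$(plist_array "$1" domains | tr '\n' ' ' | sed 's/ $//')
    ignore=$(plist_array "$1" ignore | tr '\n' ' ' | sed 's/ $//')
    echo "OK $1: server=$server domains=[$domains] ignore=[$ignore]"
}

# Constructed sample profiles (not real deployments) in a scratch directory.
SCRATCH=$(mktemp -d)
GOOD_PLIST="$SCRATCH/good.plist"
BAD_PLIST="$SCRATCH/bad.plist"
cat > "$GOOD_PLIST" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>server</key>
    <string>ldap</string>
    <key>domains</key>
    <array>
        <string>@rocketman.tech</string>
        <string>@rocketblog.tech</string>
    </array>
    <key>ignore</key>
    <array>
        <string>breakglass</string>
        <string>commandcenter</string>
    </array>
</dict>
</plist>
EOF
# Same profile with the mistake the wiki warns against: a secret baked in.
{ sed '/<\/dict>/,$d' "$GOOD_PLIST"
  printf '    <key>clientSecret</key>\n    <string>not-so-secret</string>\n</dict>\n</plist>\n'; } > "$BAD_PLIST"

audit_profile "$GOOD_PLIST"
audit_profile "$BAD_PLIST" || echo "bad profile rejected as expected"
```

Run it against the plist you are about to upload (swap the constructed `GOOD_PLIST` for your file) and only deploy on an `OK` line; the secret check is a substring grep, so it also catches a credential hidden under a misspelled or nested key as long as the key name is one of the two the tool uses.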
### `--clientId`

Provides the Jamf API Client ID required to authenticate with the Jamf Pro API when performing directory lookups.

- Type: string
- Required: Depends
  - Required when `--server` is set to `ldap`, `idp`, or `both`.
  - Not required if `--server none` is specified.
- Example: `--clientId "yourClientId"`
### `--clientSecret`

Supplies the Jamf API Client Secret for authentication, used in conjunction with `--clientId`.

- Type: string
- Required: Depends
  - Required when `--server` is set to `ldap`, `idp`, or `both`.
  - Not required if `--server none` is specified.
- Example: `--clientSecret "yourClientSecret"`
### `--domain`

Defines the preference domain the tool reads its configuration options (including the managed plist) from. Defaults to `tech.rocketman.updateUserInfo`.

- Type: string
- Default: `tech.rocketman.updateUserInfo`
- Example: `--domain "custom.domain.updateUserInfo"`
### `--server`

Specifies the type of directory server lookup to perform before updating Jamf Pro:

- `ldap` – query an LDAP directory
- `idp` – query an Identity Provider
- `both` – perform both lookups in sequence
- `none` – skip all directory lookups and update Jamf Pro directly with the local username and full name

Example: `rocketman UpdateUserInfo --server none`
### `--domains`

A list of domains to append to the username for more accurate matching in systems where users may have multiple domain associations. This is crucial when directory usernames are email-like (the bare local name plus an `@domain` suffix) while the local account name carries no domain.

- Type: array
- Required: No
- Example: `--domains @rocketman.tech @support.rocketman.com`
### `--ignore`

Specifies local accounts (such as break-glass or backdoor admin accounts) to ignore when determining the logged-in user.

- Type: array
- Example: `--ignore admin backup`
### `--simulate`

Runs the tool in simulation mode, displaying the actions that would be performed without making any actual changes to Jamf Pro.

- Type: boolean (flag)
- Example: `--simulate`
The Jamf Pro API Roles and Clients for this tool must have the following permissions to ensure proper functionality:
- Read LDAP Servers
- Update LDAP Servers
- Read Computers
Ensure that these permissions are assigned to your API client configuration in Jamf Pro prior to executing the tool.
```sh
rocketman UpdateUserInfo \
  --domains @rocketman.tech @anotherdomain.com \
  --server ldap \
  --clientId "yourClientId" \
  --clientSecret "yourClientSecret"
```

This command attempts to resolve the logged-in user's username by checking an LDAP server, appending each specified domain in turn until a match is found.

```sh
rocketman UpdateUserInfo \
  --domains @rocketman.tech \
  --server both \
  --clientId "yourClientId" \
  --clientSecret "yourClientSecret" \
  --simulate
```

This example performs a simulated lookup on both the LDAP and IdP servers, previewing the changes without sending any updates to Jamf Pro.

```sh
rocketman UpdateUserInfo \
  --server none
```

This bypasses any directory integration and internally runs:

```sh
jamf recon -endUsername <localUsername> -realname <localFullName>
```

to update the computer's inventory record with the logged-in user's local information.
- Domain Cycling: Each provided domain is appended to the username in succession until a match is found. This process is repeated for each directory server (LDAP and/or IdP).
- Error Handling: If no match is found, the tool outputs a summary of all attempted username guesses and an error message.
- No Directory Integration: If `--server none` is used or API credentials are omitted, the tool bypasses all directory checks and runs `jamf recon -endUsername <localUsername> -realname <localFullName>` to populate the Computer Inventory record directly with the local user's name.
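As an added example (not the rcc tool's own code), the following shell script implements the resolution loop these notes describe: for each server in order, try the username with each domain appended until a lookup succeeds, honour the `--ignore` list, and on failure print every guess that was tried. It assumes the bare local username is tried before any domain is appended, which the page does not state; the directory itself is a constructed in-memory table so the script runs offline, whereas the real tool queries LDAP or the IdP through the Jamf Pro API.

```sh
#!/bin/sh
# Added example, not the rcc project's code: the username-resolution loop the
# notes above describe (bare name first, then name+each domain, per server in
# order), the ignore list, and the failure summary. Trying the bare name first
# is an assumption; the wiki only describes appending domains. A constructed
# in-memory table stands in for the LDAP/IdP lookups so the script runs
# offline; the real tool queries those directories through the Jamf Pro API.

# Constructed directory contents: one "username:full name" record per line.
DIRECTORY='jsmith@rocketman.tech:Jane Smith
ops@rocketblog.tech:Ops Team'

# Lookup stand-in for one server ($1 = ldap|idp, kept for symmetry with real
# per-server lookups; both servers share the constructed table here). Prints the
# full name and returns 0 when candidate $2 exists, 1 otherwise.
directory_lookup() {
    printf '%s\n' "$DIRECTORY" |
        awk -F: -v u="$2" '$1 == u { print $2; found = 1 } END { exit !found }'
}

# 0 when $1 is on the ignore list ($2...), e.g. break-glass admin accounts.
is_ignored() {
    ig_user="$1"; shift
    for ig_skip in "$@"; do
        [ "$ig_user" = "$ig_skip" ] && return 0
    done
    return 1
}

# Resolve $1 via server mode $2 (ldap|idp|both|none) using the space-separated
# domain list $3. Prints "server<TAB>matched username<TAB>full name" and returns
# 0 on the first hit; on failure lists every guess on stderr and returns 1.
resolve_user() {
    rs_user="$1"; rs_mode="$2"; rs_domains="$3"; rs_tried=""
    case "$rs_mode" in
        ldap|idp) rs_servers="$rs_mode" ;;
        both)     rs_servers="ldap idp" ;;
        none)     printf 'none\t%s\t\n' "$rs_user"; return 0 ;;  # no lookup at all
        *)        echo "unknown --server value: $rs_mode" >&2; return 2 ;;
    esac
    for rs_server in $rs_servers; do
        for rs_suffix in "" $rs_domains; do
            rs_candidate="$rs_user$rs_suffix"
            rs_tried="$rs_tried $rs_server:$rs_candidate"
            if rs_name=$(directory_lookup "$rs_server" "$rs_candidate"); then
                printf '%s\t%s\t%s\n' "$rs_server" "$rs_candidate" "$rs_name"
                return 0
            fi
        done
    done
    echo "No directory match for '$rs_user'. Tried:$rs_tried" >&2
    return 1
}

# Demo run over the constructed table (output is informational only).
for demo in jsmith ops breakglass nobody; do
    if is_ignored "$demo" breakglass commandcenter; then
        echo "skipping ignored account $demo"
    elif result=$(resolve_user "$demo" both "@rocketman.tech @rocketblog.tech"); then
        echo "match: $result"
    else
        echo "no match for $demo (guesses listed above)"
    fi
done
```

With `both`, `ops` is found only on the third LDAP guess (`ops@rocketblog.tech`), so the IdP is never consulted; `nobody` exhausts both servers and the stderr summary lists all six guesses, which is the output to read when a real run reports no match.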