Update User Info

The Update User Info tool identifies and validates the correct username of the currently logged-in user, leveraging various directory integrations (LDAP and Cloud Identity Providers) associated with Jamf Pro. Once a match is confirmed, this information is sent to Jamf Pro to ensure accurate user data within the system.

Quick Start

Using this example setup, the tool will check for the logged-in user's username, appends possible domains, and performs a lookup on the specified LDAP server to match the username before updating Jamf Pro. In order to set this up, you will need:

• Configuration Profile
• API Role and Client
• Policy

Example Configuration Profile

Below is a Managed PLIST that can be deployed through a Configuration Profile to the following domain: tech.rocketman.updateUserInfo

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>server</key>
    <string>ldap</string>
    <key>domains</key>
    <array>
      <string>@rocketman.tech</string>
      <string>@rocketblog.tech</string>
    </array>
    <key>ignore</key>
    <array>
      <string>breakglass</string>
      <string>commandcenter</string>
    </array>
    <key>clientId</key>
    <string>ENC:...</string>
    <key>clientSecret</key>
    <string>ENC:...</string>
  </dict>
</plist>

Example API Role and Client

Create an API Client with a Role that has the following permissions:

• Read LDAP Servers
• Update LDAP Servers
• Read Computers

Example Policy

When setting up the Launch a Tool Script in Jamf Pro, use the following script parameters:

Jamf Pro Script Parameters

When setting up the Launch a Tool Script in Jamf Pro, use the following script parameters:

• Parameter 4 (Global Options and Tool Name): UpdateUserInfo
• Parameter 5 (Tool-Specific Option): --clientId ENC:...
• Parameter 6 (Tool-Specific Option): --clientSecret ENC:...

Command Options

Required Parameters

--clientId [string]

Specifies the encrypted credentials for Jamf API authentication.

• Type: string
• Required: Depends
  • Required when --server is set to ldap, idp, or both.
  • Not required if --server none is specified.
• Example:

  --clientId "..." OR --clientId "ENC:..."

--clientSecret [string]

Specifies the encrypted credentials for Jamf API authentication.

• Type: string
• Required: Depends
  • Required when --server is set to ldap, idp, or both.
  • Not required if --server none is specified.
• Example:

  --clientSecret "..." OR --clientSecret "ENC:..."

Optional Parameters

--domain [string]

Defines the domain for configuration options, including plist configurations. Defaults to tech.rocketman.updateUserInfo.

• Type: string
• Default: tech.rocketman.updateUserInfo
• Example:

  --domain "custom.domain.updateUserInfo"

--server [ldap | idp | both | none]

Specifies the type of directory server lookup to perform before updating Jamf Pro:

• ldap – query an LDAP directory
• idp – query an Identity Provider
• both – perform both lookups in sequence
• none – skip all directory lookups and update Jamf Pro directly with the local username and full name. Default

Example:

--server none

--domains [list of strings]

A list of domains to append to the username for more accurate matching in systems where users may have multiple domain associations. This is crucial when users have email-like usernames (e.g., [email protected]).

• Type: array
• Required: No
• Example:

  --domains @rocketman.tech @support.rocketman.com

--ignore [list of strings]

Specifies local accounts (such as backdoor admin accounts) to ignore when determining the logged-in user.

• Type: array
• Example:

  --ignore admin backup

--simulate

Runs the tool in simulation mode, displaying the actions that would be performed without making any actual changes to Jamf Pro.

• Type: boolean (flag)
• Example:

  --simulate

Required API Permissions

The Jamf Pro API Roles and Clients for this tool must have the following permissions to ensure proper functionality:

• Read LDAP Servers
• Update LDAP Servers
• Read Computers

Ensure that these permissions are assigned to your API client configuration in Jamf Pro prior to executing the tool.

Examples

Example 1: Basic Update with Domain List and Server Type

rocketman UpdateUserInfo \
  --domains @rocketman.tech @anotherdomain.com \
  --server ldap \
  --clientId "..." \
  --clientSecret ...

This command attempts to resolve the logged-in user’s username by checking an LDAP server, appending each specified domain until a match is found.

Example 2: Using Both Directory Types with Simulate Mode

rocketman UpdateUserInfo \
  --domains @rocketman.tech \
  --server both \
  --clientId "..." \
  --clientSecret ... \
  --simulate

This example performs a simulated lookup on both LDAP and IDP servers, previewing changes without sending updates to Jamf Pro.

Example 3: Local Recon without API Credentials

rocketman UpdateUserInfo \
  --server none

This will bypass any directory integration and internally run:

jamf recon -endUsername <localUsername> -realname <localFullName>

to update the computer’s inventory record with the logged‑in user’s local information.

Important Notes

• Domain Cycling: Each provided domain is appended to the username in succession until a match is found. This process is repeated for each directory server (LDAP and/or IDP).

• Error Handling: If no match is found, the tool outputs a summary of all attempted username guesses and an error message.

• No Directory Integration: If --server none is used or API credentials are omitted, the tool bypasses all directory checks and runs:

  jamf recon -endUsername <localUsername> -realname <localFullName>

  to populate the Computer Inventory record directly with the local user’s name.