Before enabling a new identity provider with Jamf Pro, all previous IdP information must be removed from your computers. You can remove it by running a script locally on each computer or by uploading the script to Jamf Pro and running it with a policy.
Requirements
Using your MDM solution, delete all .mobileconfig files for Jamf Connect from your organization's devices. If you are using Jamf Pro, these can be deleted by removing the devices from the Scope of your configuration profile. See Computer Configuration Profiles in the Jamf Pro Documentation.
In Jamf Pro, click Settings in the sidebar.
In the Computer management section, click Scripts .
Click New.
Use the General pane to configure basic settings for the script, including the display name and category.
Click the Script tab and enter the following script, which removes the identity provider attributes from every local user account that Jamf Connect has previously migrated.
#!/bin/bash
# Unmigrate all users from Jamf Connect.
# Directory Services writes require root; Jamf Pro policies run scripts as root.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must run as root." >&2
    exit 1
fi

# Iterate over all users that have a password on this machine. This excludes
# service accounts (whose Password attribute is "*") but still includes
# _mbsetupuser and the Jamf management account; the NetworkUser check below
# leaves any account without IdP attributes untouched.
for user in $(/usr/bin/dscl . list /Users Password | /usr/bin/awk '$2 != "*" {print $1}'); do
    # A user record that carries the "NetworkUser" attribute belongs to a Jamf Connect user.
    MIGRATESTATUS=$(/usr/bin/dscl . -read "/Users/$user" | /usr/bin/grep "NetworkUser: " | /usr/bin/awk '{print $2}')

    # No result means the attribute is absent, so this is not a Jamf Connect Login user.
    if [[ -z "$MIGRATESTATUS" ]]; then
        echo "$user is Not a Jamf Connect User"
    else
        echo "Removing IdP attributes from $user"
        # Not every attribute exists on every user (an Okta user has no AzureUser
        # attribute, for example); dscl reports an error for a missing attribute
        # and the remaining deletes still run.
        /usr/bin/dscl . delete "/Users/$user" dsAttrTypeStandard:NetworkUser
        /usr/bin/dscl . delete "/Users/$user" dsAttrTypeStandard:OIDCProvider
        /usr/bin/dscl . delete "/Users/$user" dsAttrTypeStandard:OktaUser
        /usr/bin/dscl . delete "/Users/$user" dsAttrTypeStandard:AzureUser
    fi
done
Run the script using a new or existing Jamf Pro policy.
Create or edit a policy.
Click Configure.
Click Add for the script you want to run.
Click Save.
Once the policy has run, all previous IdP attributes have been removed from the users on your computers, and the Jamf Connect login window stays disabled until you configure the new identity provider.
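A post-run check is worth deploying as a second policy script before you enable the new identity provider, so that a computer the policy missed (offline at the time, or a user created after it ran) does not keep stale Okta or Azure attributes. The script below is an added example, not part of Jamf's documentation or the script above. It mirrors the attribute list and the user filter of the unmigration script; the function names (leftover_idp_attrs, local_password_users, check_all_users) and the handling of a dsAttrTypeNative: prefix are this example's own assumptions. A non-zero exit shows up as a failed policy in the Jamf Pro log for that computer.

```shell
#!/bin/bash
# Added verification example (not Jamf's script): confirm no local user still
# carries Jamf Connect IdP attributes after the unmigration policy has run.
# Run as root from a Jamf Pro policy; a non-zero exit flags leftovers in the policy log.
# Attribute list and user filter mirror the unmigration script; function names
# and the dsAttrTypeNative: handling are this example's own assumptions.

IDP_ATTRS="NetworkUser OIDCProvider OktaUser AzureUser"

# Read one dscl user record on stdin and print, space-separated, the IdP
# attribute names it still carries (empty output means the record is clean).
# Kept separate from dscl itself so it can be exercised on captured record text.
leftover_idp_attrs() {
    record="$(cat)"
    found=""
    for attr in $IDP_ATTRS; do
        # dscl prints "Name: value"; a native attribute may carry a dsAttrTypeNative: prefix.
        if printf '%s\n' "$record" | grep -Eq "^(dsAttrTypeNative:)?${attr}: "; then
            found="${found:+$found }$attr"
        fi
    done
    printf '%s\n' "$found"
}

# Local accounts with a real password hash: the same filter the unmigration script uses.
local_password_users() {
    /usr/bin/dscl . list /Users Password | /usr/bin/awk '$2 != "*" {print $1}'
}

# Check every local user; return 0 when all are clean, 1 when any attribute remains.
check_all_users() {
    rc=0
    for user in $(local_password_users); do
        leftover="$(/usr/bin/dscl . -read "/Users/$user" 2>/dev/null | leftover_idp_attrs)"
        if [ -n "$leftover" ]; then
            echo "$user still has: $leftover"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "No Jamf Connect IdP attributes remain."
    return "$rc"
}

# Only query Directory Services where dscl exists (macOS); elsewhere the
# functions above are merely defined so the parsing can be tested offline.
if [ -x /usr/bin/dscl ]; then
    check_all_users
    exit $?
fi
```

Scope the check policy to the same computers as the unmigration policy and set it to run once per computer; any computer that reports a leftover can simply be re-added to the unmigration policy's scope.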