authchanger
The authchanger binary can be used to manipulate the authentication database used by the loginwindow application. Functions include the following:
- Determine the order of mechanism execution
- Enable Jamf Connect Login for Okta or OpenID Connect (OIDC) identity providers (IdPs)
- Reset the database to the default state
- Run a single Jamf Connect Login mechanism during the loginwindow process
authchanger is installed by the Jamf Connect Login installation package in the following location:
/Library/Security/SecurityAgentPlugins/JamfConnectLogin.bundle/Contents/MacOS/authchanger
The postinstall script in the package then uses it to set up the database for authentication. This tool must run as root.
Note: Use the -reset command before making changes to ensure the authentication database is in its default setting.
Commands
The following authchanger commands can be used:
| Command | Description |
| --- | --- |
| -version | Lists the version number |
| -help | Lists the help statement |
| -reset | Resets the authentication database to macOS default settings |
| -Okta | Enables Jamf Connect Login with Okta |
| -OIDC | Enables Jamf Connect Login with OpenID Connect IdPs |
| -print | Lists the current authorization mechanisms |
| -debug | Lists any changes and their possible outcomes |
| -DefaultJCRight | Enables Jamf Connect authentication to be used for sudo and other system preference changes |
You can also specify custom rules:
| Command | Description |
| --- | --- |
| -prelogin | Specifies the mechanism to be used before the UI displays |
| -preAuth | Specifies the mechanism to be used between the login UI and authentication |
| -postAuth | Specifies the mechanism to be used after authentication |
Examples
Consider the following commonly used authchanger commands:
| Command | Description |
| --- | --- |
| sudo authchanger -print | Read the Authorization Database: Displays the current authorization database settings. |
| sudo authchanger -reset -OIDC | Disable Jamf Connect Authentication: Ensures the authorization database is reset to factory defaults, and then enables Jamf Connect Login with OpenID Connect IdPs with the loginwindow. |
| sudo authchanger -reset -preAuth JamfConnectLogin:DeMobilize,privileged | Run a Single Jamf Connect Login Mechanism: You can configure Jamf Connect Login to run a single login mechanism. This example runs only the "DeMobilize" mechanism during the loginwindow process. This allows users to log in using the default macOS login window while Jamf Connect converts the mobile account into a local account on the Mac in the background. |
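A read-only check for the single-mechanism example above, added here as an illustration and not part of Jamf's documentation or tooling: it parses the system.login.console right as exported by `security authorizationdb read system.login.console`, reports which phase each JamfConnectLogin mechanism sits in, and flags plugins outside an allowlist. The allowlist, the two anchor mechanisms used to tell the phases apart, and the sample data are assumptions made for this example.

```python
import plistlib

# Assumed names: plugins Apple ships in the loginwindow chain, plus the page's Jamf plugin.
ALLOWED_PLUGINS = {"builtin", "loginwindow", "HomeDirMechanism", "MCXMechanism",
                   "PKINITMechanism", "CryptoTokenKit", "JamfConnectLogin"}
# Assumed anchors for the phases the page names: login UI and system authentication.
UI_ANCHOR, AUTH_ANCHOR = "loginwindow:login", "builtin:authenticate,privileged"

def parse_mechanism(entry):
    """Split 'Plugin:Mechanism,privileged' into (plugin, mechanism, privileged)."""
    name, _, flag = entry.partition(",")
    plugin, _, mechanism = name.partition(":")
    return plugin, mechanism, flag.strip() == "privileged"

def phase_of(index, mechanisms):
    """Name the slot a mechanism occupies relative to the two anchors."""
    if UI_ANCHOR not in mechanisms or AUTH_ANCHOR not in mechanisms:
        return "unknown"  # anchors replaced, e.g. by a full Jamf Connect login UI
    if index < mechanisms.index(UI_ANCHOR):
        return "prelogin"
    return "preAuth" if index < mechanisms.index(AUTH_ANCHOR) else "postAuth"

def audit_right(plist_bytes, allowed=ALLOWED_PLUGINS):
    """Return (phase of each JamfConnectLogin mechanism, findings for other entries)."""
    mechanisms = plistlib.loads(plist_bytes).get("mechanisms", [])
    placements, findings = {}, []
    for index, entry in enumerate(mechanisms):
        plugin, mechanism, privileged = parse_mechanism(entry)
        if not plugin or not mechanism:
            findings.append((index, entry, "malformed entry"))
        elif plugin not in allowed:
            kind = "unexpected privileged plugin" if privileged else "unexpected plugin"
            findings.append((index, entry, kind))
        elif plugin == "JamfConnectLogin":
            placements[entry] = phase_of(index, mechanisms)
    return placements, findings

# Constructed sample shaped like `security authorizationdb read system.login.console`
# output after the page's single-mechanism example; "ExamplePlugin" is made up.
SAMPLE = plistlib.dumps({"class": "evaluate-mechanisms", "mechanisms": [
    "builtin:policy-banner", "loginwindow:login",
    "JamfConnectLogin:DeMobilize,privileged", "builtin:login-begin",
    "builtin:authenticate,privileged", "ExamplePlugin:hook,privileged",
    "loginwindow:done"]})

if __name__ == "__main__":
    print(audit_right(SAMPLE))
```

On a managed Mac, the same function can be fed the bytes captured from the `security` command before and after an authchanger run to confirm that only the intended mechanism changed.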
Related Information
For related information about adding non-default mechanisms to Jamf Connect Login, see Additional Login Settings.