authchanger

The authchanger command-line tool can be used to manipulate the authentication database used by the macOS loginwindow application. Functions include the following:

  • Determine the order of mechanism execution.

  • Enable Jamf Connect for Okta or OpenID Connect authentication with a cloud identity provider (IdP).

  • Reset the database to the default state.

  • Run a single Jamf Connect mechanism during the loginwindow process, such as the demobilize mechanism.

  • Configure Jamf Connect to run a script after the authentication process.

authchanger commands can be executed from the following file path:

/usr/local/bin/authchanger

You can use the authchanger to set up the authentication database for authentication with Jamf Connect in any of the following ways:

  • Execute authchanger commands via a postinstall script in the login window installer package.

    Note:
      • This tool must run as root to make database changes.

      • Use the -reset command before making changes to ensure the authentication database is in its default state.

  • Execute authchanger commands manually at the command line.

  • Include authchanger arguments in a configuration profile written to the com.jamf.connect.authchanger domain. Jamf Connect will look for authchanger arguments as an array of strings in the Arguments key and read them in the order in which the strings are configured, the same way they are ordered on the command line.

The Jamf Connect installer does not add any arguments to authchanger by default.

Jamf Connect will look for authchanger arguments in the following order after the login window is installed:

  1. Commands executed via the command-line. Consider the following scenarios:
    • If a command is executed with arguments, any preferences found in a configuration profile will be ignored.

    • If a command is executed without arguments, Jamf Connect will look for preferences in a configuration profile.

  2. Preferences found in a configuration profile written to com.jamf.connect.authchanger.

  3. The Identity Provider (OIDCProvider) or Auth Server (AuthServer) preferences written to the com.jamf.connect.login domain. These pass the -JamfConnect argument to automatically enable OpenID Connect or Okta authentication.

  4. If no arguments or preferences are found, the default loginwindow mechanisms will remain unchanged.

authchanger Commands

The following authchanger commands can be used:

-version
Lists the version number
-help
Lists the help statement
-reset
Resets the authentication database to macOS default settings
-JamfConnect
Enables the Jamf Connect login window
-Notify
Enables the Notify screen
-print
Lists the current authorization mechanisms
-debug
Lists any changes and their possible outcomes
-DefaultJCRight
Enables Jamf Connect Pluggable Authentication Module (PAM) authentication to be used for sudo and other system preference changes
-SysPrefs
Enables PAM authentication for changing Network settings in System Preferences
-SysPrefsReset
Disables PAM authentication for changing Network settings in System Preferences

You can also specify custom rules that determine the order that the mechanisms run:

-prelogin
Specifies the mechanism to be used before the UI displays
-preAuth
Specifies the mechanism to be used between the login UI and authentication
-postAuth
Specifies the mechanism to be used after authentication

authchanger Examples

Read the Authorization Database

Command:
authchanger -print

Description:
Displays the current authorization database settings.

Enable Jamf Connect Authentication

Command:
sudo authchanger -reset -JamfConnect

Description:
Ensures the authorization database is reset to factory defaults, and then enables Jamf Connect Login with an IdP at the loginwindow.

Run a Single Jamf Connect Login Window Mechanism

Command:
sudo authchanger -reset -preAuth JamfConnectLogin:DeMobilize,privileged

Description:
You can configure Jamf Connect Login to run a single login mechanism. This example runs only the demobilize mechanism during the loginwindow process. This allows users to log in using the default macOS login window while Jamf Connect converts the mobile account into a local account on the Mac in the background.

authchanger Configuration Profile

The following configuration profile shows how to pass arguments to authchanger:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Arguments</key>
    <array>
        <string>-reset</string>
        <string>-JamfConnect</string>
        <string>-Notify</string>
    </array>
</dict>
</plist>
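As an added example (not Jamf's code), the following Python builds the com.jamf.connect.authchanger payload from a list of authchanger arguments and checks it against the conventions described on this page before it is deployed: the Arguments key is an ordered array of strings, -reset comes first, every flag is one of the commands listed above, and each -prelogin/-preAuth/-postAuth flag is followed by a mechanism written as Plugin:Mechanism[,privileged] (the form used in the -preAuth example). The set of known flags is taken from this page's command list and is an assumption about completeness.

```python
import plistlib

# Ordering flags take a mechanism name as the next argument.
ORDER_FLAGS = {"-prelogin", "-preAuth", "-postAuth"}
# Commands as listed on this page (assumed complete for this check).
KNOWN_FLAGS = {"-version", "-help", "-reset", "-JamfConnect", "-Notify", "-print",
               "-debug", "-DefaultJCRight", "-SysPrefs", "-SysPrefsReset"} | ORDER_FLAGS


def build_profile(arguments):
    """Serialize the argument list as the Arguments array of an XML plist payload."""
    return plistlib.dumps({"Arguments": list(arguments)}, fmt=plistlib.FMT_XML)


def load_arguments(plist_bytes):
    """Parse a payload and return its Arguments list (None if the key is missing)."""
    return plistlib.loads(plist_bytes).get("Arguments")


def check_arguments(plist_bytes):
    """Return a list of problems found in an authchanger payload; empty means OK."""
    args = load_arguments(plist_bytes)
    if not isinstance(args, list) or not all(isinstance(a, str) for a in args):
        return ["Arguments must be an array of strings"]
    if not args:
        return ["Arguments is empty"]
    problems = []
    if args[0] != "-reset":
        problems.append("first argument should be -reset")
    i = 0
    while i < len(args):
        flag = args[i]
        if flag in ORDER_FLAGS:
            value = args[i + 1] if i + 1 < len(args) else None
            if value is None or value.startswith("-"):
                problems.append(f"{flag} needs a mechanism name after it")
            else:
                if ":" not in value:  # expected Plugin:Mechanism[,privileged]
                    problems.append(f"{flag} mechanism {value!r} is not Plugin:Mechanism")
                i += 1  # the mechanism value has been consumed
        elif flag not in KNOWN_FLAGS:
            problems.append(f"unknown argument {flag}")
        i += 1
    return problems


if __name__ == "__main__":
    payload = build_profile(["-reset", "-JamfConnect", "-Notify"])
    print(payload.decode())
    print("problems:", check_arguments(payload))
```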