Let’s Get Conditional - Jamf Pro Extension Attribute for AAD ID
This is the ninth of a multi-part series about the macOS Intune and Azure AD integration for inventory data and Conditional Access with Jamf Pro.
The topic of this post is a way to display the AAD Device ID as an inventory value from an extension attribute, independent of the local user data that Jamf AAD gathers.
TL;DR: When jamfAAD runs gatherAADInfo it uses MSAL to read the login keychain and returns the AAD Device ID from the CN of the Workplace Join (WPJ) certificate on the device. However, if re-registration has occurred, an old ID can get stuck while the login keychain holds a newer record. The EA discussed here reads the CN of the WPJ certificate directly from the login keychain.
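The following script is an added example of that approach and is not the EA the post links to. It assumes, as the post states, that the WPJ certificate's subject CN is the AAD Device ID; it further assumes (not stated in the post) that the WPJ certificate's issuer CN is "MS-Organization-Access", that certificates can be listed from the login keychain with `security find-certificate` without unlocking it, and that the EA runs as root, so it looks up the console user's keychain rather than root's. Because a re-registration can leave more than one WPJ certificate in the keychain, it orders them by notBefore and reports the newest.

```bash
#!/bin/bash
# Added example, not the post's EA: report the AAD Device ID by reading the CN of the
# Workplace Join (WPJ) certificate straight from the console user's login keychain.
# Assumptions (not stated in the post): the WPJ cert is issued by the CN
# "MS-Organization-Access", its subject CN is the AAD Device ID (a GUID), and
# certificates can be listed from the login keychain without unlocking it.

WPJ_ISSUER="MS-Organization-Access"   # assumed issuer CN of the WPJ certificate

# Pull the CN out of an `openssl x509 -noout -subject|-issuer` line. Accepts both
# "subject= /CN=x/O=y" (LibreSSL on macOS) and "subject=CN = x, O = y" (OpenSSL 1.1+).
cn_from_dn() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | sed 's/[[:space:]]*$//'
}

# True when the string looks like an AAD Device ID (8-4-4-4-12 hex GUID).
is_guid() {
    printf '%s\n' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# Convert an openssl "notBefore=Mon DD HH:MM:SS YYYY GMT" value to epoch seconds
# (BSD date on macOS, GNU date elsewhere) so certificates can be ordered.
to_epoch() {
    stamp="${1#notBefore=}"
    stamp="${stamp% GMT}"
    if date -j >/dev/null 2>&1; then
        date -j -u -f '%b %e %T %Y' "$stamp" +%s
    else
        date -u -d "$stamp" +%s
    fi
}

# From "epoch<TAB>device-id" lines on stdin, print the id of the most recently
# issued certificate: after a re-registration the keychain can hold more than one
# WPJ cert, and the newest is the record the post says jamfAAD may lag behind.
pick_newest() {
    sort -k1,1n | tail -n 1 | cut -f2
}

# Enumerate WPJ certificates in a keychain file as "epoch<TAB>device-id" lines.
wpj_certs() {   # $1 = path to the keychain file
    tmp="$(mktemp -d)"
    # Dump every certificate as PEM and split the stream into one file per cert.
    security find-certificate -a -p "$1" 2>/dev/null \
        | awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----/{n++} {print > (d "/" n ".pem")}'
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || continue
        issuer="$(cn_from_dn "$(openssl x509 -in "$pem" -noout -issuer)")"
        [ "$issuer" = "$WPJ_ISSUER" ] || continue
        subject="$(cn_from_dn "$(openssl x509 -in "$pem" -noout -subject)")"
        is_guid "$subject" || continue
        printf '%s\t%s\n' "$(to_epoch "$(openssl x509 -in "$pem" -noout -startdate)")" "$subject"
    done
    rm -rf "$tmp"
}

# Jamf EA entry point: only meaningful on macOS, where the WPJ certificate lives.
if [ "$(uname)" = "Darwin" ]; then
    console_user="$(stat -f%Su /dev/console)"   # logged-in user; the EA itself runs as root
    keychain="/Users/$console_user/Library/Keychains/login.keychain-db"
    device_id="$(wpj_certs "$keychain" | pick_newest)"
    echo "<result>${device_id:-No WPJ certificate found}</result>"
fi
```

The `<result>` wrapper is what Jamf Pro expects from an EA script; everything else is plain `security`/`openssl` text handling, so the parsing pieces can be exercised on any machine while the keychain read only happens on macOS. If nobody is logged in at the console, `stat -f%Su /dev/console` returns root and the keychain path will not exist, which the script reports as no certificate found rather than an error.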
Disclaimer: Run the EA script at your own risk. Please test before deployment.
Note: The value is reported in clear text, so run this with the consent of your security officers and/or only on devices being troubleshot (for example as a one-off SSH or ARD UNIX command).
The Extension Attribute can be found here.