TheJumpCloud · gweinjc · Mar 31, 2026 · Mar 24, 2026 · Mar 24, 2026 · Mar 24, 2026
@@ -1,6 +1,6 @@
 #### Name
 
-Mac - Install and Update JumpCloud Password Manager App | v2.0.1 JCCG
+Mac - Install and Update JumpCloud Password Manager App | v2.0.2 JCCG
 
 #### commandType
 
@@ -26,6 +26,44 @@ DownloadYamlFileUrl="https://cdn.pwm.jumpcloud.com/DA/release/latest-mac.yml"
 # Detect device architecture
 DeviceArchitecture=$(uname -m)
 
+# JumpCloud managed users list (only these accounts receive install/update)
+MANAGED_USERS_FILE="/opt/jc/managedUsers.json"
+managed_usernames=()
+
+load_managed_usernames() {
+    managed_usernames=()
+    if [[ ! -f "$MANAGED_USERS_FILE" ]] || [[ ! -r "$MANAGED_USERS_FILE" ]]; then
+        echo "Error: Managed users file not found or not readable: $MANAGED_USERS_FILE" >&2
+        return 1
+    fi
+
+    if command -v jq >/dev/null 2>&1; then
+        while IFS= read -r line || [[ -n "$line" ]]; do
+            [[ -n "$line" ]] && managed_usernames+=("$line")
+        done < <(jq -r '.[] | select(.username != null and .username != "") | .username' "$MANAGED_USERS_FILE" 2>/dev/null)
+    else
+        # Fallback without jq: extract "username":"..." (does not support escaped quotes inside usernames)
+        while IFS= read -r line || [[ -n "$line" ]]; do
+            [[ -n "$line" ]] && managed_usernames+=("$line")
+        done < <(grep -oe '"username"[[:space:]]*:[[:space:]]*"[^"]*"' "$MANAGED_USERS_FILE" 2>/dev/null | sed -E 's/^"username"[[:space:]]*:[[:space:]]*"([^"]*)".*$/\1/')
+    fi
+
+    if [[ ${#managed_usernames[@]} -eq 0 ]]; then
+        echo "Error: No managed usernames could be parsed from $MANAGED_USERS_FILE" >&2
+        return 1
+    fi
+}
+
+is_managed_user() {
+    local u="$1"
+    printf '%s\n' "${managed_usernames[@]}" | grep -Fxq -- "$u"
+}
+
+list_local_users() {
+    dscl . list /Users | grep -vE 'root|daemon|nobody|^_'
+}
+
+load_managed_usernames || exit 1
 
 if [ "$DeviceArchitecture" = "arm64" ]; then
     DownloadUrl="https://cdn.pwm.jumpcloud.com/DA/release/arm64/JumpCloud-Password-Manager-latest.dmg"
@@ -95,8 +133,12 @@ LatestAppVersion=$(curl -s "$DownloadYamlFileUrl" | \
 # Array to track users who need update/reinstall
 users_need_update=()
 if [ "$UpdateToLatest" = true ]; then
-    for user in $(dscl . list /Users | grep -vE 'root|daemon|nobody|^_')
+    for user in $(list_local_users)
     do
+        if ! is_managed_user "$user"; then
+            echo "Skipping $user (not listed in $MANAGED_USERS_FILE)."
+            continue
+        fi
         APP_PATH="/Users/$user/Applications/JumpCloud Password Manager.app"
         InstalledAppVersion=$(mdls -name kMDItemVersion "$APP_PATH" 2>/dev/null | awk -F '"' '{print $2}')
         if [ -z "$InstalledAppVersion" ]; then
@@ -126,6 +168,20 @@ if [ "$UpdateToLatest" = true ] && [ ${#users_need_update[@]} -eq 0 ]; then
     exit 0
 fi
 
+if [ "$UpdateToLatest" = false ]; then
+    any_managed_home=false
+    for user in $(list_local_users); do
+        if is_managed_user "$user" && [[ -d "/Users/$user" ]]; then
+            any_managed_home=true
+            break
+        fi
+    done
+    if [ "$any_managed_home" = false ]; then
+        echo "No local accounts match managed users in $MANAGED_USERS_FILE; nothing to install."
+        exit 0
+    fi
+fi
+
 echo "Downloading JumpCloud Password Manager from $DownloadUrl"
 # Download File into Temp Folder
 curl -s -O "$DownloadUrl"
@@ -182,7 +238,7 @@ echo "Located DMG Mount Point: $DMGMountPoint"
 
 cd "$DMGVolume"
 
-AppName="$(ls | Grep .app)"
+AppName="$(ls | grep '\.app$')"
 
 cd ~
 
@@ -193,8 +249,12 @@ DMGAppPath=$(find "$DMGVolume" -name "*.app" -depth 1)
 
 userInstall=false
 
-for user in $(dscl . list /Users | grep -vE 'root|daemon|nobody|^_')
+for user in $(list_local_users)
 do
+    if ! is_managed_user "$user"; then
+        echo "Skipping $user (not listed in $MANAGED_USERS_FILE)."
+        continue
+    fi
     APP_PATH="/Users/$user/Applications/JumpCloud Password Manager.app"
     if [[ -d /Users/$user ]]; then
         # Create ~/Applications folder
@@ -254,7 +314,8 @@ echo "Used hdiutil to detach $DMGFile from $DMGMountPoint"
 
 err=$?
 if [ ${err} -ne 0 ]; then
-    abort "Could not detach DMG: $DMGMountPoint Error: ${err}"
+    echo "Could not detach DMG: $DMGMountPoint Error: ${err}" >&2
+    exit 1
 fi
 
 # Remove Temp Folder and download

@@ -1,8 +1,6 @@
 #### Name
 
-
-Windows - Install and Update JumpCloud Password Manager App | v2.0.0 JCCG
-
+Windows - Install and Update JumpCloud Password Manager App | v2.0.1 JCCG
 
 #### commandType
 
@@ -22,6 +20,13 @@ $updateToLatest = $true
 $loggedUser = Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty UserName
 $loggedUser = $loggedUser -replace '.*\\'
 
+# Get managed users list
+$managedUsers = Get-Content -Path "$env:ProgramFiles\JumpCloud\Plugins\Contrib\managedUsers.json" | ConvertFrom-Json
+if ($managedUsers.username -notcontains $loggedUser) {
+    Write-Output "User $loggedUser is not a managed user, exiting."
+    exit 1
+}
+
 # Construct the Registry path using the user's SID
 $userSID = (New-Object System.Security.Principal.NTAccount($loggedUser)).Translate([System.Security.Principal.SecurityIdentifier]).Value
 $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$userSID"
@@ -34,14 +39,12 @@ Write-Output "Logged On User Profile Path: $loggedOnUserProfileImagePath"
 $appDataPath = "$loggedOnUserProfileImagePath\AppData\Local\jcpwm"
 
 $installerURL = 'https://cdn.pwm.jumpcloud.com/DA/release/JumpCloud-Password-Manager-latest.exe'
-$yamlFileURL =  'https://cdn.pwm.jumpcloud.com/DA/release/latest.yml'
+$yamlFileURL = 'https://cdn.pwm.jumpcloud.com/DA/release/latest.yml'
 
 # If user already has the app installed and admin wants to update to latest
 if ((Test-Path "$appDataPath") -and ($updateToLatest -eq $true)) {
     $folderPrefix = "app-"
-    $versionFolders = Get-ChildItem -Path $appDataPath -Directory |
-                  Where-Object { $_.Name -like "$($folderPrefix)*" } |
-                  Sort-Object Name -Descending
+    $versionFolders = Get-ChildItem -Path $appDataPath -Directory | Where-Object { $_.Name -like "$($folderPrefix)*" } | Sort-Object Name -Descending
 
     if ($versionFolders.Count -gt 0) {
         # Get the name of the top (latest) matching folder (app-x.x.x)
@@ -60,10 +63,9 @@ if (Test-Path "$loggedOnUserProfileImagePath\AppData\Local\Temp" ) {
     $installerTempLocation = "$loggedOnUserProfileImagePath\AppData\Local\Temp\JumpCloud-Password-Manager-latest.exe"
     $yamlFileTempLocation = "$loggedOnUserProfileImagePath\AppData\Local\Temp\jcpwm-latest.yml"
     Write-Output "Installer Location: $installerTempLocation"
-}
-else {
+} else {
     Write-Output "Unable to determine user profile folder"
-    Exit 1
+    exit 1
 }
 
 if ($updateToLatest -eq $true) {
@@ -78,7 +80,7 @@ if ($updateToLatest -eq $true) {
             try {
                 Invoke-WebRequest -Uri $yamlFileURL -OutFile $yamlFileTempLocation
             } catch {
-                Write-Error "Unable to download Password Manager latest yml file to $yamlFileTempLocation."
+                Write-Output "Unable to download Password Manager latest yml file to $yamlFileTempLocation."
                 exit 1
             }
             Write-Output 'Finished downloading Password Manager installer.'
@@ -91,15 +93,15 @@ if ($updateToLatest -eq $true) {
     Write-Output "Checking for version in YAML file: $yamlFileTempLocation"
     Write-Output "Version Line: $versionLine"
     if ($versionLine) {
-    # Extract the version number from the matched line
-    # The 'Groups[1]' captures the content after 'version: '
-    [System.Version]$latestVersion = $versionLine.Matches[0].Groups[1].Value.Trim()
-    Write-Output "Latest version: $latestVersion"
-    # If the admin has previously installed the dogfood/beta version of the app for the users
-    # it might be greater than the version found under the $installerURL.
-    if ($currentInstalledAppVersion -ge $latestVersion) {
+        # Extract the version number from the matched line
+        # The 'Groups[1]' captures the content after 'version: '
+        [System.Version]$latestVersion = $versionLine.Matches[0].Groups[1].Value.Trim()
+        Write-Output "Latest version: $latestVersion"
+        # If the admin has previously installed the dogfood/beta version of the app for the users
+        # it might be greater than the version found under the $installerURL.
+        if ($currentInstalledAppVersion -ge $latestVersion) {
             Write-Output "App is already up to date, exiting."
-            Exit 0
+            exit 0
         }
     } else {
         Write-Warning "Could not find 'version' in the YAML file, falling back to full download."
@@ -120,7 +122,7 @@ if (-not(Test-Path -Path $installerTempLocation -PathType Leaf)) {
         try {
             Invoke-WebRequest -Uri $installerURL -OutFile $installerTempLocation
         } catch {
-            Write-Error "Unable to download Password Manager installer to $InstallerTempLocation."
+            Write-Output "Unable to download Password Manager installer to $installerTempLocation."
             exit 1
         }
         Write-Output 'Finished downloading Password Manager installer.'
@@ -152,7 +154,7 @@ $Command = {
     $LaunchPasswordManager = $true
     $installerTempLocation = "$loggedOnUserProfileImagePath\AppData\Local\Temp\JumpCloud-Password-Manager-latest.exe"
     if ($LaunchPasswordManager -eq $false) {
-        $env:QUIT_PWM_AFTER_INITIAL_INSTALL="true"
+        $env:QUIT_PWM_AFTER_INITIAL_INSTALL = "true"
     }
     . $installerTempLocation
 
@@ -182,7 +184,7 @@ $Command = {
         $startMenuShortcut.WorkingDirectory = "$appDataPath"
         $startMenuShortcut.Save()
         Write-Output "Start Menu Shortcut created."
-     }
+    }
 }
 
 $Source = @'