
This might be a stupid question but here goes.


I'm looking to use LAPS with Jamf and I can't seem to find the "ClientManagementID" for the API call.

/v2/local-admin-password/{clientManagementId}/account/{username}/password

Any help will be appreciated

Thanks in advance.

This will tell you what you need to know to find it. It takes a few steps.

How to Securely Manage Local Admin Passwords with Jamf Pro and LAPS

How do I create an Extension Attribute to populate the Mac's "managementId" so that we can view the managementId from the Mac's General view in Jamf Pro?



So we had some issues with Apple Silicon machines not liking the admin password from the LAPS feature, and these machines stopped granting volume ownership properly and are keeping us from allowing those users to perform updates (we use the erase and install script). Once I ran through the API call to reset the LAPS password on the individual machine back to what it was, the machine granted volume ownership to the standard user. Do you know of a script that's been made that does what you suggested in your great article in the last paragraph: "While Jamf Pro offers a PUT /v2/local-admin-password/{clientManagement}/set-password endpoint, it’s only available to set one computer at a time. The Jamf Pro administrator will need to create a Jamf Pro API script to set every computer password using LAPS. Only after ensuring all passwords are changed to known passwords should the administrator turn off LAPS"?

For us to move forward I would need a script to hit each machine (looking up each management ID for a smart group).



Came up with a script that can reset the LAPS passwords to a manual one scoped by a smart group.

This has alleviated the volume ownership issues we were having on Apple Silicon machines and let us set a password for the time being. Hope this helps someone else out there:


```bash
#!/bin/bash

# API USER
user="YOUR_API_USERNAME_HERE"
# API PASSWORD
pass="YOUR_API_USER_PASSWORD_HERE"
# URL (https://yourjamfserver.jamfcloud.com)
jurl="https://YOUR_JAMF_URL_HERE"
# Smart group or static group ID to get computer IDs from
groupID="YOUR_SMARTGROUP_ID_HERE"
# Define the admin user name
adminname="YOUR_ADMIN_USERNAME_HERE"
# New LAPS password to set
newPassword="YOUR_PASSWORD_HERE"

# Get Bearer token for API calls
getBearerToken() {
    response=$(curl -s -u "$user:$pass" "$jurl/api/v1/auth/token" -X POST)
    token=$(echo "$response" | plutil -extract token raw -)
    # Drop the fractional seconds so macOS date can parse the expiry timestamp
    tokenExpiration=$(echo "$response" | plutil -extract expires raw - | awk -F . '{print $1}')
    tokenExpirationEpoch=$(date -j -f "%Y-%m-%dT%T" "$tokenExpiration" +"%s")
    echo "Token acquired."
}

# Invalidate the token once done
invalidateToken() {
    curl -w "%{http_code}" -H "Authorization: Bearer $token" "$jurl/api/v1/auth/invalidate-token" -X POST -s -o /dev/null
    echo "Token invalidated."
}

# Check token expiration and get a new one if necessary
checkTokenExpiration() {
    nowEpochUTC=$(date -j -f "%Y-%m-%dT%T" "$(date -u +"%Y-%m-%dT%T")" +"%s")
    if [[ "$tokenExpirationEpoch" -gt "$nowEpochUTC" ]]; then
        echo "Token is valid."
    else
        echo "Token expired, fetching new token."
        getBearerToken
    fi
}

# Run the function to get the token
getBearerToken

# Grab all computer IDs from the group. The <id> elements are selected (not their text()
# nodes) and the tags replaced with spaces, because xmllint prints matched text nodes
# back to back with no separator, which would run the IDs together.
echo "Fetching computer IDs from group ID: $groupID"
computerids=($(curl -s "$jurl/JSSResource/computergroups/id/$groupID" \
    -H 'accept: application/xml' \
    -H "Authorization: Bearer $token" \
    | xmllint --xpath '/computer_group/computers/computer/id' - | sed 's/<[^>]*>/ /g'))
echo "Found Computer IDs: ${computerids[@]}"

# Loop through all computer IDs to look up the managementId and reset the LAPS password
for id in "${computerids[@]}"; do
    checkTokenExpiration
    # Get computer details to retrieve the managementId
    computerInfo=$(curl -s "$jurl/api/v1/computers-inventory/$id?section=GENERAL" \
        -H 'accept: application/json' \
        -H "Authorization: Bearer $token")
    # Extract the managementId using jq
    managementId=$(echo "$computerInfo" | jq -r '.general.managementId')
    if [[ -z "$managementId" || "$managementId" == "null" ]]; then
        echo "No management ID found for computer $id, skipping..."
        continue
    fi
    echo "Found Management ID: $managementId for computer $id"
    # Reset the LAPS password for the admin user using the set-password endpoint.
    # -f makes curl exit non-zero on an HTTP error so the failure message actually fires.
    curl -sf -X PUT "$jurl/api/v2/local-admin-password/$managementId/set-password" \
        -H "accept: application/json" \
        -H "Authorization: Bearer $token" \
        -H "Content-Type: application/json" \
        -d "{\"lapsUserPasswordList\": [{\"username\": \"$adminname\", \"password\": \"$newPassword\"}]}" \
        || echo "Failed to reset LAPS password for computer $id with Management ID: $managementId"
done

# Invalidate the token when done
invalidateToken
exit 0
```