Skip to main content

As anyone moved between Josh's LAPS project. And the Jamf implementation of LAPS?

I've found myself in a situation where the former was implemented, and we need to move to a system with vendor support.

I'm trying to find out if it'll continue to work on the existing machines if I switch the install package policy off.

 

You can use this script to fully uninstall macOSLAPS and attempt to reset the account's password back to whatever your default in the configuration is.  I wrote it up a while back but have not done in-depth testing or production deployment with it yet.

 

#!/bin/sh # Variables ## Path to macOSLAPS binary ## LAPS=/usr/local/laps/macOSLAPS ## Path to Password File ## PW_FILE="/var/root/Library/Application Support/macOSLAPS-password" ## Local Admin Account ## LOCAL_ADMIN=$(/usr/bin/defaults read \\ "/Library/Managed Preferences/edu.psu.macoslaps.plist" LocalAdminAccount) defaultPassword=$(/usr/bin/defaults read \\ "/Library/Managed Preferences/edu.psu.macoslaps.plist" FirstPass) # Identify the location of the jamf binary for the jamf_binary variable. CheckBinary (){ # Identify location of jamf binary. jamf_binary=`/usr/bin/which jamf` if [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then jamf_binary="/usr/sbin/jamf"; elif [[ "$jamf_binary" == "" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then jamf_binary="/usr/local/bin/jamf"; elif [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then jamf_binary="/usr/local/bin/jamf"; fi } # Verify that macOSLAPS is installed. If not, exit immediately. if [ ! -e $LAPS ] then /bin/echo "macOSLAPS Not Installed" exit 0 fi CheckBinary # Reset local admin account password to a known default value ## Verify Local Admin Specified Exists ## if id "$LOCAL_ADMIN" &> /dev/null then /bin/echo "Account exists." if [ -z "$defaultPassword" ]; then echo "No default password has been specified. Skipping password reset." else echo "A default password has been specified. Reverting $LOCAL_ADMIN password to known default." ## Ask macOSLAPS to write out the current password and echo it for the Jamf EA $LAPS -getPassword > /dev/null CURRENT_PASSWORD=$( cat "$PW_FILE" ) ## Test $current_password to ensure there is a value if [ -z "$CURRENT_PASSWORD" ] then echo "No password saved in keychain. Assuming already using default." else ## Run macOSLAPS a second time to remove the password file ## and expiration date file from the system $LAPS # Change password back to default $jamf_binary changePassword -username $LOCAL_ADMIN -oldPassword $CURRENT_PASSWORD -password $defaultPassword fi fi # Account not found, no need to reset the password to a known default. else /bin/echo "Account Not Found. Skipping password reset." fi # Remove LaunchAgent if [ -e /Library/LaunchDaemons/edu.psu.macoslaps-check.plist ]; then echo "Removing LaunchAgent" rm /Library/LaunchDaemons/edu.psu.macoslaps-check.plist else echo "LaunchAgent not present" fi # Remove paths.d shortcut if [ -e /private/etc/paths.d/laps ]; then echo "Removing macOSLAPS terminal shortcut" rm /private/etc/paths.d/laps fi # Remove Main Binary and repair tool if [ -e $LAPS ]; then echo "Removing main binary and repair tool." rm -rf /usr/local/laps fi # Remove keychain entries echo "Removing macOSLAPS keychain entries" security delete-generic-password -l "macOSLAPS" /Library/Keychains/System.keychain || set t 0

 

 


@McAwesome  Thanks for that - but I'm still not up-to-date on the Jamf side.  Since these machines already ran through a prestage before Jamf laps was an option - I don't think I can enable it for them -  Any input on that side would be appreciated