Question

Laps from Josh Miller to Jamf Laps

  • March 27, 2024
  • 2 replies
  • 67 views


Has anyone moved between Josh's LAPS project and the Jamf implementation of LAPS?

I've found myself in a situation where the former was implemented, and we need to move to a system with vendor support.

I'm trying to find out if it'll continue to work on the existing machines if I switch the install package policy off.

2 replies

  • Honored Contributor
  • March 27, 2024

You can use this script to fully uninstall macOSLAPS and attempt to reset the account's password back to whatever your default in the configuration is.  I wrote it up a while back but have not done in-depth testing or production deployment with it yet.

 

```bash
#!/bin/bash
# bash rather than sh: the script uses [[ ]] and &>

# Variables
## Path to macOSLAPS binary ##
LAPS=/usr/local/laps/macOSLAPS
## Path to Password File ##
PW_FILE="/var/root/Library/Application Support/macOSLAPS-password"
## Local Admin Account ##
LOCAL_ADMIN=$(/usr/bin/defaults read \
    "/Library/Managed Preferences/edu.psu.macoslaps.plist" LocalAdminAccount)
defaultPassword=$(/usr/bin/defaults read \
    "/Library/Managed Preferences/edu.psu.macoslaps.plist" FirstPass)

# Identify the location of the jamf binary for the jamf_binary variable.
CheckBinary () {
    # Identify location of jamf binary.
    jamf_binary=$(/usr/bin/which jamf)

    if [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ ! -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/sbin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ ! -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    elif [[ "$jamf_binary" == "" ]] && [[ -e "/usr/sbin/jamf" ]] && [[ -e "/usr/local/bin/jamf" ]]; then
        jamf_binary="/usr/local/bin/jamf"
    fi
}

# Verify that macOSLAPS is installed. If not, exit immediately.
if [ ! -e "$LAPS" ]; then
    /bin/echo "macOSLAPS Not Installed"
    exit 0
fi

CheckBinary

# Reset local admin account password to a known default value
## Verify Local Admin Specified Exists ##
if id "$LOCAL_ADMIN" &> /dev/null; then
    /bin/echo "Account exists."
    if [ -z "$defaultPassword" ]; then
        echo "No default password has been specified. Skipping password reset."
    else
        echo "A default password has been specified. Reverting $LOCAL_ADMIN password to known default."
        ## Ask macOSLAPS to write out the current password and echo it for the Jamf EA
        "$LAPS" -getPassword > /dev/null
        CURRENT_PASSWORD=$( cat "$PW_FILE" )

        ## Test $CURRENT_PASSWORD to ensure there is a value
        if [ -z "$CURRENT_PASSWORD" ]; then
            echo "No password saved in keychain. Assuming already using default."
        else
            ## Run macOSLAPS a second time to remove the password file
            ## and expiration date file from the system
            "$LAPS"

            # Change password back to default.
            # Values are quoted so passwords containing spaces or glob characters pass through intact.
            # Note: both passwords are visible in the process list while this command runs.
            "$jamf_binary" changePassword -username "$LOCAL_ADMIN" \
                -oldPassword "$CURRENT_PASSWORD" -password "$defaultPassword"
        fi
    fi
# Account not found, no need to reset the password to a known default.
else
    /bin/echo "Account Not Found. Skipping password reset."
fi

# Remove LaunchDaemon
if [ -e /Library/LaunchDaemons/edu.psu.macoslaps-check.plist ]; then
    echo "Removing LaunchDaemon"
    rm /Library/LaunchDaemons/edu.psu.macoslaps-check.plist
else
    echo "LaunchDaemon not present"
fi

# Remove paths.d shortcut
if [ -e /private/etc/paths.d/laps ]; then
    echo "Removing macOSLAPS terminal shortcut"
    rm /private/etc/paths.d/laps
fi

# Remove Main Binary and repair tool
if [ -e "$LAPS" ]; then
    echo "Removing main binary and repair tool."
    rm -rf /usr/local/laps
fi

# Remove keychain entries (ignore the error when no matching entry exists)
echo "Removing macOSLAPS keychain entries"
security delete-generic-password -l "macOSLAPS" /Library/Keychains/System.keychain || true
```
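A check that could run after the uninstall script above, for instance as a Jamf extension attribute, to confirm which macOSLAPS files are still on a machine before another LAPS mechanism is relied on. It is an added example, not part of the original replies: the file paths are the ones used in the script above, while the function names and the optional ROOT prefix argument are assumptions of this example, and the System keychain entry is not checked.

```shell
#!/bin/bash
# Added example (not from the thread): report macOSLAPS files still on disk.
# Paths come from the uninstall script above; the optional ROOT prefix argument
# is an assumption of this example so it can be pointed at a test directory.

LAPS_ARTIFACTS='/usr/local/laps
/Library/LaunchDaemons/edu.psu.macoslaps-check.plist
/private/etc/paths.d/laps
/var/root/Library/Application Support/macOSLAPS-password
/Library/Managed Preferences/edu.psu.macoslaps.plist'

# Print each artifact that still exists; return 0 only when none remain.
laps_leftovers() {
    local root="${1:-}" path found=0
    while IFS= read -r path; do
        if [ -e "${root}${path}" ]; then
            echo "$path"
            found=1
        fi
    done <<EOF
$LAPS_ARTIFACTS
EOF
    [ "$found" -eq 0 ]
}

# Format the finding the way a Jamf extension attribute reports a value.
laps_ea_result() {
    local left
    left=$(laps_leftovers "${1:-}" | paste -sd ';' -)
    if [ -z "$left" ]; then
        echo "<result>Removed</result>"
    else
        echo "<result>Present: $left</result>"
    fi
}

# Run as root: /var/root is not readable by other users.
laps_ea_result "${1:-}"
```

The managed preferences plist is read but not deleted by the uninstall script, so it stays listed (along with the `FirstPass` value it holds) until the configuration profile that delivers it is removed from the machine.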

  • Author
  • New Contributor
  • March 27, 2024

@McAwesome Thanks for that, but I'm still not up to date on the Jamf side. Since these machines already ran through a prestage before Jamf LAPS was an option, I don't think I can enable it for them. Any input on that side would be appreciated.