Hi @perryd84 , 

Did you get chance to look on this? 

Hi @perryd84, 

Also to add to the above question - the policy which I pushed to test device id 

Hi @ClaudiaP 

So this looks like an authentication issue. I have found that sometimes if a new API account is created the password needs to be reset a couple of times before it can be used in a script. No idea why but it seems to fix this issue.

Another issue could be account permissions. Have a look at this link it details the lowest amount of permission for the API account to work.

Keep me posted how you get on.

Hi @perryd84 

Thanks heaps, I think I was missing the part about the correct account permissions and also resetting the password has fixed the problem :)

I have completed the full configuration and tested it end to end, and it's all working.

this will make the team very happy.

Thanks again 😊!!

Hi @perryd84 

Thanks heaps, I think I was missing the part about the correct account permissions and also resetting the password has fixed the problem :)

I have completed the full configuration and tested it end to end, and it's all working.

this will make the team very happy.

Thanks again 😊!!

Hi @ClaudiaP , 

Hope all well. I see it's working for you. Can you help me on below

1. How do we push LAPS package to machine? 

2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about 'Reset LAPS password policy' do we need to scope this policy only to the smart group called "LAPS Reset Password" Or with any other machine? 

Can you please explain each policy to whom to be scoped? 

3. The decrypt decoder script policy can be scoped to any helpdesk engineer so it can be scoped to only user specific or computer specific? 

4.My API account has right permission and even I reset the password. 

5.The policy which I pushed to test device the deployment is still in Pending status. Any idea why? 

Your help is appreciated here! ! 

Hi Perry, 

Thanks for all your prompt response. I appreciate your assistance. 

Quick one below

1. Do the LAPS package has to be deployed to the test machines and also if ready need to deploy to all computers right? 

2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about 'Reset APS password policy' do we need to scope this policy only to the smart group called "LAPS Reset Password"

Can you please explain each policy to whom to be scoped? 

3. The decrypt decoder script policy can be scoped to any helpdesk engineer so it can be scoped to users name or computers name? 

Your help is appreciated here! ! 

Hi @Stady 

1. Do the LAPS package has to be deployed to the test machines and also if ready need to deploy to all computers right?
Yes this needs to be deployed for the decoder app to run.

2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about 'Reset APS password policy' do we need to scope this policy only to the smart group called "LAPS Reset Password"

Can you please explain each policy to whom to be scoped? 
The policies can be scoped to "All computers" except for the decoder app which your would scope to helpdesk/admin users. The main LAPS script policy is controlled by a custom trigger so it will only ever run when this trigger is called. This would also explain why you are seeing the policy as pending as it is waiting for the custom trigger to be called.

3. The decrypt decoder script policy can be scoped to any helpdesk engineer so it can be scoped to users name or computers name?
If you have LDAP integration or have imported JAMF users then you can scope to users but most of the time its best to scope to devices.

Hope this helps?

Thanks @perryd84 

Also how about last policy Reset LAPS password policy. Whom to scope this policy? 

I've been working on a LAPS solution for macs and have created a couple of scripts to manage the cycle of the password and account creation and an app to show the password when it's needed.

Some other LAPS for mac solutions display the admin password in plain text in Jamf which is a massive security risk. My script encrypts it all and never displays the password unless you use the decryption script which you can scope to just admin users.

I've detailed the setup on my github and the scripts are there as well.
https://github.com/PezzaD84/macOSLAPS

Check it out to see if it does what you need.

Hello, 

And thank you for putting this together! I just had one quick question, in regards to the EA setup. I have created the EAs according to your instructions, however, I believe I must be missing a setup, because the fields remain blank. Is there anything that I need to be configuring within these EAs? I appreciate your time very much! :) 

Hi @Stady 

1. Do the LAPS package has to be deployed to the test machines and also if ready need to deploy to all computers right?
Yes this needs to be deployed for the decoder app to run.

2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about 'Reset APS password policy' do we need to scope this policy only to the smart group called "LAPS Reset Password"

Can you please explain each policy to whom to be scoped? 
The policies can be scoped to "All computers" except for the decoder app which your would scope to helpdesk/admin users. The main LAPS script policy is controlled by a custom trigger so it will only ever run when this trigger is called. This would also explain why you are seeing the policy as pending as it is waiting for the custom trigger to be called.

3. The decrypt decoder script policy can be scoped to any helpdesk engineer so it can be scoped to users name or computers name?
If you have LDAP integration or have imported JAMF users then you can scope to users but most of the time its best to scope to devices.

Hope this helps?

Hi @perryd84 

My policies are in pending state for more than 4 days. Can you help me out? 

Is there any logs I can check? 

Hi @Stady 

What are your current triggers and scope? Can you take a screen shot and share it here or in a message?

Hi @perryd84 

Here is the screenshots with scope and triggers, Currently no categories assigned, Do I need to assign the categories to applications or something else, Please let me know or else any other thing?

I added all the scripts and LAPS.pkg from this link

https://github.com/PezzaD84/macOSLAPS

Script also not assigned to any category it is showing None so let me know

Hi @Stady 

So if you run sudo jamf policy -event createLAPS on one of the 4 scoped devices does it run?

If so then this shows its working but the monthly trigger hasn't kicked off for some reason.

Usually I would have the custom trigger added to a build script running swiftDialog or DEPNotify which would run the initial LAPS setup when a device is first provisioned. If you don't use something like this then you can launch the policy by creating another policy which runs the custom trigger or run it manually from terminal with the command above.

Hi @perryd84 

I need to check that on one of the machine by running this command sudo jamf policy -event createLAPS

Currently no categories assigned, hope thats fine?

I have 4 machines under scope but all of them shows pending status.

How can I achieve this below? can you provide step by step instructions for the below?

Usually I would have the custom trigger added to a build script running swiftDialog or DEPNotify which would run the initial LAPS setup when a device is first provisioned. If you don't use something like this then you can launch the policy by creating another policy which runs the custom trigger or run it manually from terminal with the command above.

You could also add the enrollment trigger so that it runs at enrollment which is another way of achieving the same method of using a build script if you don't have one.

Hi @perryd84 

How do I add the enrollment trigger so that it runs at enrollment?

Under general > triggers, you need to tick "enrollment complete"

Thanks @perryd84 

I will check.

What about the categories? Do I need to assign any categories for the policies or scripts?

No categories are more for your own management to find thing and keep things neat. Nice to have I always use categories for keeping track of policies/profiles etc.

@perryd84, is there a way to use the existing management account instead of having your process create a new one?  I'd really like to utilize my account already in place but use the LAPS functionality for that account.

Hi @skinford 

The current version does not support existing local admin accounts unfortunately. A few customers are using a work around I have provided which removes the existing account and then recreates it using the LAPS script.

There is a beta version of the LAPS tool currently in testing which does take over a local admin account if specified but there are currently issues if Filevault has previously been enabled and also existing keychains.