Hi @perryd84,
Did you get a chance to look at this?
Hi @perryd84,
Also, to add to the above question: for the policy which I pushed to the test device, the deployment is still in Pending status. Any idea why?
Hi @ClaudiaP,
So this looks like an authentication issue. I have found that sometimes, if a new API account is created, the password needs to be reset a couple of times before it can be used in a script. No idea why, but it seems to fix this issue.
Another issue could be account permissions. Have a look at this link; it details the minimum permissions needed for the API account to work.
Keep me posted on how you get on.
Hi @perryd84,
Thanks heaps, I think I was missing the part about the correct account permissions, and also resetting the password has fixed the problem :)
I have completed the full configuration and tested it end to end, and it's all working.
This will make the team very happy.
Thanks again 😊!!
Hi @ClaudiaP,
Hope all is well. I see it's working for you. Can you help me with the below?
1. How do we push the LAPS package to a machine?
2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about the 'Reset LAPS password' policy: do we need to scope this policy only to the smart group called "LAPS Reset Password", or to any other machines as well?
Can you please explain to whom each policy should be scoped?
3. The decrypt decoder script policy can be scoped to any helpdesk engineer, so can it be scoped only to specific users or specific computers?
4. My API account has the right permissions, and I have even reset the password.
5. For the policy which I pushed to the test device, the deployment is still in Pending status. Any idea why?
Your help is appreciated here!
Hi @ClaudiaP,
Glad to hear it's working now 👍
Feel free to drop me a message if you run into any other issues.
Hi @ClaudiaP, @perryd84,
Can either of you respond to my query below?
I am stuck.
Your help is really appreciated here!
Hi Perry,
Thanks for all your prompt responses. I appreciate your assistance.
Quick one below:
1. Does the LAPS package have to be deployed to the test machines, and also, when ready, does it need to be deployed to all computers, right?
2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about the 'Reset LAPS password' policy: do we need to scope this policy only to the smart group called "LAPS Reset Password"?
Can you please explain to whom each policy should be scoped?
3. The decrypt decoder script policy can be scoped to any helpdesk engineer, so can it be scoped to user names or computer names?
Your help is appreciated here!
Hi @Stady,
1. Does the LAPS package have to be deployed to the test machines, and also, when ready, does it need to be deployed to all computers, right?
Yes, this needs to be deployed for the decoder app to run.
2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about the 'Reset LAPS password' policy: do we need to scope this policy only to the smart group called "LAPS Reset Password"?
Can you please explain to whom each policy should be scoped?
The policies can be scoped to "All computers", except for the decoder app, which you would scope to helpdesk/admin users. The main LAPS script policy is controlled by a custom trigger, so it will only ever run when this trigger is called. This would also explain why you are seeing the policy as pending: it is waiting for the custom trigger to be called.
3. The decrypt decoder script policy can be scoped to any helpdesk engineer, so can it be scoped to user names or computer names?
If you have LDAP integration or have imported Jamf users then you can scope to users, but most of the time it's best to scope to devices.
Hope this helps.
Thanks @perryd84
Also, how about the last policy, the Reset LAPS password policy? To whom should this policy be scoped?
Yes, sorry, the Reset policy should be scoped to the Reset Password smart group, as detailed in the GitHub setup instructions.
I've been working on a LAPS solution for Macs and have created a couple of scripts to manage the cycle of the password and account creation, and an app to show the password when it's needed.
Some other LAPS for Mac solutions display the admin password in plain text in Jamf, which is a massive security risk. My script encrypts it all and never displays the password unless you use the decryption script, which you can scope to just admin users.
I've detailed the setup on my GitHub, and the scripts are there as well.
https://github.com/PezzaD84/macOSLAPS
Check it out to see if it does what you need.
Hello,
And thank you for putting this together! I just had one quick question in regard to the EA setup. I have created the EAs according to your instructions; however, I believe I must be missing a setup step, because the fields remain blank. Is there anything that I need to be configuring within these EAs? I appreciate your time very much! :)
Hi @llullo1,
The EAs will be empty until the script has run, and then they are populated with the LAPS information.
If you have already run the script, check the logs, as there could be errors with the escrowing of the details, which could point towards an issue with the API account.
Feel free to share the logs if you are having issues and I will have a look into it for you.
Hi @perryd84,
My policies have been in Pending state for more than 4 days. Can you help me out?
Are there any logs I can check?
Hi @Stady,
What are your current triggers and scope? Can you take a screenshot and share it here or in a message?
Hi @perryd84,
Here are the screenshots with scope and triggers. Currently no categories are assigned. Do I need to assign the categories to applications or something else? Please let me know, or if there is anything else.
I added all the scripts and LAPS.pkg from this link:
https://github.com/PezzaD84/macOSLAPS
The script is also not assigned to any category; it is showing None, so let me know.
Hi @Stady,
So if you run sudo jamf policy -event createLAPS on one of the 4 scoped devices, does it run?
If so, then this shows it's working but the monthly trigger hasn't kicked off for some reason.
Usually I would have the custom trigger added to a build script running swiftDialog or DEPNotify, which would run the initial LAPS setup when a device is first provisioned. If you don't use something like this, then you can launch the policy by creating another policy which runs the custom trigger, or run it manually from Terminal with the command above.
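A quick way to check from the device side whether the custom trigger has ever been called, as an added example (not code from the macOSLAPS project): it greps jamf.log lines for the createLAPS trigger and for the policy execution, on constructed sample log lines, with "LAPS Setup" assumed as the policy name.

```shell
#!/bin/sh
# Added example, not part of the macOSLAPS project: triage a copy of
# /var/log/jamf.log to tell "Pending because the custom trigger was never
# called" apart from "trigger was called but the policy did not execute".
# The log lines below are constructed to mimic jamf.log; they are not a capture.

# Constructed sample 1: the device only checks in on the recurring trigger.
LOG_NO_TRIGGER=$(mktemp)
cat > "$LOG_NO_TRIGGER" <<'EOF'
Mon Mar  4 09:00:01 mac-test01 jamf[4123]: Checking for policies triggered by "recurring check-in" for user "jdoe"...
Mon Mar  4 09:00:02 mac-test01 jamf[4123]: No policies were found for the "recurring check-in" trigger.
EOF

# Constructed sample 2: "sudo jamf policy -event createLAPS" was run and the
# policy (assumed here to be named "LAPS Setup") executed.
LOG_TRIGGERED=$(mktemp)
cat > "$LOG_TRIGGERED" <<'EOF'
Mon Mar  4 10:02:11 mac-test01 jamf[5210]: Checking for policies triggered by "createLAPS" for user "root"...
Mon Mar  4 10:02:12 mac-test01 jamf[5210]: Executing Policy LAPS Setup
Mon Mar  4 10:02:20 mac-test01 jamf[5210]: Running script LAPS.sh...
EOF

# Count "Checking for policies triggered by" lines for a given trigger name.
trigger_calls() {   # $1 = log file, $2 = trigger name
    grep -c "Checking for policies triggered by \"$2\"" "$1" || true
}

# Count "Executing Policy <name>" lines for the LAPS policy.
policy_runs() {     # $1 = log file, $2 = policy display name
    grep -c "Executing Policy $2" "$1" || true
}

# Verdict for a policy that Jamf shows as Pending.
laps_triage() {     # $1 = log file, $2 = trigger name, $3 = policy name
    if [ "$(trigger_calls "$1" "$2")" -eq 0 ]; then
        echo "NOT_TRIGGERED"      # nothing on the device ever called the trigger
    elif [ "$(policy_runs "$1" "$3")" -eq 0 ]; then
        echo "TRIGGERED_NOT_RUN"  # trigger fired but scope/frequency blocked it
    else
        echo "EXECUTED"           # next, check the script output for escrow/API errors
    fi
}

laps_triage "$LOG_NO_TRIGGER" createLAPS "LAPS Setup"   # NOT_TRIGGERED
laps_triage "$LOG_TRIGGERED" createLAPS "LAPS Setup"    # EXECUTED
```

On a real device, point the functions at /var/log/jamf.log instead of the constructed samples.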
Hi @perryd84,
I need to check that on one of the machines by running this command: sudo jamf policy -event createLAPS
Currently no categories are assigned; hope that's fine?
I have 4 machines under scope, but all of them show Pending status.
How can I achieve the below? Can you provide step-by-step instructions for the below?
Usually I would have the custom trigger added to a build script running swiftDialog or DEPNotify, which would run the initial LAPS setup when a device is first provisioned. If you don't use something like this, then you can launch the policy by creating another policy which runs the custom trigger, or run it manually from Terminal with the command above.
You could also add the enrollment trigger so that it runs at enrollment, which is another way of achieving the same method of using a build script if you don't have one.
Hi @perryd84,
How do I add the enrollment trigger so that it runs at enrollment?
Under General > Triggers, you need to tick "Enrollment Complete".
Thanks @perryd84
I will check.
What about the categories? Do I need to assign any categories for the policies or scripts?
No, categories are more for your own management, to find things and keep things neat. Nice to have; I always use categories for keeping track of policies/profiles etc.
Hi @perryd84,
I am just thinking about how the custom trigger will initiate the LAPS.
How will the LAPS process get initiated? I have scoped 4 machines, but none of them is getting pushed, so I was wondering.
@perryd84, is there a way to use the existing management account instead of having your process create a new one? I'd really like to utilize my account already in place but use the LAPS functionality for that account.
Hi @skinford,
The current version does not support existing local admin accounts, unfortunately. A few customers are using a workaround I have provided, which removes the existing account and then recreates it using the LAPS script.
There is a beta version of the LAPS tool currently in testing which does take over a local admin account if specified, but there are currently issues if FileVault has previously been enabled, and also with existing keychains.
If you could share that workaround to delete and recreate the current account, that would be great.
And thank you for your work with LAPS. Appreciate everyone who is working towards a good secure solution.