!/bin/bash

Hi @Cooley26

You need to return/echo the variable wrapped in result tags

echo "<result>$LAPS_Password</result>"

You may need/want to wrap the variable in curly-braces if spaces were present for expansion

echo "<result>${LAPS_Password}</result>"

This article can speak more to it for you...
Creating Extension Attributes Populated by a Custom Script

@dkmansion THANK YOU!! I’ll try this in the morning! If it works I owe you bug time!!

@dkmansion Hmmm... Still not working. Now I get this return in the logs:

Huh. I do know that all our scripts grabbing any kind of value to insert into EAs we have the result as
echo "<result>$variable</result>"

Here's one of mine: just getting local machine /app info:

If you used the curly brace in my suggestion above, maybe remove that.

Also Ensure that the data type in the EA setting is appropriate for your use.. I hope this helps get you to a result.

I've just gotten macOSLAPS running in our environment, so allow me to share my configuration if anyone's still running into issues:

Configuration Profile (note that I'm running in "Local" mode):

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

    <key>DaysTillExpiration</key>

    <integer>30</integer>

    <key>LocalAdminAccount</key>

    <string>YOURACCOUNT</string>

    <key>PasswordLength</key>

    <integer>14</integer>

    <key>RemovePassChars</key>

    <string>{}[]|</string>

    <key>Method</key>

    <string>Local</string>

    <key>FirstPass</key>

    <string>YOURPASSWORD</string>

</dict>

</plist>

Extension Attribute (echoes password to Jamf for easy retrieval):

#!/bin/bash

#Resets macOSLAPS password

/usr/local/laps/macOSLAPS -resetPassword

#Writes macOSLAPS password to file

/usr/local/laps/macOSLAPS -getPassword

#Retrieves password

password=$(sudo cat /var/root/Library/Application\\ Support/macOSLAPS-password | awk '{print $0}')

#Echoes result to Jamf MDM

echo "<result>$password</result>"

Few things. using 

<key>FirstPass</key><string>YOURPASSWORD</string>

Doesn't that show the password in the profile on the users system?

also using 

password=$(sudo cat /var/root/Library/Application\\ Support/macOSLAPS-password | awk '{print $0}')

That means the password is in a text file, so if a user is logged in, they could go to the /var/root/Library/Application\\ Support/macOSLAPS-password and get the admin password for the local admin account correct?

Yup, correct on both counts:

1. Yes, it does show the password in the configuration profile. But that password is temporary anyway and our provisioning model has the technician login first - so by the time the end-user might see this, it has already changed. (Obviously, this wouldn't work in all cases or at all companies.) You could populate that initial password in a myriad of ways, or even generate it to include a variable or random number generator to obfuscate things - but that's not strictly needed in my environment. And just to clarify, this would require not including the "FirstPass" key in the configuration profile and instead writing that value separately, like by using a script leveraging "defaults".

2. Yes, this does store the password in the file which is why I added an "rm" command in the production version to immediately delete it after the EA echo but before the "exit 0" - the file exists for milliseconds. 

EDIT: This is probably a better solution, but I haven't yet investigated further: https://github.com/PezzaD84/macOSLAPS 

Credit to @perryd84 from the thread here: https://community.jamf.com/t5/jamf-pro/macoslaps-by-joshua-miller/m-p/281535#M253790

Hello,

I am looking to implement LAPS on MACS using JAMF pro. Can anyone please provide me the step by step instruction to get this accomplished?

Your help is appreciated