Mac OS LAPS

Matt_Roy93
Contributor

Does anyone have any experience utilizing Jamf Connect login LAPS functionality? https://travellingtechguy.blog/jamf-connect-and-laps/ Following this link there is specific plist config info called out for LAPS control built into Jamf Connect, our intended use case would be finding something that can manage our local admin passwords without being AD bound and securely using the FV2 escrow key seems like an interesting idea.  Any thoughts on best practice?

2 ACCEPTED SOLUTIONS

rossmclaren
New Contributor III

Here is the script we use:

#!/bin/sh
####################################################################################################
#
#   MIT License
#
#   Copyright (c) 2016 University of Nebraska–Lincoln
#
#	Permission is hereby granted, free of charge, to any person obtaining a copy
#   of this software and associated documentation files (the "Software"), to deal
#   in the Software without restriction, including without limitation the rights
#   to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
#   copies of the Software, and to permit persons to whom the Software is
#   furnished to do so, subject to the following conditions:
#
#   The above copyright notice and this permission notice shall be included in all
#   copies or substantial portions of the Software.
#
#   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
#   IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
#   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
#   AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
#   LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
#   OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
#   SOFTWARE.
#
####################################################################################################
#
# HISTORY
#
#	Version: 1.4
#
#	- 04/29/2016 Created by Phil Redfern
#   - 05/01/2016 Updated by Phil Redfern, added upload verification and local Logging.
#   - 05/02/2016 Updated by Phil Redfern and John Ross, added keychain update and fixed a bug where no stored LAPS password would cause the process to hang.
#   - 05/06/2016 Updated by Phil Redfern, improved local logging and increased random passcode length.
#   - 05/11/2016 Updated by Phil Redfern, removed ambiguous characters from the password generator.
#
#   - This script will randomize the password of the specified user account and post the password to the LAPS Extention Attribute in Jamf.
#  Version 1.5
#   - 8 Sep 2020 Mark Lamont  Removed reliance on API user thus closing security hole. Now uses standard inventory function to update.
#   - Password does remain on the device though but is obscured and only available to root user.
#   - Not written to work with FileVault enabled admin users because of all the issues with secure token
#
####################################################################################################
#
# DEFINE VARIABLES & READ IN PARAMETERS
#
####################################################################################################

resetUser=""
basePassword=""
# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 4 AND, IF SO, ASSIGN TO "resetUser"
if [ "$4" != "" ] && [ "$resetUser" == "" ];then
resetUser=$4
fi

# CHECK TO SEE IF A VALUE WAS PASSED IN PARAMETER 5 AND, IF SO, ASSIGN TO "initialPassword"
if [ "$5" != "" ] && [ "$basePassword" == "" ];then
basePassword=$5
fi

udid=$(/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')

LogLocation="/Library/Logs/Jamf_LAPS.log"
LAPSFileLocation="/usr/local/jamf/$udid/"
if [ ! -d "$LAPSFileLocation" ]; then
mkdir -p $LAPSFileLocation
chmod 600 $LAPSFileLocation
fi

LAPSFile="$LAPSFileLocation.$udid"

newPass=$(openssl rand -base64 10 | tr -d OoIi1lLS | head -c12;echo)
####################################################################
#
#            ┌─── openssl is used to create
#            │	a random Base64 string
#            │                    ┌── remove ambiguous characters
#            │                    │
# ┌──────────┴──────────┐	  ┌───┴────────┐
# openssl rand -base64 10 | tr -d OoIi1lLS | head -c12;echo
#                                            └──────┬─────┘
#                                                   │
#             prints the first 12 characters  ──────┘
#             of the randomly generated string
#
####################################################################################################
#
# SCRIPT CONTENTS - DO NOT MODIFY BELOW THIS LINE
#
####################################################################################################

# jamf binary path
jamf_binary="/usr/local/jamf/bin/jamf"
# Logging Function for reporting actions
ScriptLogging(){

DATE=$(date +%Y-%m-%d\ %H:%M:%S)
LOG="$LogLocation"

echo "$DATE" " $1" >> $LOG
}

ScriptLogging "======== Starting LAPS Update ========"
ScriptLogging "Checking parameters."

if [ "$resetUser" == "" ];then
    ScriptLogging "Error:  The parameter 'User to Reset' is blank.  Please specify a user to reset."
    echo "Error:  The parameter 'User to Reset' is blank.  Please specify a user to reset."
    ScriptLogging "======== Aborting LAPS Update ========"
    exit 1
fi

# Verify resetUser is a local user on the computer
checkUser=$(dseditgroup -o checkmember -m $resetUser localaccounts | awk '{ print $1 }')

if [[ "$checkUser" = "yes" ]];then
    echo "$resetUser is a local user on the Computer"
else
    echo "Error: $checkUser is not a local user on the Computer!"
    ScriptLogging "======== Aborting LAPS Update ========"
    exit 1
fi

ScriptLogging "Parameters Verified."

# Update the User Password
RunLAPS (){
ScriptLogging "Running LAPS..."

if [[ "$secureTokenStatus" = "DISABLED" ]]; then

    ScriptLogging "Updating password for $resetUser."
    echo "Updating password."
    $jamf_binary resetPassword -username $resetUser -password $newPass
else
    ScriptLogging "*** Secure Token Enabled! ***"
    sysadminctl -resetPasswordFor "$resetUser" -newPassword "$newPass" -adminUser "$resetUser" -adminPassword "$basePassword"
    
    
fi

}

# Verify the new User Password
CheckNewPassword (){
ScriptLogging "Verifying new password for $resetUser."
passwdB=`dscl /Local/Default -authonly $resetUser $newPass`

if [ "$passwdB" == "" ];then
    ScriptLogging "New password for $resetUser is verified."
    echo "New password for $resetUser is verified."
else
    ScriptLogging "Error: Password reset for $resetUser was not successful!"
    echo "Error: Password reset for $resetUser was not successful!"
    ScriptLogging "======== Aborting LAPS Update ========"
    exit 1
fi
}

# Update the LAPS Extention Attribute
UpdateJamf (){
ScriptLogging "Recording new password for $resetUser into LAPS."
# debug
# ScriptLogging "*** new pass is $newPass ***"
touch $LAPSFile

#echo "$resetUser|$newPass" > $LAPSFile
echo "$newPass" > $LAPSFile

# EA must be in Jamf to record the value
jamf recon

}

checkSecureTokenStatus () {

secureTokenStatus=$(sysadminctl -secureTokenStatus $resetUser 2>&1 | awk '{ print $7 }' | sed s'/ //g')

ScriptLogging "secure token for $resetUser is $secureTokenStatus"

}

checkIfRunBefore () {

if [ -f "$LAPSFile" ]; then
    previousPassword=$(cat $LAPSFile)
    basePassword=${previousPassword}
    # Debug
    #ScriptLogging "base password is $basePassword"

fi

}
#====================================================
# The script itself

checkSecureTokenStatus
checkIfRunBefore
RunLAPS
CheckNewPassword
UpdateJamf

ScriptLogging "======== LAPS Update Finished ========"
echo "LAPS Update Finished."

exit 0

 

You will also need to use this below as an Extension Attribute:

#!/bin/sh

###################################
# EA to update LAPS Password      #
###################################
udid=$(/usr/sbin/ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')
LAPSFileLocation="/usr/local/jamf/$udid/"
LAPSFile="$LAPSFileLocation.$udid"

if [[ -f "$LAPSFile" ]]; then
   value=$(cat $LAPSFile)
   echo "<result>$value</result>"
   else
   value="Not recorded"
fi

 

View solution in original post

perryd84
Contributor II

I've been working on a LAPS solution for macs and have created a couple of scripts to manage the cycle of the password and account creation and an app to show the password when it's needed.

Some other LAPS for mac solutions display the admin password in plain text in Jamf which is a massive security risk. My script encrypts it all and never displays the password unless you use the decryption script which you can scope to just admin users.

I've detailed the setup on my github and the scripts are there as well.
https://github.com/PezzaD84/macOSLAPS

Check it out to see if it does what you need.

View solution in original post

53 REPLIES 53

Hi @caio_clemente

The credentials should be your encoded api account. There is a small script in the github which can do this for you.

Hi @caio_clemente 
Really sorry I missed this message!
The encoded API account is a regular API account but encoded into a secure string.

You can use this small script to encode your API account.
https://github.com/PezzaD84/macOSLAPS/blob/main/Encode%20API%20Credentials

Perry has probably replied already. You create a new user in Jamf and then use that for the api creds.

Stady
New Contributor II

Hi Perry,

I followed your script

It has some variable to enter API credentials, JSS URL, LAPS Account name  so what are these to be filled up? Can you help?

And also how the decrypt self service password app works, Is it for all users will be deployed?or for specific users?

I am confused.

Can you help step by step?

snowwalker1988
New Contributor

Hi @perryd84,

very nice work. 

Do you have a recommendation for the rights of the API user?
This one I think don´t need full admin rights.

Do you use an extra user only for the LAPS function?

How you are build the LAPS.pkg?
The 10 seconds time is not set by a variable or?

Best regards

Hi @snowwalker1988 
You can find permissions for the API account here https://github.com/PezzaD84/macOSLAPS/issues/2

The LAPS account created can be an additional admin account or just replace your local admin account it's up to you. If the same account exists before the LAPS Creation runs then it will conflict with the existing account. Best practice is to have this set up a brand new account not the same as anything else already existing.

The pkg was created in Composer. You can download the LAPS.pkg from here https://github.com/PezzaD84/macOSLAPS/raw/main/LAPS.pkg

The 10 second timer is just a default timer setting in the script. It can be changed if you want by editing the --timer key followed by a custom seconds time.

Feel free to message me if you need any more help with it.

First of thanks @perryd84 for putting this together. It looks excellent and it pretty much exactly what I'm after.

I'm hoping could give me some pointers since I think I'm almost there.

I've set everything up and now have a new local laps account on my test Mac and the extension attributes are populated in the Jamf inventory. My problem is that the password generated from 'Decrypt' doesn't work with the newly created laps admin account.  This is what I got in the policy install logs (running it on MacOS 13.2.1):

admin has already been created and is a local admin. Resetting local admin password....
2023-02-16 15:06:40.790 sysadminctl[70436:2815752] ### Error:-14090 File:/AppleInternal/Library/BuildRoots/9e200cfa-7d96-11ed-886f-a23c4f261b56/Library/Caches/com.apple.xbs/Sources/Admin_sysadminctl/addremoveuser/main.m Line:378
2023-02-16 15:06:40.791 sysadminctl[70436:2815752] Operation is not permitted without secure token unlock.
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
LAPS Password has been reset. Resetting EA to default value
<?xml version="1.0" encoding="UTF-8"?><computer><id>2641</id></computer><?xml version="1.0" encoding="UTF-8"?><computer><id>2641</id></computer><?xml version="1.0" encoding="UTF-8"?><computer><id>2641</id></computer>CryptKey and SecretKey Escrowed to Jamf successfully

 

The decrypt log looks fine from what I can tell: Script result: Log already exists. Continuing setup.....
***** LAPS Decryption 16/02/2023 15:21:03 The LAPS Password for ******* was viewed by ****** on ****** Reason for viewing password: TEST No slack URL configured

Hi @tjhall 

From a quick look, this error usually happens when an existing local admin account exists before running LAPS for the first time. For example if you have a local admin called "admin" and then run LAPS to create an account called "admin", it will see this and attempt to reset that account but the passwords will fail.
As I don't know whats been done initially I would recommend setting LAPS to create a brand new local admin account which doesn't share a name with a potential existing account.

This line here, "2023-02-16 15:06:40.791 sysadminctl[70436:2815752] Operation is not permitted without secure token unlock.", would be where it has failed to authenticate to reset the password.

Hope that helps a little? Feel free to message me if you are still stuck👍🏻

Just to add I've updated the script in my github with a version which includes a password validation check. Basically the script will now bomb out if the password is incorrect. This would usually point to a duplicate local admin account with the same name already existing before the LAPS account is created.

One other thing, do you have the LAPS.log to share? If this is the first time its ran and its reporting that "admin has already been created" then that would also indicate that the account existed before LAPS was run.

Hi Perry

Thanks for replying so quickly.

I had a look at the log and I suspect I set it up wrong the first time which presumably meant the local laps admin got created with the incorrect password/API details.

I setup a new user and password (and used your new script), flushed the policies and it now works.

Thanks a million for your help!

No problem at all!

Glad to hear it's working now😃

jjweid
New Contributor

@perryd84 

I just yesterday found your script through this page. I have actually set it all up and it is working on a few test machines (kudos by the way!).

My own mac, when I attempt to decrypt the password, it's blank. Can you point me in the direction to troubleshoot why?

Hi @jjweid 

Thanks for the kudos appreciate it😁

You can check the logs in the jamf policy or the local log in /Library/.laps/logs. If you want you can send the logs to me in a message and I can have a look over them see if anything stands out.