JAMF LAPS Tools

perryd84
Contributor III

Hi all,

I've done a lot of work on creating a LAPS tool of my own which can be found here https://github.com/PezzaD84/macOSLAPS

 

But with the release of 10.49 the JAMF LAPS solution is looking a lot better than initially. So I have created a couple of tools to help configure the LAPS settings and view the LAPS account and password.

Check them out here:
LAPS Configurator tool - https://github.com/PezzaD84/JAMFLAPS-Configurator
View LAPS Credentials - https://github.com/PezzaD84/JAMF-LAPS-UI

Please note these are very early release so there will be changes to come!

All feedback is welcome😁


mm2270
Legendary Contributor III

I took a look at this. It's good work, thanks for putting it together.

But one piece of advice. You should mention in your notes on github that the solution specifically uses swiftDialog for the UI. I see in your script you have a section where it downloads the latest version of swiftDialog if needed, but you can't assume every environment will be able to do this. For example, I work at a bank, and so, highly regulated environment. Github is blocked for many users (I have access to it, and so do some others), and also we use an authenticated web proxy, for which github is not one of the excluded sites, so all curl commands must be preceded with a --proxy <proxyaddress> string for curl to work at all.

Just some things to think about. As it is, for some people your solution may not work since they may not be able to auto download swiftDialog if it needs to do that. They can always pre-deploy swiftDialog of course to meet that requirement. If it's mentioned in your notes, others will know what they need to do to get it to work.

jamf-42
Valued Contributor II

Great point.. with how things are with supply chain attacks.. we don't allow any remote ingest of code or pkg or ..anything ... no matter where or who.. (and I'm surprised some people think this is acceptable)

@perryd84 great work though.. I've done a code review, all good.. now to have some time to test.

my only other take is jamf will roll a GUI for this pretty soon ( maybe ) so.. keep that in mind on your dev time on this.. 😎

Lol I'm expecting a GUI interface anytime soon so I'm sure to slack off with the development in time. But for now this at least makes using Jamf LAPS a little nicer and more user friendly for some admins.

Thanks for the feedback.

As stated it's very early release and I guess if admins in highly restricted environments need to use apps like swift dialog then these can be pre-deployed in a secure way and the scripts can be tweaked.

The notes on the GitHub pages are very basic at the moment as it is in a very early version and I haven't had a chance to detail every aspect on GitHub yet.

Hopefully the tools were of some use at least regardless of the security hurdles?

jamf-42
Valued Contributor II

much appreciated.. and once tested I'll use in live.. I just wish I had the spare time to dev things...

mm2270
Legendary Contributor III

Yes, all good. You saved me from doing some of this work myself. I've had it on my "to-do" list since Jamf introduced this new LAPS solution. I may make a few modifications to it to fit my environment.

Nice one! Let me know of any changes you make and any additions, I'm always open to new ways of doing things 👍🏻

ArthurKellogg
New Contributor

Thanks for sharing it with us, I really like the LAPS Configurator tool.

Thanks for the feedback, glad it's come of some use to you 😁

perryd84
Contributor III

So after my session at JNUC I've had a lot of great feedback and have now taken some of these points to action. I've now updated my main LAPS solution with a lot of new features which can be found here. https://github.com/PezzaD84/macOSLAPS

Also my JAMF LAPS UI has been updated too with these new features that were requested from JNUC. You can find that here https://github.com/PezzaD84/JAMF-LAPS-UI

Keep the feedback coming, it's really helpful when building these tools.

jobscommasteve
New Contributor III

My noob question for this is, will this impact the existing prestage-configured admin account(s)? 

 

@jobscommasteve my LAPS solution doesn't touch existing accounts or the JAMF management accounts. JAMF LAPS however will take control of your Pre-stage and user initiated management accounts. Since 11.3, JAMF LAPS is enabled by default on user enrolled devices.

vcasiero
New Contributor II

Hi Perry, have tried to implement your solution and everything is working awesome except for one thing. I have the password to rotate after 5 minutes, but that's not happening.

Thx in advance!

Hi @vcasiero 

Is the password not rotating on a remote machine? That's unfortunately a limitation of the solution at the moment. The rotation of the password after being viewed is limited to the device viewing the password. So for example if you gave a Dev user access to the decoder app on their device, the password would rotate after 5min.
I'm currently looking at some of the new DDM features which will hopefully allow devices to call JAMF for a policy update rather than waiting for a check-in.

vcasiero
New Contributor II

The password isn't rotating on my test machine, so it would be the one that I ran the decoder on via self service. It only rotated after the machine ran the daily "cycle" policy that I setup.

Can you check to see if you can see this LaunchD file after decoding the password /Library/LaunchDaemons/com.LAPS.triggerCycle.plist
If it is there can you share the contents please?

vcasiero
New Contributor II

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.LAPS.triggerCycle.plist</string>
</dict>
</plist>

 

***the timestamp of that file changed to the time when I just decoded the pswd again

vcasiero
New Contributor II

sorry, contents changed:

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.LAPS.triggerCycle.plist</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/bin/jamf</string>
<string>policy</string>
<string>-event</string>
<string>createLAPS</string>
</array>
<key>RunAtLoad</key>
<false/>
<key>StartCalendarInterval</key>
<dict>
<key>Hour</key>
<integer>11</integer>
<key>Minute</key>
<integer>10</integer>
</dict>
<key>UserName</key>
<string>root</string>
</dict>
</plist>

vcasiero
New Contributor II

so seems to have run the cycle 5 mins later, but failed:

=================================================================
============ LAPS Account cycled 09/08/2024 11:10:11 ============
=================================================================
Password length has been set to 12 characters
A Special character has been set in the password
ACCOUNT ACCOUNT has already been created and is a local admin.
Resetting local admin password....
No active session for ACCOUNT. Continuing to reset password
2024-08-09 11:10:12.637 sysadminctl[27985:12775769] resetting password for ACCOUNT. (Keychain will not be updated!)
2024-08-09 11:10:12.957 sysadminctl[27985:12775769] SystemConfiguration commitChanges failed.
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
Password validation failed.

Ah this means the passwords have become out of sync. If the cycle script runs again it will clean it up and reset the password to get it back in sync.

Give the device a couple of runs and let me know how it goes.
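To make the out-of-sync failure discussed above easy to spot in policy logs, here is an added Python parser (my own example, not code from macOSLAPS) that classifies one cycle run from its output; the sample text is the run pasted above, split back into lines.

```python
import re

# Constructed sample: the cycle output pasted in the thread, one message per line.
SAMPLE_LOG = """\
=================================================================
============ LAPS Account cycled 09/08/2024 11:10:11 ============
=================================================================
Password length has been set to 12 characters
A Special character has been set in the password
ACCOUNT ACCOUNT has already been created and is a local admin.
Resetting local admin password....
No active session for ACCOUNT. Continuing to reset password
2024-08-09 11:10:12.637 sysadminctl[27985:12775769] resetting password for ACCOUNT. (Keychain will not be updated!)
2024-08-09 11:10:12.957 sysadminctl[27985:12775769] SystemConfiguration commitChanges failed.
<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
Password validation failed.
"""

CYCLE_HEADER = re.compile(r"LAPS Account cycled (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})")
RESET_TARGET = re.compile(r"resetting password for (\S+)\.")
DS_ERROR = re.compile(r"DS Error: (-\d+) \((\w+)\)")


def classify_cycle(log_text: str) -> dict:
    """Summarise one LAPS cycle run: when it ran, which account was reset,
    every Directory Services error code seen, and an overall status.

    eDSAuthFailed on the reset means the stored password no longer matches
    the account, i.e. the out-of-sync condition the next cycle run repairs."""
    result = {"cycled_at": None, "account": None, "ds_errors": [], "status": "ok"}
    for line in log_text.splitlines():
        if m := CYCLE_HEADER.search(line):
            result["cycled_at"] = m.group(1)
        elif m := RESET_TARGET.search(line):
            result["account"] = m.group(1)
        elif m := DS_ERROR.search(line):
            result["ds_errors"].append((int(m.group(1)), m.group(2)))
    if any(name == "eDSAuthFailed" for _, name in result["ds_errors"]):
        result["status"] = "out_of_sync"
    elif result["ds_errors"] or "Password validation failed." in log_text:
        result["status"] = "failed"
    return result
```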

vcasiero
New Contributor II

Thanks for your help, things have seemed to calm down and are working as expected. Had one question, the Reset LAPS script to purge machines of the account. Is there any way to trigger that silently from Jamf, i.e. not have the "are you sure" popup on the local machine.

Thx in advance!

Hi @vcasiero 

Sorry for the delay I've just got back from leave.

If you hash out lines 43-50 this will turn off the prompt and just force wipe the LAPS account.

Some of this reset functionality has been added to the main script now so if there are any failures it should now rectify itself.

perryd84
Contributor III

If anyone is interested I've got another JAMF LAPS tool. It's a menu bar app which displays the LAPS password for the current device. https://github.com/PezzaD84/JAMF-LAPS-Menubar-app


GabeShack
Valued Contributor III

We have found an issue where the volume owner on Apple silicon machines seems to work for logins at least with the rotated password, however with things like system updates where a restart is needed, it shows as an incorrect password or failed authentication. We seem to be having trouble with it allowing other volume owners as well, so I seem to be caught in a loop. Anyone else seen this on Apple silicon?

Gabe Shackney
Princeton Public Schools

@GabeShack are you using the JAMF LAPS account as a FileVault user? I would not recommend using the JAMF LAPS account or any LAPS account for FileVault, as due to the nature of the password being rotated constantly you will run into Keychain and FileVault sync issues. Is this the issue you are seeing?