Hey everyone! 👋
I wanted to share a project I’ve been working on, now available on GitHub:
🔐 Jamf Automatic Admin Password Generator
This script is designed to securely rotate the password of a local admin account on macOS devices managed by Jamf Pro. It handles everything from password generation to encryption and inventory reporting, making it ideal for IT admins looking to improve endpoint security without manual effort.
✨ Key Features:
-
Generates strong passwords using two random words + creative suffix
-
Applies leet-style substitutions for complexity
-
Mixed casing and ensures minimum 20-character length
-
Updates the local admin password securely
-
Encrypts the password using AES-256-CBC
-
Saves encrypted password to:
/private/var/tmp/encrypted_localadmin_password.txt
-
Triggers jamf recon for inventory update in Jamf Pro
🛠️ Configuration Highlights:
🔍 Extension Attributes:
-
Add a Jamf Extension Attribute to read the encrypted password
-
Optionally, a second EA can decrypt it (use with caution – plaintext exposure!)
🧠 Why Use This?
-
Supports automated, regular password rotation (e.g., via weekly Jamf policy)
-
Helps comply with security best practices and zero trust initiatives
-
Keeps sensitive credentials out of reach by encrypting and restricting access
🔗 GitHub Repo: https://github.com/lucaesse/Jamf-McNuggets/tree/main/Automatic%20Admin%20Password%20Changer
📢 Feedback, issues, or improvements welcome!
Would love to hear how others are handling admin password management in Jamf, or if you have ideas to improve this approach!
Cheers!
Luca
