
Jamf Script - Automatic Admin Password Generator - Secure, Automated Rotation for macOS


lucaesse

Hey everyone! 👋

I wanted to share a project I’ve been working on, now available on GitHub:
🔐 Jamf Automatic Admin Password Generator

This script is designed to securely rotate the password of a local admin account on macOS devices managed by Jamf Pro. It handles everything from password generation to encryption and inventory reporting, making it ideal for IT admins looking to improve endpoint security without manual effort.

✨ Key Features:

  • Generates strong passwords using two random words + creative suffix

  • Applies leet-style substitutions for complexity

  • Uses mixed casing and ensures a minimum 20-character length

  • Updates the local admin password securely

  • Encrypts the password using AES-256-CBC

  • Saves encrypted password to:
    /private/var/tmp/encrypted_localadmin_password.txt

  • Triggers jamf recon for inventory update in Jamf Pro

🛠️ Configuration Highlights:

  • adminUser: The local account to rotate (default: admin)

  • encryptionKey: Your custom AES encryption key
    (Important: replace this with a securely stored key specific to your environment)

🔍 Extension Attributes:

  • Add a Jamf Extension Attribute to read the encrypted password

  • Optionally, a second EA can decrypt it (use with caution – plaintext exposure!)

🧠 Why Use This?

  • Supports automated, regular password rotation (e.g., via weekly Jamf policy)

  • Helps comply with security best practices and zero trust initiatives

  • Keeps sensitive credentials out of reach by encrypting and restricting access


🔗 GitHub Repo: https://github.com/lucaesse/Jamf-McNuggets/tree/main/Automatic%20Admin%20Password%20Changer
📢 Feedback, issues, or improvements welcome!

Would love to hear how others are handling admin password management in Jamf, or if you have ideas to improve this approach!

Cheers!
Luca
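
One way to implement the generate-then-encrypt flow listed in the post above, as an added example (not the code from the linked GitHub repo). The word list, suffixes and function names are constructed for illustration, `-pbkdf2` assumes OpenSSL 1.1.1 or newer, and the key is passed through an environment variable so it does not appear in the process argument list.

```shell
#!/bin/sh
# Constructed sample data; a real deployment would draw from a much larger dictionary.
WORDS="granite harbor lantern meadow orchid pepper quartz saddle timber velvet walnut zephyr"
SUFFIXES="#Rotate! @Vault99 %Cycle42"

# Uniform index in [0, n) from /dev/urandom; rejection sampling avoids modulo bias.
rand_index() {
  limit=$(( 65536 - 65536 % $1 ))
  while :; do
    r=$(od -An -N2 -tu2 /dev/urandom | tr -dc '0-9')
    [ "$r" -lt "$limit" ] && { echo $(( r % $1 )); return; }
  done
}

# Pick one random item from a space-separated list.
pick() {
  set -- $1
  shift "$(rand_index $#)"
  printf '%s' "$1"
}

# Capitalise the first letter, then apply leet substitutions to the rest of the word.
mangle() {
  head=$(printf '%s' "$1" | cut -c1 | tr '[:lower:]' '[:upper:]')
  tail=$(printf '%s' "$1" | cut -c2- | tr 'aeio' '4310')
  printf '%s%s' "$head" "$tail"
}

# Two mangled words plus a suffix, padded with random digits up to 20 characters.
gen_password() {
  pw="$(mangle "$(pick "$WORDS")")-$(mangle "$(pick "$WORDS")")$(pick "$SUFFIXES")"
  while [ "${#pw}" -lt 20 ]; do pw="$pw$(rand_index 10)"; done
  printf '%s' "$pw"
}

# AES-256-CBC over stdin; $1 is the passphrase, handed to openssl via the environment
# instead of the command line. Output is single-line base64.
encrypt_pw() { ENC_KEY="$1" openssl enc -aes-256-cbc -pbkdf2 -salt -a -A -pass env:ENC_KEY; }
decrypt_pw() { ENC_KEY="$1" openssl enc -d -aes-256-cbc -pbkdf2 -a -A -pass env:ENC_KEY; }

# Write the ciphertext ($1) to a path ($2) readable only by the owning user.
store_encrypted() { ( umask 077; printf '%s\n' "$1" > "$2" ); }
```

AES-256-CBC gives confidentiality but no integrity check, so the stored file should be treated as tamperable, and the protection is only as strong as the handling of the encryption key.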

4 replies

howie_isaacks
  • Esteemed Contributor
  • 773 replies
  • June 10, 2025

I like this! I created something similar a few years ago. You have done a much better job than I did. What makes this better than using LAPS which basically does the same thing? I don't ask this to challenge you. I'm just curious how this would be better than using the built-in LAPS feature in Jamf Pro.


lucaesse
  • Author
  • New Contributor
  • 2 replies
  • June 12, 2025
howie_isaacks wrote:

I like this! I created something similar a few years ago. You have done a much better job than I did. What makes this better than using LAPS which basically does the same thing? I don't ask this to challenge you. I'm just curious how this would be better than using the built-in LAPS feature in Jamf Pro.


I don't think it's a better version of LAPS; it's just a script we can have more control over. I see it as a different approach to achieve a similar result. Thanks for the compliment!


howie_isaacks
  • Esteemed Contributor
  • 773 replies
  • June 13, 2025
lucaesse wrote:

I don't think it's a better version of LAPS; it's just a script we can have more control over. I see it as a different approach to achieve a similar result. Thanks for the compliment!


I'm a control freak so this does appeal to me. I'm in the process of stopping using Nudge to prompt my users to update in favor of a solution that I created which gives me more control over the user experience.


lucaesse
  • Author
  • New Contributor
  • 2 replies
  • June 18, 2025
howie_isaacks wrote:

I'm a control freak so this does appeal to me. I'm in the process of stopping using Nudge to prompt my users to update in favor of a solution that I created which gives me more control over the user experience.


I could be interested in this. Is it something you want to share?

