LAPS fails on Catalina 2020 MacBook Pro

hyderas
New Contributor II

We have been using LAPS to reset our local admin password on a daily basis using https://github.com/NU-ITS/LAPSforMac
I noticed that now all machines running Catalina fail with the attached error related to permission. Any comments?
[screenshot of the error]


barnesaw
Contributor III

I'm using a slightly different version, a couple forks down the line in production and it is flawless.
link here

hyderas
New Contributor II

Thank you @barnesaw . I will give it a try.

hyderas
New Contributor II

@barnesaw sorry to bother you. Can you please let me know where you have specified the local username in the script? It also asks for the password in the script but I believe we don't have to enter the password. Please see the attached output when I execute this script as a policy.

geoff_widdowson
Contributor

@hyderas I'm just going through setting this up myself. There are two scripts being used on the https://github.com/caffine247/LAPSforMac page
and this link to another page
https://github.com/caffine247/LAPSforMac/blob/master/original_readme.md
The account is created as part of the 'LAPS Account Creation' script, and this lets you add Parameter 6: LAPS Account Shortname and Parameter 7: LAPS Account Display Name.
You add these on your Jamf policy rather than in the script itself. I've not finished the whole process.

hyderas
New Contributor II

Thank you @geoff.widdowson . I will give it a try.

geoff_widdowson
Contributor

@barnesaw I have been trying to get the version you are using working, but I can never get the LAPS extension attribute to populate, so the runsLAPS script fails. So all I can get is an admin account with the first password to be created, but then never reset. I have followed the https://github.com/caffine247/LAPSforMac/blob/master/original_readme.md but can't see where I may have gone wrong. Any ideas? @hyderas how are you getting on yourself?

chrgra
New Contributor III

I think you need to make two "Extension Attributes" on your Jamf-server, LAPS and oldLAPS so both the old and the new password can be stored.

hyderas
New Contributor II

I am still facing the same problem randomly on some devices @geoff.widdowson

geoff_widdowson
Contributor

@chrgra Thanks, that did help. However, even now I have a value in LAPS, when the script runs it still says "No Password is stored in LAPS". So it can't read the LAPS extension attribute value. I gave the API account full rights but still no change.

chrgra
New Contributor III

Think you need to run "LAPS Account Creation.sh" so you have one pw in your extended attribute or you can edit the value your self.

geoff_widdowson
Contributor

@chrgra The admin account was created using the script LAPS Account Creation. The password shows in the extension attribute LAPS only after I created the second extension attribute oldLAPS. I have even edited the oldLAPS to include the same password. Still shows as "No Password is stored in LAPS" when the LAPS script runs.


chrgra
New Contributor III

Hmm you can test this in a terminal
apiUser=xxxx
apiPass=xxxx
apiURL=https://acme.com   # the Jamf Pro URL, including the scheme
udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
# The inner quotes must be escaped, otherwise the string ends at the first embedded ".
# $newPass is set elsewhere in the LAPS script and is not needed for this read test.
xmlString="<?xml version=\"1.0\" encoding=\"UTF-8\"?><computer><extension_attributes><extension_attribute><name>LAPS</name><value>$newPass</value></extension_attribute></extension_attributes></computer>"
# The quotes are part of the value so that the XPath predicate reads [name="LAPS"];
# without them xpath compares <name> against an element called LAPS and matches nothing.
extAttName="\"LAPS\""
# Note: the xpath shipped with macOS 10.15 expects the expression after -e, i.e. xpath -e "//extension_attribute[name=$extAttName]"
oldPass=$(curl -s -f -u "$apiUser:$apiPass" -H "Accept: application/xml" "$apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes" | xpath "//extension_attribute[name=$extAttName]" 2>&1 | awk -F'<value>|</value>' '{print $2}')
echo "$oldPass"
echo $oldPass

chrgra
New Contributor III

In Extension Attributes it should look like this:
[screenshot]

chrgra
New Contributor III

The result from this command should be the password stored in Jamf curl -s -f -u $apiUser:$apiPass -H "Accept: application/xml" $apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes | xpath "//extension_attribute[name=$extAttName]" 2>&1 | awk -F'<value>|</value>' '{print $2}')

geoff_widdowson
Contributor

Hi, @chrgra apologies for the very late response to your post, had other issues to look at and LDAP is a bit of a side project.
My two extension attributes, LAPS and oldLAPS, look the same as your screenshot. Well, they do now; I did have Location in the Recon Display, because that was what the GitHub instruction said.
I might be entering the code into terminal wrong. I ran the first three lines in terminal with my own values for the apiUser, apiPass and apiURL.
Everything after that I ran as separate lines verbatim, I didn't get any error. After the last line, echo $oldPass, nothing was displayed on the return, just a blank line and no error.

The result from the code in your last post resulted in an error, as I assume I'm typing it wrong.
-bash: syntax error near unexpected token ‘)’

Other than that I also looked at the log for the LAPS policy and the results are odd. The admin account I am creating is called LAPSuser. It shows the password for LAPS is correct up until the end, where it then says
Error: LAPS password for LAPSuser is not correct!

Full transcript below:

Executing Policy LAPS for LAPSuser
Running script LAPS...
Script exit code: 1
Script result: LAPSuser is a local user on the Computer
JAMF Binary is /usr/local/bin/jamf
A Password was found in LAPS.
Password stored in LAPS is correct for LAPSuser.
<html>
<head> <title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Conflict</p>
<p>Error: Duplicate serial number</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.10">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
The old Password has been stored
Recording new password for LAPSuser into LAPS.
<html>
<head> <title>Status page</title>
</head>
<body style="font-family: sans-serif;">
<p style="font-size: 1.2em;font-weight: bold;margin: 1em 0px;">Conflict</p>
<p>Error: Duplicate serial number</p>
<p>You can get technical details <a href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.10">here</a>.<br>
Please continue your visit at our <a href="/">home page</a>.
</p>
</body>
</html>
Verifying LAPS password for LAPSuser.
Error: LAPS password for LAPSuser is not correct!
Error running script: return code was 1.

chrgra
New Contributor III

Hi
Okay, my fault, you need to delete the last ).
You can try to delete some commands from curl -s -f -u $apiUser:$apiPass -H "Accept: application/xml" $apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes | xpath "//extension_attribute[name=$extAttName]" 2>&1 | awk -F'<value>|</value>' '{print $2}'. Try this instead: curl -s -f -u $apiUser:$apiPass -H "Accept: application/xml" $apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes
I think you have 2 Macs stored with the same serial number, don't know if that is messing things up.
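The read and write of the LAPS extension attribute that chrgra's terminal test and the "Conflict" transcript above exercise, written out as an added example. This is not code from LAPSforMac, any of its forks, or anyone in this thread. It assumes the API user, API password and LAPS account name arrive as policy parameters 4, 5 and 6, uses a placeholder Jamf Pro URL, and the sample XML at the bottom is constructed rather than captured from a server. Compared with the thread's snippet it escapes the password before it goes into the XML (a random password can contain &, < or "), locates the attribute without xpath and its quoting pitfalls, and treats any non-2xx status from the PUT (the HTML "Duplicate serial number" page in the transcript is a 409 Conflict) as a reason to stop before the local password is touched, so Jamf is never left holding a password the Mac no longer has.

```bash
#!/bin/bash
# Added example, not code from LAPSforMac or this thread: read/write the LAPS
# extension attribute via the Jamf Classic API so that
#  (a) passwords containing & < > " ' survive the XML round trip,
#  (b) the value is found without xpath, and
#  (c) a failed write (e.g. HTTP 409 "Duplicate serial number") aborts the
#      rotation before the local account password is changed.
# Assumptions: policy parameters 4/5/6 carry apiUser, apiPass and the LAPS
# account shortname; apiURL below is a placeholder for your Jamf Pro URL.

apiUser=${4:-}
apiPass=${5:-}
resetUser=${6:-LAPSuser}
apiURL="https://jss.example.com:8443"   # assumed placeholder

xml_escape()   { printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"; }
xml_unescape() { printf '%s' "$1" | sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' -e "s/&apos;/'/g" -e 's/&amp;/\&/g'; }

# PUT body that stores VALUE ($2) in extension attribute NAME ($1).
ea_xml() {
  printf '<?xml version="1.0" encoding="UTF-8"?><computer><extension_attributes><extension_attribute><name>%s</name><value>%s</value></extension_attribute></extension_attributes></computer>' \
    "$1" "$(xml_escape "$2")"
}

# Value of extension attribute NAME ($1) in a /subset/extension_attributes
# response ($2). Prints nothing when the EA is absent or empty (<value/>),
# which is the "No Password is stored in LAPS" case.
ea_value() {
  raw=$(printf '%s' "$2" | tr -d '\n' | awk -v name="$1" '{
    n = split($0, recs, "</extension_attribute>")
    for (i = 1; i <= n; i++)
      if (index(recs[i], "<name>" name "</name>") && match(recs[i], /<value>[^<]*<\/value>/)) {
        print substr(recs[i], RSTART + 7, RLENGTH - 15); exit
      }
  }')
  xml_unescape "$raw"
}

# True only for a 2xx status code.
http_ok() { case "$1" in 2[0-9][0-9]) return 0 ;; *) return 1 ;; esac; }

# GET the extension attribute subset for udid $1 (curl -f makes a 4xx/5xx fail).
jamf_get_eas() {
  curl -s -f -u "$apiUser:$apiPass" -H 'Accept: application/xml' \
    "$apiURL/JSSResource/computers/udid/$1/subset/extension_attributes"
}

# PUT VALUE ($3) into EA NAME ($2) for udid $1. Fails on any non-2xx status
# instead of printing the server's HTML error page and carrying on.
jamf_put_ea() {
  status=$(curl -s -o /dev/null -w '%{http_code}' -u "$apiUser:$apiPass" \
    -H 'Content-Type: application/xml' -X PUT -d "$(ea_xml "$2" "$3")" \
    "$apiURL/JSSResource/computers/udid/$1")
  http_ok "$status" || { echo "PUT $2 failed with HTTP $status" >&2; return 1; }
}

# Rotation order that never leaves Jamf without a working password:
# verify stored -> record old -> record new -> reset local -> prove new works.
rotate_laps() {
  udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
  eas=$(jamf_get_eas "$udid") || { echo "API read failed" >&2; return 1; }
  oldPass=$(ea_value LAPS "$eas")
  [ -n "$oldPass" ] || { echo "No Password is stored in LAPS." >&2; return 1; }
  /usr/bin/dscl /Local/Default -authonly "$resetUser" "$oldPass" \
    || { echo "stored LAPS password does not match the local account" >&2; return 1; }
  newPass=$(LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 20)
  jamf_put_ea "$udid" oldLAPS "$oldPass" || return 1
  jamf_put_ea "$udid" LAPS "$newPass"    || return 1
  /usr/local/bin/jamf resetPassword -username "$resetUser" -password "$newPass" || return 1
  /usr/bin/dscl /Local/Default -authonly "$resetUser" "$newPass"
}

# Constructed sample response (not captured from a real server) for the offline demo.
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?><computer><extension_attributes>
<extension_attribute><id>7</id><name>oldLAPS</name><type>String</type><value>old&amp;pass</value></extension_attribute>
<extension_attribute><id>8</id><name>LAPS</name><type>String</type><value>Tr0ub4dor&lt;3</value></extension_attribute>
</extension_attributes></computer>'

if [ "${LAPS_LIVE:-0}" = 1 ]; then
  rotate_laps
else
  echo "LAPS    -> $(ea_value LAPS "$SAMPLE_XML")"
  echo "oldLAPS -> $(ea_value oldLAPS "$SAMPLE_XML")"
fi
```

Run from a policy with LAPS_LIVE=1 in the environment to rotate; without it the script only parses the constructed sample, so the XML handling can be checked on any machine before it is pointed at a real JSS.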

geoff_widdowson
Contributor

@chrgra Thanks very much for your help. Most of my testing has been on VMs, so I did have multiple devices in the JSS with the same serial number. I have done some more testing on a physical device and I can get the password to change. The only issue is I had to manually populate the oldLAPS and LAPS extension attributes on that device; they were both blank. My next step is to get the LAPS account to be FileVault enabled. Given you can't do that at the account creation stage post 10.13, I hope to be able to do it after the creation. Not seen anything posted elsewhere on how to do it?

chrgra
New Contributor III

@geoff.widdowson Great, hope you get the FV to run.

geoff_widdowson
Contributor

@chrgra I have everything working including FV. The reason I was having problems getting the password to save was I did not have my JSS url set in the LAPS Account Creation script on line 94.

I have FileVault working by adding my own script to the policy: LAPS for LAPSuser – Create Local Account FVE – Manual Trigger


#!/bin/sh
# Policy parameters: 4/5 = an existing secure-token admin and its password,
# 6/7 = the LAPS account and its current password.
SECURE_TOKEN_USER=$4
SECURE_TOKEN_USER_PASS=$5
NEW_SECURE_TOKEN_USER=$6
NEW_SECURE_TOKEN_USER_PASS=$7

# Give the LAPS admin user a secure token using the existing admin's credentials
/usr/sbin/sysadminctl -adminUser "$SECURE_TOKEN_USER" -adminPassword "$SECURE_TOKEN_USER_PASS" -secureTokenOn "$NEW_SECURE_TOKEN_USER" -password "$NEW_SECURE_TOKEN_USER_PASS"
exitresult=$?
exit "$exitresult"

I also updated the LAPS script to include the line below, so that whenever the LAPS account pw is updated the preboot is also updated.

diskutil apfs updatePreboot /
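A check to run after the secure-token script above, as an added example that is not part of geoff.widdowson's script or the LAPSforMac project: it confirms the LAPS account actually holds a secure token and appears in the FileVault user list before the Preboot volume is refreshed, so a failed sysadminctl call is caught instead of silently leaving an account that cannot unlock the disk. The account name is assumed to arrive as policy parameter 4; the sysadminctl and fdesetup output lines at the bottom are constructed to show the format, not captured from a real Mac.

```bash
#!/bin/bash
# Added example, not part of the thread's scripts: verify that the LAPS
# account holds a secure token and is FileVault-enabled, then refresh the
# Preboot volume so the current password works at the FileVault login screen.
# Assumption: the LAPS account shortname arrives as policy parameter 4.
lapsUser=${4:-LAPSuser}

# sysadminctl -secureTokenStatus writes its verdict to stderr, e.g.
#   sysadminctl[812:9001] Secure token is ENABLED for user LAPSuser
# Prints ENABLED, DISABLED or UNKNOWN for the captured text in $1.
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# fdesetup list prints one "shortname,UUID" line per FileVault-enabled user.
# Returns 0 when user $1 appears in that output ($2); exact match on the name,
# so "LAPS" does not match "LAPSuser".
fv_enabled() {
  printf '%s\n' "$2" | awk -F, -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Live check for a policy run: every step must pass before Preboot is updated.
verify_laps_fv() {
  status=$(/usr/sbin/sysadminctl -secureTokenStatus "$lapsUser" 2>&1)
  [ "$(token_state "$status")" = ENABLED ] \
    || { echo "$lapsUser has no secure token: $status" >&2; return 1; }
  fv_enabled "$lapsUser" "$(/usr/bin/fdesetup list)" \
    || { echo "$lapsUser is not a FileVault-enabled user" >&2; return 1; }
  /usr/sbin/diskutil apfs updatePreboot / >/dev/null
}

# Constructed output lines (not captured from a real Mac) for an offline check.
SAMPLE_TOKEN='sysadminctl[812:9001] Secure token is ENABLED for user LAPSuser'
SAMPLE_FDE='admin,3C0B1F5E-1111-4A2B-9C3D-000000000001
LAPSuser,9F2A7D10-2222-4B3C-8D4E-000000000002'

if [ "${LAPS_LIVE:-0}" = 1 ]; then
  verify_laps_fv
else
  echo "sample token state: $(token_state "$SAMPLE_TOKEN")"
  if fv_enabled LAPSuser "$SAMPLE_FDE"; then echo "LAPSuser is in the sample FileVault list"; fi
fi
```

Run it with LAPS_LIVE=1 from the policy that follows the secure-token step; without it the script only exercises the parsers against the constructed lines.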

chrgra
New Contributor III

That's super. Good job 🙂

rossmclaren
New Contributor II

@geoff.widdowson

Would you be open to post your working script(s) or link to somewhere you may have them hosted? I have been trying for weeks in vain to get a working LAPS solution for my place!

chrgra
New Contributor III

@rossmclaren You can always try this: https://github.com/NU-ITS/LAPSforMac and there are a lot of forks of that. Mine has a lot of special things, so that one isn't any good to use for you.

geoff_widdowson
Contributor

@rossmclaren I followed the instructions and used scripts from https://github.com/caffine247/LAPSforMac and on that page it links to an original readme https://github.com/caffine247/LAPSforMac/blob/master/original_readme.md. That original readme explains how to set up everything: groups, policies and extension attributes. The thing is some things are missing (or I could not see them), such as on the LAPS Account Creation script you need to manually update line 94 to your own JSS URL. You also have to create two extension attributes, LAPS and oldLAPS; chrgra above explained that to me and has posted a screenshot on 10/01/2020.

The FileVault policy as written on the GitHub does not work post macOS 10.13, so I made my own script as posted above.

user-SPFfGhLSOt
New Contributor

@geoff.widdowson

Hello!

I'm having some trouble with implementing LAPS for our organization & I was hoping to get some of your help.

(1) I have 3 scripts saved in my JSS server:

LAPS Account Creation Script: https://github.com/unl/LAPSforMac/blob/master/LAPS%20Account%20Creation.sh
(Link found in the instructions of the original readme file over here: https://github.com/caffine247/LAPSforMac/blob/master/original_readme.md)

For this script, the only edit I made was to update the apiURL to my JSS url, which is cloud-hosted: "https://__.jamfcloud.com:8443"

LAPS Script (based on the latest commit by caffine247): https://github.com/caffine247/LAPSforMac/blob/master/LAPS.sh
(*allegedly updated for mojave)

For this script, the only edit I made was to update the apiURL to my JSS url, which is cloud-hosted: "https://__.jamfcloud.com:8443"

LAPS Add to FV Script: This is the one you posted above in the thread.

(2) I've set up two extension attributes under Computer Management

  • LAPS (Enabled, String, General, Text Field (Input Type), Extension Attributes (Recon Display))
  • oldLAPS (Enabled, String, General, Text Field (Input Type), Extension Attributes (Recon Display))

(3) I've set up 5 policies

Policy 1: "01 LAPS for edusysadmin - Create Local Account - Manual Trigger"
- Trigger: Custom createLAPSaccount-edusysadmin
- Execution Frequency: Ongoing

  • Script: LAPS Add to FV Script:
  • Parameter 4: Name of local admin account (has secure token)
  • Parameter 5: Password of above local admin account
  • Parameter 6: edusysadmin (name of LAPS admin that I'm intending to create)
  • Parameter 7: Password of the above LAPS admin

+Local Accounts
- Create New Account
- Username: edusysadmin
- Password: Password to the above account
- Home Directory: /Users/edusysadmin
- Allow user to administer computer (ticked)

Policy 2: "02 LAPS for edusysadmin - Create Local Account FVE - Manual Trigger"

Everything here is the same as Policy 1 with the exception of:
- Custom Event: createLAPSaccountFVE-edusysadmin
- Local Accounts: Enable user for FV2 is enabled

Policy 3: "03 LAPS for edusysadmin - Manual Trigger"

  • Trigger: Custom: runsLAPS (once a day)
  • Scripts: LAPS Script (latest commit for mojave)
  • API Username: <new jamf acc>
  • API password: Password to the above jamf acc
  • LAPS Account Shortname: edusysadmin

Policy 4: "04 LAPS for edusysadmin"

  • Trigger: Recurring Check-in
  • Execution Frequency: Ongoing
  • Scripts: LAPS Script (latest commit for mojave)
  • API Username: <new jamf acc>
  • API password: Password to the above jamf acc
  • LAPS Account Shortname: edusysadmin

Behaviour

(1) I managed to create a new local admin account with "edusysadmin" on the machine. I can see it under Users & it's also showing up on Jamf Inventory after I did a sudo jamf recon on Terminal.

(2) Your FV script is also successful at granting that user "edusysadmin" a secure token.

(3) Policy 4: LAPS for edusysadmin failed to run:

Here's what the logs said:

Executing Policy 04 LAPS for edusysadmin
Running script [Sys Config] LAPS Script...
Script exit code: 1
Script result: Unable to find the user record
Error:  is not a local user on the Computer!
Error running script: return code was 1.

If you can point me in the right direction, I'd be greatly appreciated!

Thank you, @geoff.widdowson !

geoff_widdowson
Contributor

@user-SPFfGhLSOt Hi. You said the only change you made to the LAPS script was to add your JSS URL. What about the hardcoded values on lines 48 to 51 at the top of the script? On my script these are the same as the variables in the policy.

HARDCODED VALUES SET HERE

apiUser="LAPS.api"
apiPass="ap1Us3r"
resetUser="LAPSuser"

user-SPFfGhLSOt
New Contributor

Hey geoff.widdowson,

I updated the hardcoded values & re-tried the entire workflow on a virtual machine.

(1) edusysadmin user was created by the script.
(2) edusysadmin also has securetoken enabled.

The script appears to fail when LAPS for edusysadmin runs.

Executing Policy 04 LAPS for edusysadmin
Running script [Sys Config] LAPS Script...
Script exit code: 1
Script result: edusysadmin is a local user on the Computer
JAMF Binary is /usr/local/bin/jamf
No Password is stored in LAPS.
======== Aborting LAPS Update ========
Error running script: return code was 1.

Now the error seems to have changed.

EDIT: Even after saving the password for LAPS user in the LAPS field, the script threw up the same error as above.

geoff_widdowson
Contributor

@user-SPFfGhLSOt I think I know what the issue is, as it happened to me (exact same error). You can't use a VM if you have other enrolled devices with the same serial number, such as the host Mac you are running the VM on. Test on a non-VM and you should see it works. Depending on the VM software you are using, you can change the serial number of the VM before you enrol. I use Parallels and was reading a Jamf Nation post on this a few days ago, but have not tried it yet.

user-SPFfGhLSOt
New Contributor

@geoff.widdowson I used vmware & changed the serial though. I'll try it on an actual machine & report the findings.

Thanks!

We get machines from time to time that do not receive a LAPS password. Is there a way to force it?