macOS and LAPS Help

mhclark
New Contributor

I'm hoping someone has gone through this process and has some ideas. We are an on-prem Jamf Pro shop. We are looking at implementing some things with our macOS devices as part of our new security process.

I've tried doing the LAPS scripts that have been put out by Josh Miller and PezzaD84 on GitHub. I've also tried setting up and configuring the new built-in LAPS in 10.46. I've run into various issues with those options and figured I need some help. We have our setup as mostly set-and-forget, so I'm not as well versed in Jamf as others might be.
The built-in API LAPS option might work, but we don't have any computers that are currently enrolled with PreStage. The test machine I'm using was manually enrolled.

The scripts from Perry seemed the most robust choice, with password encryption etc., but they seem to not be fully configured right on my end.

I'm wondering if some of the issue is that we are running on a Windows server, since that's our core infrastructure, and not a macOS-based server. I sort of got the scripts to work, but they failed generating the password, and I think pulling down the app or scripts. I haven't been able to get the scripts in the policy to retrigger either.

Does anyone have some clearer directions for a Windows-based implementation?

3 REPLIES

jamf-42
Valued Contributor

Scripts in Jamf run on the Mac endpoint. Running Jamf on a Windows server has no impact or bearing on this.

API calls to Jamf would need to be run from a Mac or something with the correct bash / sh / zsh shell.

Share links to the LAPS scripts, so we know the exact one you are referring to.
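To make the split in the reply above concrete (what runs on the endpoint versus what talks to the Jamf Pro API), here is an added example. It is not code from the thread, from PezzaD84/macOSLAPS, from Josh Miller's scripts or from Jamf. It generates a LAPS-style password on the Mac, checks it against a simple complexity policy, resets the managed admin account with sysadminctl (macOS and root only; it refuses elsewhere), and shows the shape of the curl call that reads a password back from Jamf Pro's built-in LAPS. Assumptions: the function names are ours; the v2 local-admin-password endpoint path is taken from the Jamf Pro API and should be checked against the API reference for your version; the admin credentials for the reset are assumed to arrive as Jamf policy script parameters.

```shell
#!/bin/sh
# Added example for this thread; not code from macOSLAPS, Josh Miller's scripts
# or Jamf. Function names and the parameter layout are assumptions.

# Generate LENGTH random characters from an explicit alphabet using /dev/urandom.
# LC_ALL=C keeps tr byte-oriented so a multibyte locale cannot distort the set.
laps_generate_password() {
    length="${1:-20}"
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%_=+' </dev/urandom | head -c "$length"
}

# Policy check: minimum length plus at least one upper, lower, digit and symbol.
laps_password_ok() {
    pw="$1"; min="${2:-20}"
    [ "${#pw}" -ge "$min" ] || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[A-Z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[a-z]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[0-9]' || return 1
    printf '%s' "$pw" | LC_ALL=C grep -q '[^A-Za-z0-9]' || return 1
}

# Draw passwords until one passes the check. Bounded, so a bad alphabet or a
# broken /dev/urandom fails loudly instead of looping forever.
laps_new_password() {
    want="${1:-20}"; tries=0
    while [ "$tries" -lt 50 ]; do
        pw="$(laps_generate_password "$want")"
        if laps_password_ok "$pw" "$want"; then
            printf '%s' "$pw"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "could not generate a compliant password" >&2
    return 1
}

# Reset the managed admin account on the endpoint. This is the part of a Jamf
# policy script that only works on macOS and as root, so it refuses elsewhere.
# admin_user / admin_pass authorise the reset; in a Jamf policy they would
# normally be passed in as script parameters $4 and $5 (assumption).
laps_rotate_account() {
    account="$1"; newpw="$2"; admin_user="$3"; admin_pass="$4"
    if [ "$(uname)" != "Darwin" ]; then
        echo "not macOS; refusing to rotate $account" >&2
        return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "must run as root" >&2
        return 2
    fi
    sysadminctl -adminUser "$admin_user" -adminPassword "$admin_pass" \
        -resetPasswordFor "$account" -newPassword "$newpw"
}

# Read the current LAPS password back from Jamf Pro's built-in LAPS. This runs
# from any machine with curl and sh, not on the endpoint. It needs a bearer
# token and the computer's management ID (from the inventory record), not the
# numeric Jamf computer ID. Endpoint path: check it against your API reference.
laps_fetch_password() {
    jamf_url="$1"; token="$2"; management_id="$3"; account="$4"
    curl -sS -H "Authorization: Bearer $token" -H 'Accept: application/json' \
        "$jamf_url/api/v2/local-admin-password/$management_id/account/$account/password"
}

# Stand-alone run: generate and check a password. Rotation is only attempted
# when called explicitly on a Mac as root.
echo "generated: $(laps_new_password 20)"
```

The two halves deliberately never share state: the rotation half has no network access and the retrieval half never touches the endpoint, which is also why the server's operating system does not matter to the policy script.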

mhclark
New Contributor

The scripts etc. I've been using are primarily this one: https://github.com/PezzaD84/macOSLAPS
I've followed the majority of the directions, and the portion of the script that creates a specified new admin account runs, but it kicked back errors creating the password etc., and I'm not well versed enough in these to know where to look or troubleshoot. Also, this one has a package to upload, and the directions for using a Windows file share as a distribution point are a bit sparse. I found one set of instructions that went about adding the cert and enabling IIS for HTTPS access to the share, which did seem to work, but I haven't gotten to where I can test pulling the package again.

I've also done the steps listed here: https://community.jamf.com/t5/tech-thoughts/how-to-securely-manage-local-admin-passwords-with-jamf-p...

But we currently only have one device for testing, and it's already been enrolled manually, so I don't think we can test these settings without nuking that system.

trevoredwards
New Contributor III

I can't speak to the set of scripts you linked, but I've recently used this HCS guide for setting LAPS up in our test environment and haven't had any issues: https://hcsonline.com/support/white-papers/how-to-configure-local-administrator-password-solution-la...