macOSLAPS by Jamf script

MatG
Contributor III

There are a number of of LAPS scripts I've seen.

Joshua Roskos from Jamf has one here which seems to meet our needs
macOSLAPS
https://github.com/kc9wwh/macOSLAPS

Theres been a couple of minor updates for Big Sur by mjgall
https://github.com/kc9wwh/macOSLAPS/pull/2

The bit I'm confused about is this like and what the 9 & 10 params should be.

jamfProPass=$( echo "${6}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${9}" -k "${10}" )

Any ideas?

2 REPLIES 2

colorenz
New Contributor III

Yes its from the jamf EncryptedStrings script. But I would not use Jamf Pro API Credentials in a Client Side script. I would look for a LAPS version that reads the password with an extension attribute.

https://github.com/mensooree/Encrypted-Script-Parameters

Maybe this is something for you, it has also a "local" mode.

https://github.com/joshua-d-miller/macOSLAPS

Good to read https://labs.f-secure.com/blog/jamfing-for-joy-attacking-macos-in-enterprise/

mpuyet
New Contributor II

that not clear on the script but jamfProPass variable is using an encrypted password  depending of Params 6 - 9 - 10.

  • Param 6 : Encrypted String
  • Param 9 : Salt
  • Param 10 : Passphrase

To generate an encrypted password : 

function GenerateEncryptedString() {
local STRING="${1}"
local SALT=$(openssl rand -hex 8 )
local K=$(openssl rand -hex 12)
local ENCRYPTED=$(echo "${STRING}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
echo "Encrypted String: ${ENCRYPTED}"
echo "Salt: ${SALT} | Passphrase: ${K}"
}
GenerateEncryptedString 'yourPasswordtoEncrypt'

This script will generate Encrypted String + Salt + Passphrase for password "yourPasswordtoEncrypt".

You just have to replace "yourPasswordtoEncrypt", and copy datas returned to your script params