Jamf Nation Community

MatG · ‎07-05-2021

There are a number of of LAPS scripts I've seen.

Joshua Roskos from Jamf has one here which seems to meet our needs
macOSLAPS
https://github.com/kc9wwh/macOSLAPS

Theres been a couple of minor updates for Big Sur by mjgall
https://github.com/kc9wwh/macOSLAPS/pull/2

The bit I'm confused about is this like and what the 9 & 10 params should be.

jamfProPass=$( echo "${6}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${9}" -k "${10}" )

Any ideas?

colorenz · ‎07-05-2021

Yes its from the jamf EncryptedStrings script. But I would not use Jamf Pro API Credentials in a Client Side script. I would look for a LAPS version that reads the password with an extension attribute.

https://github.com/mensooree/Encrypted-Script-Parameters

Maybe this is something for you, it has also a "local" mode.

https://github.com/joshua-d-miller/macOSLAPS

Good to read https://labs.f-secure.com/blog/jamfing-for-joy-attacking-macos-in-enterprise/

mpuyet · ‎07-14-2021

that not clear on the script but jamfProPass variable is using an encrypted password depending of Params 6 - 9 - 10.

Param 6 : Encrypted String
Param 9 : Salt
Param 10 : Passphrase

To generate an encrypted password :

function GenerateEncryptedString() {
  local STRING="${1}"
  local SALT=$(openssl rand -hex 8 )
  local K=$(openssl rand -hex 12)
  local ENCRYPTED=$(echo "${STRING}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
  echo "Encrypted String: ${ENCRYPTED}"
  echo "Salt: ${SALT} | Passphrase: ${K}"
}
GenerateEncryptedString 'yourPasswordtoEncrypt'

This script will generate Encrypted String + Salt + Passphrase for password "yourPasswordtoEncrypt".

You just have to replace "yourPasswordtoEncrypt", and copy datas returned to your script params

macOSLAPS by Jamf script