+10There are a number of of LAPS scripts I've seen.
Joshua Roskos from Jamf has one here which seems to meet our needs
macOSLAPS
https://github.com/kc9wwh/macOSLAPS
Theres been a couple of minor updates for Big Sur by mjgall
https://github.com/kc9wwh/macOSLAPS/pull/2
The bit I'm confused about is this like and what the 9 & 10 params should be.
jamfProPass=$( echo "${6}" | /usr/bin/openssl enc -aes256 -d -a -A -S "${9}" -k "${10}" )Any ideas?
+7Yes its from the jamf EncryptedStrings script. But I would not use Jamf Pro API Credentials in a Client Side script. I would look for a LAPS version that reads the password with an extension attribute.
https://github.com/mensooree/Encrypted-Script-Parameters
Maybe this is something for you, it has also a "local" mode.
https://github.com/joshua-d-miller/macOSLAPS
Good to read https://labs.f-secure.com/blog/jamfing-for-joy-attacking-macos-in-enterprise/
+4that not clear on the script but jamfProPass variable is using an encrypted password depending of Params 6 - 9 - 10.
To generate an encrypted password :
function GenerateEncryptedString() {
local STRING="${1}"
local SALT=$(openssl rand -hex 8 )
local K=$(openssl rand -hex 12)
local ENCRYPTED=$(echo "${STRING}" | openssl enc -aes256 -a -A -S "${SALT}" -k "${K}")
echo "Encrypted String: ${ENCRYPTED}"
echo "Salt: ${SALT} | Passphrase: ${K}"
}
GenerateEncryptedString 'yourPasswordtoEncrypt'This script will generate Encrypted String + Salt + Passphrase for password "yourPasswordtoEncrypt".
You just have to replace "yourPasswordtoEncrypt", and copy datas returned to your script params
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
