MacosLAPS by Joshua Miller

etarasula
New Contributor II

Hi there

 

So this "Seems" to be most recognized LAPS for MacOS - https://github.com/joshua-d-miller/macOSLAPS 

 

Has anyone actually got this up and running? We had spends a few days so far messing with this but were not able to get it working properly, I think we are missing something small but important. 

 

Thanks in advance! 

56 REPLIES 56

SteveC
New Contributor III

I have this running in my environment - what do you have setup so far?

etarasula
New Contributor II

Hello Steve and thank you for replying. 

So far we had done:
1. Created edu.psu.macoslaps.plist file and placed it into /Library/Managed Preferences
File itself looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>LocalAdminAccount</key>
    <string>SomeLocalAdmin</string>
    <key>DaysTillExpiration</key>
    <integer>0</integer>
    <key>PasswordLength</key>
    <integer>12</integer>
    <key>RemoveKeychain</key>
    <true/>
    <key>FirstPass</key>
    <string>FirstPassword</string>
  </dict>
</plist>

However we are not sure if there should be line for Method if its being used by MDM and if there should be one what should it say for the String. 

2. Ran the PKG to install main pieces. PKG came from here - https://github.com/joshua-d-miller/macOSLAPS/releases/download/2.1.0(721)/macOSLAPS-2.1.0.721.pkg

3. Created JAMF extension attribute to collect the info. It is powered by this script:
#!/bin/bash
# Path to macOSLAPS binary
laps=/usr/local/laps/macOSLAPS
if [ -e $laps ] ; then
# Ask macOSLAPS to write out the current password and echo it for the Jamf EA
$laps -getPassword
current_password=$( cat "/var/root/Library/Application Support/macOSLAPS-password" )
expiration_date=$( cat "/var/root/Library/Application Support/macOSLAPS-expiration" )
# Test $current_password to ensure there is a value
if [ -z "$current_password" ]; then
# The $current_password variable is empty, not writing anything
exit 0
else
# We know that $current_password has a value so writing it to Jamf
echo "<result>Password: $current_password
Expiration: $expiration_date</result>"
# Run macOSLAPS a second time to remove the password file from the system
$laps
fi
else
echo "<result>Not Installed</result>"
fi
exit 0

Ok i think this is about all we could dig up on how to get it working. Since it does not i am quite sure something is missing. 

Thanks a ton again :)


 

 

SteveC
New Contributor III

Ah, I am using MacOSLAPS in conjunction with Active Directory.  I'm not familiar with the specifics of operating it otherwise.  Which part isn't working in your setup? Changing the password or retrieving and storing it in Jamf?

etarasula
New Contributor II
Changing the password it seems ;/


[Image]

Eugene Tarasula

Sr. Mobility Support

Tel: +1 (925) 558-5796
EMail: ETarasula@RiminiStreet.com
Web: RiminiStreet.com
NASDAQ: RMNI

[Image]

This message and any attached documents may contain information that is confidential and may constitute inside information. If you are not an intended recipient, you are directed not to read, disclose, distribute or otherwise use this transmission. Delivery of this message is not intended to waive confidentiality. If you have received this email in error, please notify the sender immediately and delete this message from your system. Your privacyis important to us, and you may manage your contact preferences here. Rimini Street, Inc., Worldwide Headquarters: 3993 Howard Hughes Parkway, Las Vegas NV 89169. +1.702.839.9671 www.riministreet.com

etarasula
New Contributor II

OK so seems like i was wrong!

It does seems to change password locally as i cant any longer use the Admin account with the password i knew. 

However what its showing me in JAMF is also not correct and does not allow me to use that either. So i am not sure where its pulling it from or why it does NOT pull right one. 

 

What does your extension attribute looks like? 

BGhilardi
New Contributor II

Good morning,
I’m also trying to implement macoslaps. have you found a solution?

AZAKRAM
New Contributor

I am trying to use this and so far 50% of time it works fine and rest of the time it does not return anything.

When I try to go on those computers and try to run manually it gives me following error.

cfjamfadmin@Jamftestuser-M1 laps % sudo ./macOSLAPS -resetpassword

Error|2022-06-13 10:26:17|macOSLAPS|This machine does not appear to be bound to Active Directory

cfjamfadmin@Jamftestuser-M1 laps % 

I am not connected to AD and don't want Macs to be. So why it gives me this error

As macOSLAPS defaults to AD, is the Method setting set to Local?

etarasula
New Contributor II

I was not able to make this work RELIABLY. When it works it works just fine but at times it just does not. This obviously is a huge issue as one cant rely on the system that is there for emergencies kind of situations but in itself not reliable. 

perryd84
Contributor II

I've been working on a LAPS solution for macs and have created a couple of scripts to manage the cycle of the password and account creation and an app to show the password when it's needed.

Some other LAPS for mac solutions display the admin password in plain text in Jamf which is a massive security risk. My script encrypts it all and never displays the password unless you use the decryption script which you can scope to just admin users.

I've detailed the setup on my github and the scripts are there as well.
https://github.com/PezzaD84/macOSLAPS

Check it out to see if it does what you need.

llullo1
New Contributor II

Hello, 

And thank you for putting this together! I just had one quick question, in regards to the EA setup. I have created the EAs according to your instructions, however, I believe I must be missing a setup, because the fields remain blank. Is there anything that I need to be configuring within these EAs? I appreciate your time very much! :) 

 

Hi @llullo1 

The EA's will be empty until the script has run and then they are populated with the LAPS information.

If you have already run the script check the logs as there could be errors with the escrowing of the details which could point towards an issue with the API account.

Feel free to share the logs if you are having issues and I will have a look into it for you.

JennyGarland
New Contributor II

@perryd84How are you getting the encrypted creds?

Jenny Garland

Hi @JennyGarland 

I've added a short script to my github as a few people have asked this same question.
https://github.com/PezzaD84/macOSLAPS/blob/main/Encode%20API%20Credentials
Check out that script which will encode your api credentials.

Stady
New Contributor II

Hi Perry,

I followed your script

It has some variable to enter API credentials, JSS URL, LAPS Account name  so what are these to be filled up? Can you help?

And also how the decrypt self service password app works, Is it for all users will be deployed?or for specific users?

I am confused.

Stady
New Contributor II

Hi Perry,

I followed your script

It has some variable to enter encrypted API credentials, JSS URL, LAPS Account name  so what are these to be filled up? Can you help?

And also how the decrypt self service password app works, Is it for all users will be deployed?or for specific users?

I am confused.

Can you help step by step?

Hi @Stady 

  • So the encoded API credential is needed for all the API calls in the script and for reading and writing the extension attributes to JAMF. You can encode your API account using the script on my github 
  • The JSS URL is your JAMF URL so for example https://YOURCOMPANY.jamfcloud.com
  • The LAPS Account name is the name of the local admin account to be created by the script.

The decoding tool can be scoped to who you want. Most people scope it to their helpdesk team or their senior admins to give out the password upon request. Some users scope it to individual users upon request, so for example if a user requests to install an application they are given one time access to the decoding tool to get the password and then it is cycled.

The github page has a step by step guide but please feel free to message me if you get stuck.

Stady
New Contributor II

Thanks Perry for your prompt response. 

how I can add this encoded API credentials script to the API credential variable? In the script I see apiuser=APIUSER
apipasswd=APIPASSWORD

so what are these? Can you help me to fill the variables on each policy please step by step?
And also where can I find JAMF JSS URL? any navigation?

LAPS account name is whether any new user we can create and grant the permission?

And also for the LAPS 4 policy  do we need to scope to some specific computers? and how about smart Group called "LAPS Reset Password" do we need to scope this as well?

Hi @Stady I've sent you a private message as its easier to send longer messages there.

Stady
New Contributor II

Thank you perry will check much appreciated.

Stady
New Contributor II

Hi Perry,

I replied you on your private message , there is few things which I need help, Please check and let me know when you get time.

Hi,

I don't see any private messages? Are you sure it sent?

Stady
New Contributor II
Yes I Did

This is the ask


Any idea how to run the encoded API script to get the random string of
text.
Do we have to run on cmd Or any other way?
I use windows machine. Please suggest.

And also for JAMF API user it can be any user which we create on JAMF right
and giving the right permission by following this link right -
https://github.com/pezzaD84/macOSLAPS/issues/2

Stady
New Contributor II

Hi Perry, 

 

Thanks for all your prompt response. I appreciate your assistance. 

 

Quick one below

1. Do the LAPS package has to be deployed to the test machines and also if ready need to deploy to all computers right? 

2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about 'Reset APS password policy' do we need to scope this policy only to the smart group called "LAPS Reset Password"

Can you please explain each policy to whom to be scoped? 

 

3. The decrypt decoder script policy can be scoped to any helpdesk engineer so it can be scoped to users name or computers name? 

 

Your help is appreciated here! ! 

Stady
New Contributor II

Hi @perryd84 , 

 

Did you get chance to look on this? 

Stady
New Contributor II

Hi @perryd84

 

Also to add to the above question - the policy which I pushed to test device id 

Stady
New Contributor II

Hi @perryd84 

 

Also to add to the above question - the policy which I pushed to test device the deployment is still in Pending status. Any idea why? 

Hi @Stady 

1. Do the LAPS package has to be deployed to the test machines and also if ready need to deploy to all computers right?
Yes this needs to be deployed for the decoder app to run.

 

2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about 'Reset APS password policy' do we need to scope this policy only to the smart group called "LAPS Reset Password"

Can you please explain each policy to whom to be scoped? 
The policies can be scoped to "All computers" except for the decoder app which your would scope to helpdesk/admin users. The main LAPS script policy is controlled by a custom trigger so it will only ever run when this trigger is called. This would also explain why you are seeing the policy as pending as it is waiting for the custom trigger to be called.

 

3. The decrypt decoder script policy can be scoped to any helpdesk engineer so it can be scoped to users name or computers name?
If you have LDAP integration or have imported JAMF users then you can scope to users but most of the time its best to scope to devices.

 

Hope this helps?

Stady
New Contributor II

Thanks @perryd84 

Also how about last policy Reset LAPS password policy. Whom to scope this policy? 

Yes sorry the Reset policy should be scoped to the Reset Password smart group as detailed on the github setup instructions.

Stady
New Contributor II

Hi @perryd84 

My policies are in pending state for more than 4 days. Can you help me out? 

Is there any logs I can check? 

Hi @Stady 

What are your current triggers and scope? Can you take a screen shot and share it here or in a message?

Stady
New Contributor II

Hi @perryd84 

Here is the screenshots with scope and triggers, Currently no categories assigned, Do I need to assign the categories to applications or something else, Please let me know or else any other thing?

I added all the scripts and LAPS.pkg from this link

https://github.com/PezzaD84/macOSLAPS

Stady_3-1682514250075.jpegStady_4-1682514266834.jpeg

 

Stady_5-1682514279485.jpeg

Script also not assigned to any category it is showing None so let me know

Stady_6-1682514324031.jpeg

 

 

 

 

 

Hi @Stady 

So if you run sudo jamf policy -event createLAPS on one of the 4 scoped devices does it run?

If so then this shows its working but the monthly trigger hasn't kicked off for some reason.

Usually I would have the custom trigger added to a build script running swiftDialog or DEPNotify which would run the initial LAPS setup when a device is first provisioned. If you don't use something like this then you can launch the policy by creating another policy which runs the custom trigger or run it manually from terminal with the command above.

Stady
New Contributor II

Hi @perryd84 

I need to check that on one of the machine by running this command sudo jamf policy -event createLAPS

Currently no categories assigned, hope thats fine?

I have 4 machines under scope but all of them shows pending status.

How can I achieve this below? can you provide step by step instructions for the below?

Usually I would have the custom trigger added to a build script running swiftDialog or DEPNotify which would run the initial LAPS setup when a device is first provisioned. If you don't use something like this then you can launch the policy by creating another policy which runs the custom trigger or run it manually from terminal with the command above.

You could also add the enrollment trigger so that it runs at enrollment which is another way of achieving the same method of using a build script if you don't have one.

Stady
New Contributor II

Hi @perryd84 

How do I add the enrollment trigger so that it runs at enrollment?

Under general > triggers, you need to tick "enrollment complete"

Stady
New Contributor II

Thanks @perryd84 

I will check.

What about the categories? Do I need to assign any categories for the policies or scripts?