Posted on 01-26-2022 11:38 AM
Hi there
So this "seems" to be the most recognized LAPS for macOS - https://github.com/joshua-d-miller/macOSLAPS
Has anyone actually got this up and running? We have spent a few days so far messing with this but were not able to get it working properly. I think we are missing something small but important.
Thanks in advance!
Posted on 01-26-2022 04:11 PM
I have this running in my environment - what do you have setup so far?
Posted on 01-26-2022 05:26 PM
Hello Steve and thank you for replying.
So far we have done:
1. Created the edu.psu.macoslaps.plist file and placed it into /Library/Managed Preferences
The file itself looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>LocalAdminAccount</key>
    <string>SomeLocalAdmin</string>
    <key>DaysTillExpiration</key>
    <integer>0</integer>
    <key>PasswordLength</key>
    <integer>12</integer>
    <key>RemoveKeychain</key>
    <true/>
    <key>FirstPass</key>
    <string>FirstPassword</string>
</dict>
</plist>
However, we are not sure if there should be a line for Method if it's being used by MDM, and if there should be one, what the string should say.
2. Ran the PKG to install the main pieces. The PKG came from here - https://github.com/joshua-d-miller/macOSLAPS/releases/download/2.1.0(721)/macOSLAPS-2.1.0.721.pkg
3. Created a Jamf extension attribute to collect the info. It is powered by this script:
#!/bin/bash
# Path to macOSLAPS binary
laps="/usr/local/laps/macOSLAPS"

if [ -e "$laps" ]; then
    # Ask macOSLAPS to write out the current password and echo it for the Jamf EA
    "$laps" -getPassword
    current_password=$(cat "/var/root/Library/Application Support/macOSLAPS-password")
    expiration_date=$(cat "/var/root/Library/Application Support/macOSLAPS-expiration")
    # Test $current_password to ensure there is a value
    if [ -z "$current_password" ]; then
        # The $current_password variable is empty, not writing anything
        exit 0
    else
        # We know that $current_password has a value so writing it to Jamf
        echo "<result>Password: $current_password
Expiration: $expiration_date</result>"
        # Run macOSLAPS a second time to remove the password file from the system
        "$laps"
    fi
else
    echo "<result>Not Installed</result>"
fi
exit 0
OK, I think this is about all we could dig up on how to get it working. Since it does not, I am quite sure something is missing.
Thanks a ton again :)
Posted on 01-27-2022 09:22 PM
Ah, I am using MacOSLAPS in conjunction with Active Directory. I'm not familiar with the specifics of operating it otherwise. Which part isn't working in your setup? Changing the password or retrieving and storing it in Jamf?
Posted on 01-28-2022 10:58 AM
OK, so it seems like I was wrong!
It does seem to change the password locally, as I can no longer use the admin account with the password I knew.
However, what it's showing me in Jamf is also not correct and does not allow me to use that either. So I am not sure where it's pulling it from or why it does NOT pull the right one.
What does your extension attribute look like?
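One way to keep a stale or wrong value out of Jamf is to have the extension attribute prove the password before escrowing it. The script below is an added example written for this thread, not the project's own EA: it keeps the paths and preference domain quoted above (/usr/local/laps/macOSLAPS, edu.psu.macoslaps and the macOSLAPS-password / macOSLAPS-expiration files under /var/root), checks the value on disk with `dscl . -authonly` against the LocalAdminAccount named in the preferences, and runs macOSLAPS a second time (as the quoted EA does) plus an `rm -f` on every exit path so the secret never stays on disk.

```shell
#!/bin/bash
# Added example EA for macOSLAPS (not the project's own script).
# Paths and the preference domain are the ones quoted in this thread.
LAPS_BIN="/usr/local/laps/macOSLAPS"
LAPS_DOMAIN="edu.psu.macoslaps"
PW_FILE="/var/root/Library/Application Support/macOSLAPS-password"
EXP_FILE="/var/root/Library/Application Support/macOSLAPS-expiration"

# Build the <result> payload. Kept pure so it can be checked off-box.
# An empty password is a failure (return 1) rather than an empty <result>.
ea_result() {   # $1 = password, $2 = expiration
    [ -n "$1" ] || return 1
    printf '<result>Password: %s\nExpiration: %s</result>\n' "$1" "$2"
}

# True only when $2 is the current password of local account $1.
# dscl's -authonly performs a real authentication and exits non-zero on failure.
password_valid() {   # $1 = account, $2 = password
    dscl . -authonly "$1" "$2" >/dev/null 2>&1
}

# Runs on every exit once the binary has been invoked: the second run of
# macOSLAPS removes the password file (as in the EA quoted above); rm -f is
# the fallback if that run fails for any reason.
cleanup() {
    "$LAPS_BIN" >/dev/null 2>&1 || true
    rm -f "$PW_FILE"
}

collect() {
    local acct pw exp
    if [ ! -x "$LAPS_BIN" ]; then
        echo "<result>Not Installed</result>"
        return 0
    fi
    trap cleanup EXIT
    acct=$(defaults read "$LAPS_DOMAIN" LocalAdminAccount 2>/dev/null) || acct=""
    "$LAPS_BIN" -getPassword >/dev/null 2>&1 || true
    pw=$(cat "$PW_FILE" 2>/dev/null) || pw=""
    exp=$(cat "$EXP_FILE" 2>/dev/null) || exp=""
    if [ -z "$pw" ]; then
        echo "<result>Error: macOSLAPS did not write a password</result>"
        return 0
    fi
    # What is on disk does not open the account: report it instead of escrowing
    # a value that nobody can use. (Skipped if LocalAdminAccount is not set.)
    if [ -n "$acct" ] && ! password_valid "$acct" "$pw"; then
        echo "<result>Error: stored password does not authenticate for $acct</result>"
        return 0
    fi
    ea_result "$pw" "$exp"
}

collect
```

Jamf runs an EA with no arguments, so `collect` is called unconditionally at the end. Note that `dscl . -authonly` receives the password as a command-line argument, so it is briefly visible in the process list on that Mac; the check is local and short-lived, but it is a trade-off to be aware of. An "Error:" result in Jamf then tells you the rotation and the escrow disagree, which is the symptom described above.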
Posted on 04-11-2022 08:25 AM
Good morning,
I'm also trying to implement macOSLAPS. Have you found a solution?
Posted on 06-13-2022 09:00 AM
I am trying to use this and so far 50% of the time it works fine and the rest of the time it does not return anything.
When I go onto those computers and try to run it manually, it gives me the following error:
    cfjamfadmin@Jamftestuser-M1 laps % sudo ./macOSLAPS -resetpassword
    Error|2022-06-13 10:26:17|macOSLAPS|This machine does not appear to be bound to Active Directory
    cfjamfadmin@Jamftestuser-M1 laps %
I am not connected to AD and don't want the Macs to be. So why does it give me this error?
Posted on 01-15-2023 04:54 PM
As macOSLAPS defaults to AD, is the Method setting set to Local?
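A preflight that makes the Method default visible before a rotation is attempted, as an added example for this thread (not part of macOSLAPS): it reads the effective Method through `defaults read` (which walks the normal preference layers, managed preferences included) and treats an absent key as AD, the fallback described above; checks binding with `dsconfigad -show`; and only then looks for the LocalAdminAccount. The decision itself is a separate function so it can be exercised off-box. The binary path and preference domain are the ones quoted earlier in the thread.

```shell
#!/bin/bash
# Added preflight for macOSLAPS; example for this thread, not part of the project.
# It reproduces the decision behind the "does not appear to be bound to Active
# Directory" error: with no Method key the tool defaults to AD, so on an unbound
# Mac -resetPassword fails.
LAPS_BIN="/usr/local/laps/macOSLAPS"
LAPS_DOMAIN="edu.psu.macoslaps"

# Effective value of Method. An absent key is reported as AD, the tool's default.
effective_method() {
    local m
    if m=$(defaults read "$LAPS_DOMAIN" Method 2>/dev/null); then
        printf '%s\n' "$m"
    else
        printf 'AD\n'
    fi
}

# "Yes" when dsconfigad reports a domain, "No" otherwise (unbound Macs print nothing).
ad_bound() {
    if dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain'; then
        echo Yes
    else
        echo No
    fi
}

# Pure decision, separated so it can be exercised without a Mac.
#   $1 = effective Method, $2 = Yes/No binding state
# Prints a verdict; returns 0 when a reset can be expected to work.
method_verdict() {
    case "$1:$2" in
        Local:*) echo "ok: Method=Local, no AD binding needed"; return 0 ;;
        AD:Yes)  echo "ok: Method=AD and this Mac is bound"; return 0 ;;
        AD:No)   echo "fail: Method is AD (the default) but this Mac is not bound; set Method to Local"; return 1 ;;
        *)       echo "fail: unexpected Method value '$1'"; return 1 ;;
    esac
}

preflight() {
    local acct
    [ -x "$LAPS_BIN" ] || { echo "fail: $LAPS_BIN not installed"; return 1; }
    method_verdict "$(effective_method)" "$(ad_bound)" || return 1
    acct=$(defaults read "$LAPS_DOMAIN" LocalAdminAccount 2>/dev/null) \
        || { echo "fail: LocalAdminAccount is not set"; return 1; }
    dscl . -read "/Users/$acct" RecordName >/dev/null 2>&1 \
        || { echo "fail: local account '$acct' not found"; return 1; }
    echo "ok: '$acct' present; $LAPS_BIN -resetPassword should succeed"
}

# Usage: sudo ./laps_preflight.sh check
case "${1:-}" in check) preflight ;; esac
```

Run it with `sudo ./laps_preflight.sh check` on one of the machines that fails intermittently; the `AD:No` verdict is the condition that produces the error message quoted above.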
Posted on 06-13-2022 09:39 AM
I was not able to make this work RELIABLY. When it works, it works just fine, but at times it just does not. This obviously is a huge issue, as one can't rely on a system that is there for emergency-type situations but is itself not reliable.
Posted on 07-29-2022 02:48 AM
I've been working on a LAPS solution for Macs and have created a couple of scripts to manage the cycle of the password and account creation, and an app to show the password when it's needed.
Some other LAPS for mac solutions display the admin password in plain text in Jamf which is a massive security risk. My script encrypts it all and never displays the password unless you use the decryption script which you can scope to just admin users.
I've detailed the setup on my github and the scripts are there as well.
https://github.com/PezzaD84/macOSLAPS
Check it out to see if it does what you need.
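The plaintext-in-the-EA risk mentioned above can be closed with public-key encryption, so that the Mac holds only what it needs to encrypt. This is an added example for this thread and not the scripts from the repository above (which use their own scheme): a symmetric key embedded in a script would have to be present on every managed Mac, so any local root user could decrypt every escrowed password, whereas with RSA the private key lives only with the helpdesk/decoder side. It assumes `openssl` (LibreSSL on macOS, OpenSSL elsewhere) and a public key path of /usr/local/laps/escrow_pub.pem, both hypothetical choices for the example.

```shell
#!/bin/bash
# Added example (not from the repository linked above): public-key escrow of a
# LAPS password so the EA in Jamf holds ciphertext. Assumes /usr/bin/openssl.
# The public key path is an assumption for this example.
LAPS_PUBKEY="${LAPS_PUBKEY:-/usr/local/laps/escrow_pub.pem}"

# One-time, on the admin side: keep the private key off the managed Macs.
make_escrow_keypair() {   # $1 = private key path, $2 = public key path
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null &&
    openssl pkey -in "$1" -pubout -out "$2" 2>/dev/null
}

# Encrypt the password read from stdin with the public key; prints one line of
# base64 suitable for an EA value. RSA-OAEP is randomised, so two escrows of the
# same password produce different blobs.
encrypt_escrow() {   # $1 = public key path; password on stdin
    openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
        | base64 | tr -d '\n'
}

# Decrypt an EA blob read from stdin with the private key; prints the password.
decrypt_escrow() {   # $1 = private key path; base64 on stdin
    base64 -d | openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep
}

# What an EA would emit: the ciphertext, never the password.
escrow_result() {   # $1 = password
    local blob
    blob=$(printf '%s' "$1" | encrypt_escrow "$LAPS_PUBKEY") || return 1
    printf '<result>%s</result>\n' "$blob"
}
```

On the Mac the EA calls `escrow_result "$pw"` (with `printf '%s'` so no trailing newline is encrypted); the helpdesk tool pipes the stored value into `decrypt_escrow /path/to/escrow_key.pem`. The default OAEP digest is used for portability across LibreSSL and OpenSSL versions; a 2048-bit key comfortably fits a LAPS password of the lengths configured in this thread.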
Posted on 04-21-2023 03:34 PM
Hello,
And thank you for putting this together! I just had one quick question, in regards to the EA setup. I have created the EAs according to your instructions, however, I believe I must be missing a setup, because the fields remain blank. Is there anything that I need to be configuring within these EAs? I appreciate your time very much! :)
Posted on 04-22-2023 02:53 AM
Hi @llullo1
The EAs will be empty until the script has run; they are then populated with the LAPS information.
If you have already run the script, check the logs, as there could be errors with the escrowing of the details, which could point towards an issue with the API account.
Feel free to share the logs if you are having issues and I will have a look into it for you.
Posted on 12-06-2022 09:51 AM
@perryd84 How are you getting the encrypted creds?
Posted on 12-07-2022 01:12 AM
I've added a short script to my github as a few people have asked this same question.
https://github.com/PezzaD84/macOSLAPS/blob/main/Encode%20API%20Credentials
Check out that script which will encode your api credentials.
Posted on 04-11-2023 04:26 AM
Hi Perry,
I followed your script.
It has some variables to enter: encrypted API credentials, JSS URL and LAPS account name. What are these to be filled in with? Can you help?
And also, how does the decrypt self service password app work? Is it to be deployed for all users or for specific users?
I am confused.
Can you help step by step?
Posted on 04-11-2023 04:51 AM
Hi @Stady
The decoding tool can be scoped to who you want. Most people scope it to their helpdesk team or their senior admins to give out the password upon request. Some users scope it to individual users upon request, so for example if a user requests to install an application they are given one time access to the decoding tool to get the password and then it is cycled.
The github page has a step by step guide but please feel free to message me if you get stuck.
Posted on 04-11-2023 05:27 AM
Thanks Perry for your prompt response.
How can I add this encoded API credentials script to the API credential variable? In the script I see apiuser=APIUSER
apipasswd=APIPASSWORD
so what are these? Can you help me fill in the variables on each policy, please, step by step?
And also, where can I find the Jamf JSS URL? Any navigation?
For the LAPS account name, is it any new user we can create and grant the permission to?
And also, for the LAPS 4 policy, do we need to scope it to some specific computers? And how about the smart group called "LAPS Reset Password", do we need to scope this as well?
Posted on 04-11-2023 05:47 AM
Hi @Stady, I've sent you a private message as it's easier to send longer messages there.
Posted on 04-11-2023 05:50 AM
Thank you perry will check much appreciated.
Posted on 04-11-2023 08:39 AM
Hi Perry,
I replied to your private message; there are a few things I need help with. Please check and let me know when you get time.
Posted on 04-11-2023 08:59 AM
Hi,
I don't see any private messages? Are you sure it sent?
Posted on 04-13-2023 01:49 AM
Hi Perry,
Thanks for all your prompt response. I appreciate your assistance.
Quick one below
1. Does the LAPS package have to be deployed to the test machines, and also, once ready, to all computers, right?
2. As we have 4 policies, do we need to scope all 4 of these policies to the machines? How about the 'Reset LAPS password' policy, do we need to scope this policy only to the smart group called "LAPS Reset Password"?
Can you please explain to whom each policy should be scoped?
3. The decrypt decoder script policy can be scoped to any helpdesk engineer, so can it be scoped to user names or computer names?
Your help is appreciated here!
Posted on 04-13-2023 08:57 AM
Hi @perryd84
Also, to add to the above question: the policy which I pushed to the test device is still in Pending status. Any idea why?
Posted on 04-14-2023 01:33 AM
Hi @Stady
1. Does the LAPS package have to be deployed to the test machines, and also, once ready, to all computers, right?
Yes, this needs to be deployed for the decoder app to run.
2. As we have 4 policies, do we need to scope all 4 of these policies to the machines? How about the 'Reset LAPS password' policy, do we need to scope this policy only to the smart group called "LAPS Reset Password"?
Can you please explain to whom each policy should be scoped?
The policies can be scoped to "All computers", except for the decoder app, which you would scope to helpdesk/admin users. The main LAPS script policy is controlled by a custom trigger, so it will only ever run when this trigger is called. This would also explain why you are seeing the policy as pending, as it is waiting for the custom trigger to be called.
3. The decrypt decoder script policy can be scoped to any helpdesk engineer, so can it be scoped to user names or computer names?
If you have LDAP integration or have imported Jamf users then you can scope to users, but most of the time it's best to scope to devices.
Hope this helps?
Posted on 04-14-2023 01:45 AM
Thanks @perryd84
Also, how about the last policy, the Reset LAPS password policy. To whom should this policy be scoped?
Posted on 04-14-2023 01:56 AM
Yes sorry the Reset policy should be scoped to the Reset Password smart group as detailed on the github setup instructions.
Posted on 04-26-2023 04:28 AM
Hi @perryd84
My policies have been in a pending state for more than 4 days. Can you help me out?
Are there any logs I can check?
Posted on 04-26-2023 04:29 AM
Hi @Stady
What are your current triggers and scope? Can you take a screenshot and share it here or in a message?
Posted on 04-26-2023 06:05 AM
Hi @perryd84
Here are the screenshots with scope and triggers. Currently no categories are assigned. Do I need to assign categories to applications or something else? Please let me know, or is there anything else?
I added all the scripts and LAPS.pkg from this link:
https://github.com/PezzaD84/macOSLAPS
The script is also not assigned to any category; it shows None, so let me know.
Posted on 04-26-2023 06:19 AM
Hi @Stady
So if you run sudo jamf policy -event createLAPS on one of the 4 scoped devices, does it run?
If so, then this shows it's working but the monthly trigger hasn't kicked off for some reason.
Usually I would have the custom trigger added to a build script running swiftDialog or DEPNotify which would run the initial LAPS setup when a device is first provisioned. If you don't use something like this then you can launch the policy by creating another policy which runs the custom trigger or run it manually from terminal with the command above.
Posted on 04-26-2023 06:34 AM
Hi @perryd84
I need to check that on one of the machines by running this command: sudo jamf policy -event createLAPS
Currently no categories are assigned; hope that's fine?
I have 4 machines under scope but all of them show pending status.
How can I achieve the below? Can you provide step-by-step instructions for the below?
Usually I would have the custom trigger added to a build script running swiftDialog or DEPNotify which would run the initial LAPS setup when a device is first provisioned. If you don't use something like this then you can launch the policy by creating another policy which runs the custom trigger or run it manually from terminal with the command above.
Posted on 04-26-2023 06:45 AM
You could also add the enrollment trigger so that it runs at enrollment which is another way of achieving the same method of using a build script if you don't have one.
Posted on 04-26-2023 07:33 AM
Hi @perryd84
How do I add the enrollment trigger so that it runs at enrollment?
Posted on 04-26-2023 07:44 AM
Under General > Triggers, you need to tick "Enrollment Complete".
Posted on 04-26-2023 07:48 AM
Thanks @perryd84
I will check.
What about the categories? Do I need to assign any categories for the policies or scripts?