Posted on 01-26-2022 11:38 AM
Hi there
So this "seems" to be the most recognized LAPS for macOS - https://github.com/joshua-d-miller/macOSLAPS
Has anyone actually got this up and running? We have spent a few days so far messing with this but were not able to get it working properly; I think we are missing something small but important.
Thanks in advance!
Posted on 04-26-2023 07:51 AM
No, categories are more for your own management, to find things and keep things neat. Nice to have; I always use categories for keeping track of policies/profiles etc.
Posted on 04-26-2023 07:56 AM
Hi @perryd84
I am just thinking, how will the custom trigger initiate LAPS?
How does the LAPS process get initiated? I have scoped 4 machines but none of them is getting it pushed, so I was wondering.
Posted on 04-12-2023 09:30 PM
Hi @perryd84, first of all, nice work on putting this LAPS solution together. I have been struggling to find a more secure LAPS solution for macOS in our company that can replace an old script from 7 years ago which now has multiple problems.
I have gone through your setup, and I have got most of it working except for the most important part: the LAPS password can't be retrieved, nor can I see the encrypted password information in the Extension Attribute in Jamf for my test device.
After the LAPS account is created on the device, and the LAPS package is installed successfully, I get the below error:
LAPS Configuration has failed
Cryptkey has not been successfully configured
SecretKey has not been successfully configured
Any ideas as to what could be causing this issue? I have followed the steps to encrypt the API account password and that's the value I've used in the policy I created, which I thought was all I needed to do.
Any help would be much appreciated 😇.
Thanks!!
Posted on 04-13-2023 01:29 AM
Hi @ClaudiaP
So this looks like an authentication issue. I have found that sometimes if a new API account is created the password needs to be reset a couple of times before it can be used in a script. No idea why but it seems to fix this issue.
Another issue could be account permissions. Have a look at this link; it details the minimum permissions for the API account to work.
Keep me posted how you get on.
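The reply above diagnoses the "Cryptkey/SecretKey has not been successfully configured" error as an authentication problem with the API account. An added example, not part of the macOSLAPS project or perryd84's scripts, that confirms the Jamf Pro API account actually authenticates before anything else is changed. It assumes the environment variables JAMF_URL, API_USER and API_PASS (names chosen here) and the Jamf Pro API token endpoints /api/v1/auth/token and /api/v1/auth/invalidate-token:

```shell
#!/bin/sh
# Added example, not part of the macOSLAPS project or perryd84's scripts:
# confirm the Jamf Pro API account authenticates before blaming the LAPS
# configuration. Assumptions: JAMF_URL (e.g. https://jamf.example.com),
# API_USER and API_PASS are set in the environment, and the server exposes
# the Jamf Pro API endpoints /api/v1/auth/token and
# /api/v1/auth/invalidate-token.

# Pull the bearer token out of the JSON body the token endpoint returns.
# Constructed sample body: {"token":"abc.def.ghi","expires":"2023-04-13T02:00:00Z"}
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Map the HTTP status of the token request to a diagnosis. A 401 means the
# username/password pair itself is rejected, which is the kind of failure that
# surfaces as "Cryptkey/SecretKey has not been successfully configured".
# A 200 proves only that the password is accepted; privileges are checked on
# the endpoints the LAPS script calls afterwards, not on the token request.
classify_status() {
  case "$1" in
    200) echo "ok" ;;
    401) echo "bad-credentials" ;;
    *)   echo "unexpected-http-$1" ;;
  esac
}

# Request a token with basic auth, report the diagnosis, and immediately
# invalidate the token so the check leaves nothing usable behind.
check_api_account() {
  body="$(mktemp)"
  code="$(curl -s -o "$body" -w '%{http_code}' -u "$API_USER:$API_PASS" \
              -X POST "$JAMF_URL/api/v1/auth/token")"
  status="$(classify_status "$code")"
  if [ "$status" = ok ]; then
    token="$(extract_token "$(cat "$body")")"
    curl -s -o /dev/null -X POST -H "Authorization: Bearer $token" \
         "$JAMF_URL/api/v1/auth/invalidate-token"
  fi
  rm -f "$body"
  echo "$status"
}

# Run the live check only when all three variables are present.
if [ -n "$JAMF_URL" ] && [ -n "$API_USER" ] && [ -n "$API_PASS" ]; then
  check_api_account
fi
```

If this prints `bad-credentials` after a password reset, the new password has not taken effect yet; if it prints `ok` and the LAPS error persists, look at the account's privileges rather than its password.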
Posted on 04-13-2023 05:51 PM
Hi @perryd84
Thanks heaps, I think I was missing the part about the correct account permissions and also resetting the password has fixed the problem :)
I have completed the full configuration and tested it end to end, and it's all working.
This will make the team very happy.
Thanks again 😊!!
Posted on 04-13-2023 11:26 PM
Hi @ClaudiaP ,
Hope all well. I see it's working for you. Can you help me on below
1. How do we push the LAPS package to machines?
2. As we have 4 policies, do we need to scope all 4 policies to the machines? How about the 'Reset LAPS password' policy: do we need to scope this policy only to the smart group called "LAPS Reset Password", or to other machines as well?
Can you please explain, for each policy, to whom it should be scoped?
3. The decrypt decoder script policy can be scoped to any helpdesk engineer, so can it be scoped to a specific user or only to a specific computer?
4. My API account has the right permissions and I have even reset the password.
5. The policy which I pushed to the test device is still in Pending status for deployment. Any idea why?
Your help is appreciated here!
Posted on 04-14-2023 01:31 AM
Posted on 04-14-2023 01:11 AM
Hi @ClaudiaP
Glad to hear it's working now 👍🏻
Feel free to drop me a message if you run into any other issues.
Posted on 07-26-2023 11:35 AM
@perryd84, is there a way to use the existing management account instead of having your process create a new one? I'd really like to utilize my account already in place but use the LAPS functionality for that account.
Posted on 07-27-2023 01:21 AM
Hi @skinford
The current version does not support existing local admin accounts, unfortunately. A few customers are using a workaround I have provided which removes the existing account and then recreates it using the LAPS script.
There is a beta version of the LAPS tool currently in testing which does take over a local admin account if specified, but there are currently issues if FileVault has previously been enabled and also with existing keychains.
Posted on 07-27-2023 02:48 AM
If you could share that workaround to delete and recreate the current account, that would be great.
And thank you for your work with LAPS. Appreciate everyone who is working towards a good secure solution.
Posted on 07-27-2023 06:27 AM
@perryd84 I guess I may have answered my own question looking again at your GitHub: is the reset script the workaround for deleting the original admin account and recreating it? If so, would you run that instead of the initial Create and Cycle LAPS account script, or am I really off base on this?
Either way, thank you for devoting your time to something worthwhile for the Apple Admin community.
Posted on 07-27-2023 06:34 AM
Hi @skinford
Not exactly. The reset script is to clean up the LAPS account if it runs into any errors or the password falls out of sync, etc.
The workaround I have done for other users is to script the removal of the existing account and then have the LAPS script recreate it all. It's something some users have done themselves, but I'm happy to help you out if needed.
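The workaround described in this post and in the 07-27-2023 01:21 AM reply (remove the existing admin, let the LAPS script recreate it) is not posted in the thread. As an added example, not perryd84's script, here is the removal step with the pre-flight check a practitioner would want given the FileVault caveat mentioned earlier: deleting the only secure-token / FileVault-enabled user leaves nobody who can unlock the disk or grant a token to the recreated account. It assumes the account name is passed as the first argument and that macOS's sysadminctl and fdesetup are available; the parsing functions take command output as text so they can be exercised with constructed samples elsewhere:

```shell
#!/bin/sh
# Added example, not perryd84's workaround script: pre-flight checks before
# removing an existing local admin so the LAPS script can recreate it.
# Assumptions: the account name is passed as $1; on macOS, sysadminctl and
# fdesetup are available. The parsing functions take command output as text
# so they can be exercised with constructed samples on any platform.

# True when `sysadminctl -secureTokenStatus <user>` reports the token enabled.
# Constructed sample line: "sysadminctl[4242:9001] Secure token is ENABLED for user admin"
secure_token_enabled() {
  printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# Number of FileVault-enabled users in `fdesetup list` output (one
# "name,UUID" line per user; empty output means FileVault is off).
fv_user_count() {
  printf '%s\n' "$1" | grep -c ','
}

# Refuse the deletion when the account holds a secure token and is the only
# FileVault-enabled user; otherwise the LAPS script can safely recreate it.
safe_to_delete() {
  name="$1"; token_out="$2"; fv_out="$3"
  if secure_token_enabled "$token_out"; then
    if printf '%s\n' "$fv_out" | grep -q "^$name," \
       && [ "$(fv_user_count "$fv_out")" -le 1 ]; then
      return 1
    fi
  fi
  return 0
}

remove_local_admin() {
  name="$1"
  if [ "$(uname)" != "Darwin" ]; then
    echo "This step only runs on macOS" >&2
    return 2
  fi
  token_out="$(sysadminctl -secureTokenStatus "$name" 2>&1)"
  fv_out="$(fdesetup list 2>/dev/null || true)"
  if ! safe_to_delete "$name" "$token_out" "$fv_out"; then
    echo "Refusing to delete $name: it is the only secure-token/FileVault user" >&2
    return 1
  fi
  # -secure also wipes the home directory (and with it the old keychains),
  # so the recreated LAPS account starts clean.
  sysadminctl -deleteUser "$name" -secure
}

if [ "$#" -gt 0 ]; then
  remove_local_admin "$1"
fi
```

Run it as root with the admin's short name, then let the LAPS create policy run; if it refuses, grant a secure token to another admin (or enable FileVault for one) before retrying.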
Posted on 07-27-2023 06:39 AM
Thank you, @perryd84 ,
That would be great if you have something that you could share that does that I would appreciate it. Thank you again!
Posted on 07-27-2023 06:43 AM
I've sent you a message👍🏻
Posted on 07-27-2023 08:12 AM
I responded a bit ago, thank you!
09-21-2023 01:56 PM - edited 09-21-2023 01:57 PM
Does anyone have issues with using the Jamf Extension Attribute for macosLaps? I noticed the password is written to the EA, but then a day or so later it's blank. It seems to be very inconsistent: some days it's blank and others it has a password. If I force an inventory, it usually appears again.