MacosLAPS by Joshua Miller

etarasula
New Contributor II

Hi there

 

So this "Seems" to be most recognized LAPS for MacOS - https://github.com/joshua-d-miller/macOSLAPS 

 

Has anyone actually got this up and running? We had spends a few days so far messing with this but were not able to get it working properly, I think we are missing something small but important. 

 

Thanks in advance! 

56 REPLIES 56

perryd84
Contributor III

No categories are more for your own management to find thing and keep things neat. Nice to have I always use categories for keeping track of policies/profiles etc.

Stady
New Contributor II

Hi @perryd84 

I am just thinking how the custom trigger will initiate the LAPS?

How the LAPS process will get initiated? I have scoped 4 machines but none of them is getting pushed so was wondering.

ClaudiaP
New Contributor II

Hi @perryd84, first of all, nice work on putting this LAPS solution together. I have been struggling to find a more secured LAPS solution for MacOS in our company that can replace an old script from 7 years ago which now has multiple problems.

I have gone through your setup, and I have got most of it working except for the most important part; the LAPS password can't be retrieved, neither can't I see the encrypted password information in the Extension Attribute in Jamf for my test device. 

After the LAPS account is created on the device, and the LAPS package in installed successfully, I get the below error:

LAPS Configuration has failed

Cryptkey has not been successfully configured

SecretKey has not been successfully configured 

ClaudiaP_1-1681359849821.png

Any ideas as to what could be causing this issue? I have followed the steps to encrypt the API account password and that's the value I've used in the policy I created, which I though was all I needed to do. 

Any help would be much appreciated 😇.

Thanks!!

perryd84
Contributor III

Hi @ClaudiaP 

So this looks like an authentication issue. I have found that sometimes if a new API account is created the password needs to be reset a couple of times before it can be used in a script. No idea why but it seems to fix this issue.

Another issue could be account permissions. Have a look at this link it details the lowest amount of permission for the API account to work.

Keep me posted how you get on.

ClaudiaP
New Contributor II

Hi @perryd84 

Thanks heaps, I think I was missing the part about the correct account permissions and also resetting the password has fixed the problem :)

I have completed the full configuration and tested it end to end, and it's all working.

this will make the team very happy.

Thanks again 😊!!

Stady
New Contributor II

Hi @ClaudiaP , 

Hope all well. I see it's working for you. Can you help me on below

 

1. How do we push LAPS package to machine? 

2. As we have 4 policies, do we need to scope all these 4 policies to the machines? How about 'Reset LAPS password policy' do we need to scope this policy only to the smart group called "LAPS Reset Password" Or with any other machine? 

Can you please explain each policy to whom to be scoped? 

 

3. The decrypt decoder script policy can be scoped to any helpdesk engineer so it can be scoped to only user specific or computer specific? 

4.My API account has right permission and even I reset the password. 

5.The policy which I pushed to test device the deployment is still in Pending status. Any idea why? 

Your help is appreciated here! ! 

Stady
New Contributor II

Hi @ClaudiaP @perryd84 , 

 

Can anyone of you respond for my query below? 

I am stuck. 

 

Your help is really appreciated here  !  

Hi @ClaudiaP 

Glad to hear its working now 👍🏻

Feel free to drop me a message if you run into any other issues.

skinford
Contributor III

@perryd84, is there a way to use the existing management account instead of having your process create a new one?  I'd really like to utilize my account already in place but use the LAPS functionality for that account.

Hi @skinford 

The current version does not support existing local admin accounts unfortunately. A few customers are using a work around I have provided which removes the existing account and then recreates it using the LAPS script.

There is a beta version of the LAPS tool currently in testing which does take over a local admin account if specified but there are currently issues if Filevault has previously been enabled and also existing keychains.

If you could share that work around to delete and recreate the current account that would be great.

And thank you for your work with LAPS. Appreciate everyone who is working towards a good secure solution.

@perryd84 I guess I may have answered my own question looking again at your GitHub, is the reset script the workaround to deleting the original admin account and recreating it?  If so would you run that instead of the initial Create and Cycle LAPS account script, or am I really off base on this?

Either way, thank you for devoting your time to something worthwhile for the Apple Admin community. 

Hi @skinford 

Not exactly. The reset script is to clean up the LAPS account if it runs into any errors or the password falls out of sync etc.

The work around I have done for other users is to script the removal of the existing account and then have the LAPS script recreate it all. It's something some users have done themselves but I'm happy to help you out if needed?

Thank you, @perryd84 ,

That would be great if you have something that you could share that does that I would appreciate it.  Thank you again!

I've sent you a message👍🏻

I responded a bit ago, thank you!

Kmartin
New Contributor III

Does anyone have issues with using the JAMF Extension Attribute for macosLaps? I noticed the password is written to the EA, but then a day or so later its blank. It seems to be very inconsistent, some days its blank and others it has a password. If I force an inventory, then usually it appears again.