MacosLAPS by Joshua Miller

etarasula
New Contributor II

Hi there

 

So this "Seems" to be most recognized LAPS for MacOS - https://github.com/joshua-d-miller/macOSLAPS 

 

Has anyone actually got this up and running? We had spends a few days so far messing with this but were not able to get it working properly, I think we are missing something small but important. 

 

Thanks in advance! 

12 REPLIES 12

SteveC
New Contributor III

I have this running in my environment - what do you have setup so far?

etarasula
New Contributor II

Hello Steve and thank you for replying. 

So far we had done:
1. Created edu.psu.macoslaps.plist file and placed it into /Library/Managed Preferences
File itself looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>LocalAdminAccount</key>
    <string>SomeLocalAdmin</string>
    <key>DaysTillExpiration</key>
    <integer>0</integer>
    <key>PasswordLength</key>
    <integer>12</integer>
    <key>RemoveKeychain</key>
    <true/>
    <key>FirstPass</key>
    <string>FirstPassword</string>
  </dict>
</plist>

However we are not sure if there should be line for Method if its being used by MDM and if there should be one what should it say for the String. 

2. Ran the PKG to install main pieces. PKG came from here - https://github.com/joshua-d-miller/macOSLAPS/releases/download/2.1.0(721)/macOSLAPS-2.1.0.721.pkg

3. Created JAMF extension attribute to collect the info. It is powered by this script:
#!/bin/bash
# Path to macOSLAPS binary
laps=/usr/local/laps/macOSLAPS
if [ -e $laps ] ; then
# Ask macOSLAPS to write out the current password and echo it for the Jamf EA
$laps -getPassword
current_password=$( cat "/var/root/Library/Application Support/macOSLAPS-password" )
expiration_date=$( cat "/var/root/Library/Application Support/macOSLAPS-expiration" )
# Test $current_password to ensure there is a value
if [ -z "$current_password" ]; then
# The $current_password variable is empty, not writing anything
exit 0
else
# We know that $current_password has a value so writing it to Jamf
echo "<result>Password: $current_password
Expiration: $expiration_date</result>"
# Run macOSLAPS a second time to remove the password file from the system
$laps
fi
else
echo "<result>Not Installed</result>"
fi
exit 0

Ok i think this is about all we could dig up on how to get it working. Since it does not i am quite sure something is missing. 

Thanks a ton again :)


 

 

SteveC
New Contributor III

Ah, I am using MacOSLAPS in conjunction with Active Directory.  I'm not familiar with the specifics of operating it otherwise.  Which part isn't working in your setup? Changing the password or retrieving and storing it in Jamf?

etarasula
New Contributor II
Changing the password it seems ;/


[Image]

Eugene Tarasula

Sr. Mobility Support

Tel: +1 (925) 558-5796
EMail: ETarasula@RiminiStreet.com
Web: RiminiStreet.com
NASDAQ: RMNI

[Image]

This message and any attached documents may contain information that is confidential and may constitute inside information. If you are not an intended recipient, you are directed not to read, disclose, distribute or otherwise use this transmission. Delivery of this message is not intended to waive confidentiality. If you have received this email in error, please notify the sender immediately and delete this message from your system. Your privacyis important to us, and you may manage your contact preferences here. Rimini Street, Inc., Worldwide Headquarters: 3993 Howard Hughes Parkway, Las Vegas NV 89169. +1.702.839.9671 www.riministreet.com

etarasula
New Contributor II

OK so seems like i was wrong!

It does seems to change password locally as i cant any longer use the Admin account with the password i knew. 

However what its showing me in JAMF is also not correct and does not allow me to use that either. So i am not sure where its pulling it from or why it does NOT pull right one. 

 

What does your extension attribute looks like? 

BGhilardi
New Contributor II

Good morning,
I’m also trying to implement macoslaps. have you found a solution?

AZAKRAM
New Contributor

I am trying to use this and so far 50% of time it works fine and rest of the time it does not return anything.

When I try to go on those computers and try to run manually it gives me following error.

cfjamfadmin@Jamftestuser-M1 laps % sudo ./macOSLAPS -resetpassword

Error|2022-06-13 10:26:17|macOSLAPS|This machine does not appear to be bound to Active Directory

cfjamfadmin@Jamftestuser-M1 laps % 

I am not connected to AD and don't want Macs to be. So why it gives me this error

As macOSLAPS defaults to AD, is the Method setting set to Local?

etarasula
New Contributor II

I was not able to make this work RELIABLY. When it works it works just fine but at times it just does not. This obviously is a huge issue as one cant rely on the system that is there for emergencies kind of situations but in itself not reliable. 

perryd84
Contributor

I've been working on a LAPS solution for macs and have created a couple of scripts to manage the cycle of the password and account creation and an app to show the password when it's needed.

Some other LAPS for mac solutions display the admin password in plain text in Jamf which is a massive security risk. My script encrypts it all and never displays the password unless you use the decryption script which you can scope to just admin users.

I've detailed the setup on my github and the scripts are there as well.
https://github.com/PezzaD84/macOSLAPS

Check it out to see if it does what you need.

JennyGarland
New Contributor

@perryd84How are you getting the encrypted creds?

Jenny Garland

Hi @JennyGarland 

I've added a short script to my github as a few people have asked this same question.
https://github.com/PezzaD84/macOSLAPS/blob/main/Encode%20API%20Credentials
Check out that script which will encode your api credentials.