a week ago
Last year, when I was working on getting moved over to using LAPS instead of using an admin account that we installed using a Jamf Policy, some of my support team members discovered that the password for the Jamf management framework LAPS account was not working on several Macs. We could see in the managed local administrator account history that the password was being rotated on the schedule we set. So, why was the password not working?

I recently discovered that the reason for this is that these Macs had been re-enrolled in Jamf Pro for some reason, likely using "sudo profiles renew -type enrollment". This appears to have broken the ability for Jamf Pro to change the account password on the Mac. I tested this idea on my test Mac. I checked the password, saved it, then re-enrolled the Mac. I waited the period of time we have set for rotation. I checked the password in Jamf Pro again, and found that a new password was recorded. I tried that new password on the Mac with the LAPS account. It didn't work. I then tried the password that I had saved earlier. It worked. The logical conclusion is that re-enrolling breaks password rotations on the Jamf management framework LAPS account.

This made me want to find a way to check if the password in Jamf Pro matched the password for the LAPS account on all my Macs. I wrote a script that uses the Jamf API to query the password in the Mac's inventory, and then checks if it is valid. I found 30 Macs with invalid passwords, and all of them appeared to have been re-enrolled.

Yesterday, while reading posts about LAPS, I found a script written by @talkingmoose that resets the LAPS password. I tried it out and it worked! I know that password rotations for the Jamf management framework LAPS account happen at check-in. I saw that after running the script to reset the password, the new password I set was there when I checked the password in Jamf Pro. I ran "sudo jamf policy" in Terminal. Right after that, the password I set using the script worked.

Sorry for this looooonnnnggg post... My question is: how can I combine the actions? I want to run this script to reset the LAPS password on all the Macs where the password is invalid, and then immediately get the password changed on the Mac. The script that I wrote that checks if the LAPS password shown in Jamf Pro is valid also adds the Macs that failed the password check to a smart group. I can scope this smart group to the policy that runs the password reset script. Would I just add a "jamf policy" command to the end of the script, or is there a specific command that will trigger Jamf Pro to push the password change to the LAPS account on the Mac?

I should add that after I spent about a day working on and testing my script that validates the LAPS password, I noticed that @talkingmoose had also written a script that does that too! Great work!

After all of my researching, I found out that an MDM LAPS account survives a re-enrollment. Its password continues to be rotated properly. For this reason, I'm adding the creation of an MDM LAPS account to my PreStage. I was overruled when I wanted to do this last year!
Here's the LAPS password reset script written by @talkingmoose. I really appreciate having this script available and I wanted to share it with everyone.
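One way to combine the two steps the post asks about (check whether the password Jamf Pro holds still authenticates the local account, and only if it does not, push a new one and trigger a check-in) in a single script. This is an added example, not the poster's validation script and not @talkingmoose's reset script. It assumes the Jamf Pro API client-credentials token endpoint (/api/oauth/token), the v2 local-admin-password paths for reading the current password and for set-password, and the lapsUserPasswordList body shape; confirm those against the API documentation for your Jamf Pro version. The Jamf Pro URL, API client id and secret, the Mac's management id and the LAPS account name are taken from policy parameters 4 through 8 and are placeholders here. The API client should hold only the LAPS read and send-command privileges, and the secret and generated password are passed to curl on stdin so they never appear in the process list.

```shell
#!/bin/bash
# Added example: validate the Jamf Pro LAPS password locally and, only on
# failure, push a replacement and trigger a check-in. Lines marked ASSUMPTION
# are API details taken on trust; verify them for your Jamf Pro version.
set -u

JSS_URL="${4:-https://jamf.example.com}"   # parameter 4: Jamf Pro URL (placeholder)
CLIENT_ID="${5:-}"                         # parameter 5: API client id
CLIENT_SECRET="${6:-}"                     # parameter 6: API client secret
MGMT_ID="${7:-}"                           # parameter 7: this Mac's management id
LAPS_USER="${8:-jamfadmin}"                # parameter 8: LAPS account (placeholder)
DSCL_BIN="${DSCL_BIN:-/usr/bin/dscl}"      # overridable so the auth check can be stubbed
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"

# Extract one top-level string field from a flat JSON object on stdin without jq.
# Assumes the value contains no JSON-escaped characters (true for the token and
# for Jamf's generated alphanumeric LAPS passwords).
json_string_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Does password $2 authenticate local account $1?  dscl -authonly exits 0 on success.
local_password_valid() {
  "$DSCL_BIN" /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# Body for the set-password command.  ASSUMPTION: lapsUserPasswordList shape.
set_password_body() {
  printf '{"lapsUserPasswordList":[{"username":"%s","password":"%s"}]}' "$1" "$2"
}

# 24-character alphanumeric password; it is never echoed or logged.
new_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# Client-credentials token.  ASSUMPTION: /api/oauth/token.  Secret read from stdin.
get_token() {
  printf '%s' "$CLIENT_SECRET" | curl -fsS -X POST "$JSS_URL/api/oauth/token" \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_secret@/dev/stdin" | json_string_field access_token
}

# Password Jamf Pro currently holds.  ASSUMPTION: v2 local-admin-password path.
current_laps_password() {  # $1 = token
  curl -fsS -H "Authorization: Bearer $1" -H "Accept: application/json" \
    "$JSS_URL/api/v2/local-admin-password/$MGMT_ID/account/$LAPS_USER/password" \
    | json_string_field password
}

# Queue a set-password command.  ASSUMPTION: set-password path.  Body on stdin.
push_new_password() {  # $1 = token, $2 = password
  set_password_body "$LAPS_USER" "$2" | curl -fsS -o /dev/null -X POST \
    -H "Authorization: Bearer $1" -H "Content-Type: application/json" \
    --data-binary @- "$JSS_URL/api/v2/local-admin-password/$MGMT_ID/set-password"
}

main() {
  token=$(get_token) || { echo "token request failed"; return 1; }
  stored=$(current_laps_password "$token")
  if [ -n "$stored" ] && local_password_valid "$LAPS_USER" "$stored"; then
    echo "LAPS password for $LAPS_USER is valid; nothing to do"
    return 0
  fi
  echo "stored LAPS password does not authenticate; resetting"
  fresh=$(new_password)
  push_new_password "$token" "$fresh" || { echo "set-password failed"; return 1; }
  # The management framework applies the command at check-in, so trigger one
  # and confirm locally rather than trusting the value shown in Jamf Pro.
  for _ in 1 2 3 4 5 6; do
    "$JAMF_BIN" policy >/dev/null 2>&1
    if local_password_valid "$LAPS_USER" "$fresh"; then
      echo "reset applied and verified on this Mac"
      return 0
    fi
    sleep 10
  done
  echo "reset not applied after polling; check the Mac's MDM command history"
  return 2
}

# Run only when a management id was supplied (e.g. from a policy parameter).
if [ -n "$MGMT_ID" ]; then
  main
  exit $?
fi
```

The decisive check is local_password_valid: the history in Jamf Pro showing a rotation says only that a new value was recorded, not that the Mac applied it, which is exactly the gap the post describes after a re-enrollment. If you run this as a Jamf policy script rather than from an SSH or ARD session, do not rely on the nested jamf policy call; the queued set-password command still gets applied at the Mac's next check-in, and the verify loop will simply report that it has not yet landed.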