Posted on 03-29-2021 02:48 PM
I am having trouble with recording the LAPS for macOS passwords to the LAPS EA. Everything works and there is no error, yet the LAPS EA is blank every time. I can see the password if I look at log details so I know the rest of the process works pretty flawlessly. Here is the script I am using:
#!/bin/bash
apiUser=""
apiPass=""
# Jamf Pro URL from the management framework preferences, trailing slash removed
apiURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url | sed 's|/$||')
udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
extAttName="LAPS"
# Pull this computer's extension attributes and extract the <value> of the one named $extAttName
LAPS_Password=$(curl -s -f -u "$apiUser:$apiPass" -H "Accept: application/xml" "$apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes" | xpath -e "//extension_attribute[name='$extAttName']" 2>&1 | awk -F'<value>|</value>' '{print $2}')
echo $LAPS_Password
I hardcoded the api username and api password to the script.
Here are screenshots of the resulting log and the EA
Posted on 03-29-2021 03:47 PM
Hi @Cooley26
You need to return/echo the variable wrapped in result tags:
echo "<result>$LAPS_Password</result>"
You may need/want to wrap the variable in curly braces if spaces are present, for expansion:
echo "<result>${LAPS_Password}</result>"
This article can speak more to it for you...
Creating Extension Attributes Populated by a Custom Script
Posted on 03-29-2021 08:36 PM
@dkmansion THANK YOU!! I’ll try this in the morning! If it works I owe you bug time!!
Posted on 03-30-2021 05:09 AM
@dkmansion Hmmm... Still not working. Now I get this return in the logs:
Posted on 03-30-2021 12:42 PM
Huh. I do know that in all our scripts grabbing any kind of value to insert into EAs, we have the result as
echo "<result>$variable</result>"
Here's one of mine: just getting local machine /app info:
If you used the curly brace in my suggestion above, maybe remove that.
Also, ensure that the data type in the EA setting is appropriate for your use. I hope this helps get you to a result.
Posted on 06-28-2022 04:52 PM
I've just gotten macOSLAPS running in our environment, so allow me to share my configuration if anyone's still running into issues:
Configuration Profile (note that I'm running in "Local" mode):
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>DaysTillExpiration</key>
<integer>30</integer>
<key>LocalAdminAccount</key>
<string>YOURACCOUNT</string>
<key>PasswordLength</key>
<integer>14</integer>
<key>RemovePassChars</key>
<string>{}[]|</string>
<key>Method</key>
<string>Local</string>
<key>FirstPass</key>
<string>YOURPASSWORD</string>
</dict>
</plist>
Extension Attribute (echoes password to Jamf for easy retrieval):
#!/bin/bash
#Resets macOSLAPS password
/usr/local/laps/macOSLAPS -resetPassword
#Writes macOSLAPS password to file
/usr/local/laps/macOSLAPS -getPassword
#Retrieves password
password=$(sudo cat /var/root/Library/Application\ Support/macOSLAPS-password | awk '{print $0}')
#Echoes result to Jamf MDM
echo "<result>$password</result>"
Posted on 02-09-2023 08:31 AM
A few things. Using
<key>FirstPass</key><string>YOURPASSWORD</string>
Doesn't that show the password in the profile on the users system?
Also, using
password=$(sudo cat /var/root/Library/Application\ Support/macOSLAPS-password | awk '{print $0}')
That means the password is in a text file, so if a user is logged in, they could go to /var/root/Library/Application\ Support/macOSLAPS-password and get the admin password for the local admin account, correct?
02-10-2023 10:51 AM - edited 02-10-2023 11:00 AM
Yup, correct on both counts:
1. Yes, it does show the password in the configuration profile. But that password is temporary anyway and our provisioning model has the technician login first - so by the time the end-user might see this, it has already changed. (Obviously, this wouldn't work in all cases or at all companies.) You could populate that initial password in a myriad of ways, or even generate it to include a variable or random number generator to obfuscate things - but that's not strictly needed in my environment. And just to clarify, this would require not including the "FirstPass" key in the configuration profile and instead writing that value separately, like by using a script leveraging "defaults".
2. Yes, this does store the password in the file which is why I added an "rm" command in the production version to immediately delete it after the EA echo but before the "exit 0" - the file exists for milliseconds.
EDIT: This is probably a better solution, but I haven't yet investigated further: https://github.com/PezzaD84/macOSLAPS
Credit to @perryd84 from the thread here: https://community.jamf.com/t5/jamf-pro/macoslaps-by-joshua-miller/m-p/281535#M253790
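The production variant described in this reply (echo the result, then rm the file before exiting), as an added example that is not the poster's own EA script: it reads the password file at the path quoted in the thread into the result tag, removes the file right after reading it, and refuses a file whose mode is not exactly 0600. The macOSLAPS binary location and the permission check are assumptions, not something the thread states.

```shell
#!/bin/bash
# Added example, not the thread's own EA script. Same flow the poster uses in
# production (read the macOSLAPS password file into a <result> tag, delete the
# file) plus the checks a practitioner would want. PASS_FILE is the path quoted
# in the thread; LAPS_BIN is an assumption about where macOSLAPS is installed.
LAPS_BIN="/usr/local/laps/macOSLAPS"
PASS_FILE="/var/root/Library/Application Support/macOSLAPS-password"

# emit_result FILE
# Prints <result>PASSWORD</result> built from FILE and removes FILE, so the
# cleartext is on disk only for the duration of this function. Refuses to use
# the file unless its mode is exactly 0600: a looser mode means another account
# may already have been able to read it, so that is reported as an error rather
# than handed to Jamf as if it were fine. The file is deleted in every branch.
emit_result() {
    local file="$1" password
    if [ ! -f "$file" ]; then
        echo "<result>ERROR: password file missing</result>"
        return 1
    fi
    # find -perm with no +/- prefix matches the mode exactly (BSD and GNU find)
    if [ -z "$(find "$file" -maxdepth 0 -perm 600 2>/dev/null)" ]; then
        rm -f "$file"
        echo "<result>ERROR: password file had unsafe permissions</result>"
        return 1
    fi
    password=$(cat "$file")
    rm -f "$file"                       # delete before anything else can read it
    if [ -z "$password" ]; then
        echo "<result>ERROR: password file was empty</result>"
        return 1
    fi
    echo "<result>${password}</result>"
}

# Real EA flow: only runs where macOSLAPS is actually installed, so the file
# can also be executed elsewhere to exercise emit_result on a sample file.
if [ -x "$LAPS_BIN" ]; then
    "$LAPS_BIN" -resetPassword >/dev/null 2>&1   # rotate first, as the poster does
    "$LAPS_BIN" -getPassword  >/dev/null 2>&1    # writes PASS_FILE
    emit_result "$PASS_FILE"
fi
```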
Posted on 04-11-2023 04:31 AM
Hello,
I am looking to implement LAPS on Macs using Jamf Pro. Can anyone please provide me the step-by-step instructions to get this accomplished?
Your help is appreciated.