Recording LAPS for macOS password to EA

Cooley26
New Contributor II

I am having trouble with recording the LAPS for macOS passwords to the LAPS EA. Everything works and there is no error, yet the LAPS EA is blank every time. I can see the password if I look at log details so I know the rest of the process works pretty flawlessly. Here is the script I am using:

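#!/bin/bash

# Jamf Pro API account (hardcoded in the script, as described below)
apiUser=""
apiPass=""
# Jamf Pro URL from the local Jamf preferences, without the trailing slash
apiURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url | sed 's|/$||')
# Hardware UUID used to look the computer up in the API
udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
# Name of the extension attribute; the inner quotes are needed by the XPath string comparison
extAttName="\"LAPS\""

# Read the current value of the LAPS extension attribute for this computer
LAPS_Password=$(curl -s -f -u "$apiUser:$apiPass" -H "Accept: application/xml" "$apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes" | xpath -e "//extension_attribute[name=$extAttName]" 2>&1 | awk -F'<value>|</value>' '{print $2}' | tail -n +1)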

echo $LAPS_Password

I hardcoded the api username and api password to the script.

Here are screenshots of the resulting log and the EA


5 REPLIES

dkmansion
New Contributor II

Hi @Cooley26

You need to return/echo the variable wrapped in result tags

echo "<result>$LAPS_Password</result>"

You may need/want to wrap the variable in curly-braces if spaces were present for expansion

echo "<result>${LAPS_Password}</result>"

This article can speak more to it for you...
Creating Extension Attributes Populated by a Custom Script
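An added example, not part of the original posts: it pulls one extension attribute's value out of the XML that the curl call in the question returns and prints it inside the result tags the reply describes. Because the response is XML, characters such as & and < in a password arrive as entities, so the value is decoded before it is printed. The function names and the sample XML are constructed for illustration.

```shell
#!/bin/bash
# Constructed sample of the extension_attributes subset (not real data).
SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?><computer><extension_attributes>
<extension_attribute><id>7</id><name>Asset Tag</name><type>String</type><multi_value>false</multi_value><value>A-1001</value></extension_attribute>
<extension_attribute><id>12</id><name>LAPS</name><type>String</type><multi_value>false</multi_value><value>aB3&amp;x&lt;9-Qz</value></extension_attribute>
</extension_attributes></computer>'

# ea_value NAME: read the XML on stdin and print the raw <value> of the
# extension attribute called NAME. Exits non-zero if it is absent or empty.
ea_value() {
  awk -v want="$1" '
    { doc = doc $0 }                        # join the response into one string
    END {
      n = split(doc, rec, "</extension_attribute>")
      for (i = 1; i <= n; i++) {
        if (index(rec[i], "<name>" want "</name>") == 0) continue
        s = index(rec[i], "<value>")
        if (s == 0) exit 1                  # attribute exists but has no value
        v = substr(rec[i], s + 7)
        e = index(v, "</value>")
        if (e == 0) exit 1
        print substr(v, 1, e - 1)
        exit 0
      }
      exit 1                                # no attribute with that name
    }'
}

# Turn the five predefined XML entities back into characters (&amp; last,
# so that "&amp;lt;" is not decoded twice).
decode_entities() {
  sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' \
      -e "s/&apos;/'/g" -e 's/&amp;/\&/g'
}

# emit_result XML NAME: print the value in result tags, or fail loudly
# on stderr so a missing attribute is not mistaken for an empty one.
emit_result() {
  local raw value
  raw=$(printf '%s' "$1" | ea_value "$2") || {
    echo "extension attribute '$2' not found or empty" >&2
    return 1
  }
  value=$(printf '%s' "$raw" | decode_entities)
  printf '<result>%s</result>\n' "$value"
}

emit_result "$SAMPLE_XML" "LAPS"
```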

Cooley26
New Contributor II

@dkmansion THANK YOU!! I’ll try this in the morning! If it works I owe you big time!!

Cooley26
New Contributor II

@dkmansion Hmmm... Still not working. Now I get this return in the logs:

dkmansion
New Contributor II

Huh. I do know that all our scripts grabbing any kind of value to insert into EAs we have the result as
echo "<result>$variable</result>"

Here's one of mine: just getting local machine /app info:


If you used the curly brace in my suggestion above, maybe remove that.

Also ensure that the data type in the EA setting is appropriate for your use. I hope this helps get you to a result.

ncworster
New Contributor III

I've just gotten macOSLAPS running in our environment, so allow me to share my configuration if anyone's still running into issues:

Configuration Profile (note that I'm running in "Local" mode):

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DaysTillExpiration</key>
    <integer>30</integer>
    <key>LocalAdminAccount</key>
    <string>YOURACCOUNT</string>
    <key>PasswordLength</key>
    <integer>14</integer>
    <key>RemovePassChars</key>
    <string>{}[]|</string>
    <key>Method</key>
    <string>Local</string>
    <key>FirstPass</key>
    <string>YOURPASSWORD</string>
</dict>
</plist>

Extension Attribute (echoes password to Jamf for easy retrieval):

#!/bin/bash

# Resets macOSLAPS password
/usr/local/laps/macOSLAPS -resetPassword

# Writes macOSLAPS password to file
/usr/local/laps/macOSLAPS -getPassword

# Retrieves password
password=$(sudo cat /var/root/Library/Application\ Support/macOSLAPS-password | awk '{print $0}')

# Echoes result to Jamf MDM
echo "<result>$password</result>"