Recording LAPS for macOS password to EA

Cooley26
New Contributor II

I am having trouble with recording the LAPS for macOS passwords to the LAPS EA. Everything works and there is no error, yet the LAPS EA is blank every time. I can see the password if I look at log details so I know the rest of the process works pretty flawlessly. Here is the script I am using:

#!/bin/bash

apiUser=""
apiPass=""
apiURL=$(/usr/bin/defaults read /Library/Preferences/com.jamfsoftware.jamf.plist jss_url | sed 's|/$||')
udid=$(/usr/sbin/system_profiler SPHardwareDataType | /usr/bin/awk '/Hardware UUID:/ { print $3 }')
extAttName="LAPS"

# The XPath predicate needs the EA name as a quoted string literal, and the URL and credentials should be quoted
LAPS_Password=$(curl -s -f -u "$apiUser:$apiPass" -H "Accept: application/xml" "$apiURL/JSSResource/computers/udid/$udid/subset/extension_attributes" | xpath -e "//extension_attribute[name='$extAttName']" 2>&1 | awk -F'<value>|</value>' '{print $2}' | tail -n +1)

echo "$LAPS_Password"

I hardcoded the api username and api password to the script.

Here are screenshots of the resulting log and the EA

[screenshots]


dkmansion
New Contributor II

Hi @Cooley26

You need to return/echo the variable wrapped in result tags

echo "<result>$LAPS_Password</result>"

You may need/want to wrap the variable in curly-braces if spaces were present for expansion

echo "<result>${LAPS_Password}</result>"

This article can speak more to it for you...
Creating Extension Attributes Populated by a Custom Script

Cooley26
New Contributor II

@dkmansion THANK YOU!! I’ll try this in the morning! If it works I owe you bug time!!

Cooley26
New Contributor II

@dkmansion Hmmm... Still not working. Now I get this return in the logs: [screenshot]

dkmansion
New Contributor II

Huh. I do know that in all our scripts that grab any kind of value to insert into EAs, we have the result as
echo "<result>$variable</result>"

Here's one of mine: just getting local machine /app info:

[screenshot]

If you used the curly brace in my suggestion above, maybe remove that.

Also, ensure that the data type in the EA setting is appropriate for your use. I hope this helps get you to a result.

ncworster
New Contributor III

I've just gotten macOSLAPS running in our environment, so allow me to share my configuration if anyone's still running into issues:

Configuration Profile (note that I'm running in "Local" mode):

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>DaysTillExpiration</key>
    <integer>30</integer>
    <key>LocalAdminAccount</key>
    <string>YOURACCOUNT</string>
    <key>PasswordLength</key>
    <integer>14</integer>
    <key>RemovePassChars</key>
    <string>{}[]|</string>
    <key>Method</key>
    <string>Local</string>
    <key>FirstPass</key>
    <string>YOURPASSWORD</string>
</dict>
</plist>

Extension Attribute (echoes password to Jamf for easy retrieval):

#!/bin/bash

# Resets macOSLAPS password
/usr/local/laps/macOSLAPS -resetPassword

# Writes macOSLAPS password to file
/usr/local/laps/macOSLAPS -getPassword

# Retrieves password
password=$(sudo cat /var/root/Library/Application\ Support/macOSLAPS-password | awk '{print $0}')

# Echoes result to Jamf MDM
echo "<result>$password</result>"

A few things. Using

<key>FirstPass</key><string>YOURPASSWORD</string>

Doesn't that show the password in the profile on the user's system?

Also, using

password=$(sudo cat /var/root/Library/Application\ Support/macOSLAPS-password | awk '{print $0}')

That means the password is in a text file, so if a user is logged in, they could go to /var/root/Library/Application\ Support/macOSLAPS-password and get the admin password for the local admin account, correct?


ncworster
New Contributor III

Yup, correct on both counts:

1. Yes, it does show the password in the configuration profile. But that password is temporary anyway and our provisioning model has the technician log in first - so by the time the end-user might see this, it has already changed. (Obviously, this wouldn't work in all cases or at all companies.) You could populate that initial password in a myriad of ways, or even generate it to include a variable or random number generator to obfuscate things - but that's not strictly needed in my environment. And just to clarify, this would require not including the "FirstPass" key in the configuration profile and instead writing that value separately, like by using a script leveraging "defaults".

2. Yes, this does store the password in the file which is why I added an "rm" command in the production version to immediately delete it after the EA echo but before the "exit 0" - the file exists for milliseconds. 

EDIT: This is probably a better solution, but I haven't yet investigated further: https://github.com/PezzaD84/macOSLAPS 

Credit to @perryd84 from the thread here: https://community.jamf.com/t5/jamf-pro/macoslaps-by-joshua-miller/m-p/281535#M253790
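Pulling together dkmansion's point about wrapping the value in result tags and ncworster's point about deleting the password file right after the echo, here is an added example of a complete EA body. It is not code posted in this thread or shipped with macOSLAPS; it assumes the macOSLAPS binary and password file paths quoted above, and the names LAPS_BIN, LAPS_FILE, emit_result and report_laps_password are introduced here. Unlike the script above it calls only -getPassword, so the current password is reported without being rotated on every inventory run, and a missing or empty file produces a visible ERROR value rather than a blank attribute:

```bash
#!/bin/bash
# Added example, not code from this thread or from the macOSLAPS project.
# Every code path prints exactly one <result> line, and the plaintext file
# macOSLAPS writes is deleted as soon as it has been read. LAPS_BIN and
# LAPS_FILE default to the paths quoted in the thread; both can be overridden
# so the functions can be exercised against a constructed file.

LAPS_BIN="${LAPS_BIN:-/usr/local/laps/macOSLAPS}"
LAPS_FILE="${LAPS_FILE:-/var/root/Library/Application Support/macOSLAPS-password}"

# Jamf records only the text between the tags, so even the failure path must
# print a <result>; a script that prints nothing at all leaves the EA blank.
emit_result() {
    printf '<result>%s</result>\n' "$1"
}

# Report the password stored in file $1, then delete that file.
# Returns 0 when a password was reported, 1 when the file was missing or empty
# (an ERROR value visible in Jamf is easier to act on than an empty attribute).
report_laps_password() {
    file="$1"
    if [ ! -s "$file" ]; then
        emit_result "ERROR: password file missing or empty"
        return 1
    fi
    # $(cat ...) drops trailing newlines but keeps every other character, so a
    # password containing spaces or $ passes through untouched.
    password=$(cat "$file")
    emit_result "$password"
    # Remove the plaintext copy immediately after reading it. EA scripts run as
    # root, so no sudo is needed; on macOS, rm -P would also overwrite the blocks.
    rm -f -- "$file"
    return 0
}

# Ask macOSLAPS to write the current password to LAPS_FILE. Only -getPassword is
# used here; -resetPassword, as in the thread's script, would rotate the password
# on every inventory run.
if [ -x "$LAPS_BIN" ]; then
    "$LAPS_BIN" -getPassword
fi

# "|| :" keeps the script's exit status 0 even on the error path, so Jamf still
# records the ERROR value rather than treating the EA run as a script failure.
report_laps_password "$LAPS_FILE" || :
```

The function takes the file path as an argument so it can be tried on a scratch file before being deployed as an EA; on a real Mac the default path is the one macOSLAPS writes, and the file is gone by the time the inventory submission finishes.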

Stady
New Contributor II

Hello,


I am looking to implement LAPS on Macs using Jamf Pro. Can anyone please provide me with step-by-step instructions to get this accomplished?

Your help is appreciated