
[macOS] How to manage and make use of macOSLAPS by Joshua D Miller via JumpCloud

JuergenKlaassen
Rising Star III

Hi Community Folks

You might have heard of Joshua's project called macOSLAPS? If not, check it out here first to get familiar with it.

macOSLAPS (Local Administrator Password Solution)

Swift binary that utilizes Open Directory in order to perform password changes for a specified local administrator. The password is randomly generated and can be configured with your own settings. Make the password as long or as short as you want.

Now, how can I make use of this with JumpCloud as my preferred MDM for macOS devices and, most importantly, without relying on AD to store and acquire the local admin passwords? I'll show you how.


1. Deploy macOSLAPS to your fleet

You will have two very easy options here:
- Deploy it as a Custom App, hosted by JumpCloud, by simply uploading the PKG, or
[Screenshot: SCR-20240712-oevh.png]

- Deploy it as a 'Self-Hosted' App by directly keying in the URL from the GitHub repo
[Screenshot: SCR-20240712-ofiq.png]

2. Configure macOSLAPS via a Custom Policy

To configure the app for each device you can create a Custom Policy utilizing the respective and adjusted .mobileconfig:

[Screenshot: SCR-20240712-oftd.png]

For reference, my configuration profile looks like this: 

 

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>DaysTillExpiration</key>
                <integer>1</integer>
                <key>FirstPass</key>
                <string>Passwordpassword01</string>
                <key>LocalAdminAccount</key>
                <string>localadmin</string>
                <key>Method</key>
                <string>Local</string>
                <key>PasswordGrouping</key>
                <integer>5</integer>
                <key>PasswordLength</key>
                <integer>25</integer>
                <key>PasswordRequirements</key>
                <dict>
                    <key>Lowercase</key>
                    <integer>3</integer>
                    <key>Number</key>
                    <integer>3</integer>
                    <key>Uppercase</key>
                    <integer>3</integer>
                </dict>
                <key>PasswordSeparator</key>
                <string>-</string>
                <key>PayloadDisplayName</key>
                <string>macOS LAPS</string>
                <key>PayloadIdentifier</key>
                <string>edu.psu.macoslaps.6187ACD2-4E8D-49A4-801A-E13F346C8287</string>
                <key>PayloadType</key>
                <string>edu.psu.macoslaps</string>
                <key>PayloadUUID</key>
                <string>6187ACD2-4E8D-49A4-801A-E13F346C8287</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>macOSLAPS Config</string>
        <key>PayloadIdentifier</key>
        <string>com.jumpcloud.mdm.custom-policy.0c39bfa2-171a-51bf-addd-cfc4fc18a0ab</string>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadUUID</key>
        <string>0c39bfa2-171a-51bf-addd-cfc4fc18a0ab</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
</plist>

 

3. Retrieval of the current password for your dedicated local admin account

For now I have two options to offer here (and I might work out more options over time, e.g. writing it to the description field or exporting to another vault of choice):
- local retrieval from the Keychain
- remote retrieval via a JumpCloud Command

Local retrieval from the Keychain

This is fairly simple as long as you have the right permissions to access the respective Keychain:

[Screenshot: SCR-20240712-ogrg.jpeg]

CLI command:

security find-generic-password -w -s 'macOSLAPS' -a 'LAPS Password'

Remote retrieval via a JumpCloud Command

For this approach I came up with a script, with inspiration from here:
#!/bin/bash

# Ask macOSLAPS to write out the current password to the system keychain
/usr/local/laps/macOSLAPS -getPassword > /dev/null

# Check if macOSLAPS command was successful
if [ $? -ne 0 ]; then
    echo "ERROR: macOSLAPS command failed."
    exit 1
fi

# Read the service name from the specified location
SERVICE_NAME_FILE="/var/root/.GeneratedLAPSServiceName"
if [ ! -f "$SERVICE_NAME_FILE" ]; then
    echo "ERROR: Service name file not found: $SERVICE_NAME_FILE"
    exit 1
fi

SERVICE_NAME=$(cat "$SERVICE_NAME_FILE")

# Validate service name
if [ -z "$SERVICE_NAME" ]; then
    echo "ERROR: Service name is empty."
    exit 1
fi

# Debugging information
echo "Service name retrieved: $SERVICE_NAME"

# Retrieve the current password using the security command
CURRENT_PASSWORD=$(security find-generic-password -s "$SERVICE_NAME" -w 2>&1)

# Check if the command was successful
if [ $? -ne 0 ]; then
    echo "ERROR: Failed to retrieve password."
    echo "Security command output: $CURRENT_PASSWORD"
    exit 1
fi

# Validate retrieved password
if [ -z "$CURRENT_PASSWORD" ]; then
    echo "ERROR: Retrieved password is empty."
    exit 1
fi

# Output the password
echo "The password is: $CURRENT_PASSWORD"


When you execute this script against a device you will retrieve the password within the Command Result:

[Screenshot: SCR-20240712-ogam.png]

As always, thanks for reading and I hope you find this helpful...

-Juergen 
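The profile in step 2 sets PasswordLength, PasswordGrouping, PasswordSeparator and PasswordRequirements, but nothing in the retrieval step tells you whether the rotated password actually matches that policy (a profile that never applied would silently leave the macOSLAPS defaults in place). The following is an added example, not from the original post and not part of macOSLAPS, that checks a retrieved password against the values from the profile above. It assumes that PasswordLength counts the random characters only (separators excluded) and that PasswordGrouping is the size of each separator-delimited block; both are my reading of the keys, not something the post confirms. The sample password in the script is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post or of macOSLAPS: verify that a
# LAPS password matches the policy keys set in the configuration profile above.
# ASSUMPTIONS (not confirmed by the post): PasswordLength counts random
# characters only, separators excluded; PasswordGrouping is the size of each
# separator-delimited block.

# Values copied from the profile's PayloadContent
PASSWORD_LENGTH=25
PASSWORD_GROUPING=5
PASSWORD_SEPARATOR='-'
MIN_LOWER=3      # PasswordRequirements/Lowercase
MIN_UPPER=3      # PasswordRequirements/Uppercase
MIN_NUMBER=3     # PasswordRequirements/Number

# Print how many characters of $1 fall into the POSIX class $2 (lower, upper, digit).
count_class() {
    stripped=$(printf '%s' "$1" | tr -d "[:$2:]")
    echo $(( ${#1} - ${#stripped} ))
}

# Re-group a raw (separator-free) string into PASSWORD_GROUPING-sized blocks,
# i.e. xxxxx-xxxxx-xxxxx-xxxxx-xxxxx for length 25 and grouping 5.
group_password() {
    rest=$1
    grouped=""
    while [ -n "$rest" ]; do
        block=$(printf '%s' "$rest" | cut -c1-"$PASSWORD_GROUPING")
        rest=$(printf '%s' "$rest" | cut -c"$((PASSWORD_GROUPING + 1))"-)
        grouped="${grouped:+$grouped$PASSWORD_SEPARATOR}$block"
    done
    printf '%s' "$grouped"
}

# Return 0 if $1 satisfies every policy value above, 1 otherwise.
# Each violated rule is reported on stderr so the caller sees all of them.
validate_laps_password() {
    pw=$1
    rc=0
    raw=$(printf '%s' "$pw" | tr -d -- "$PASSWORD_SEPARATOR")

    if [ "${#raw}" -ne "$PASSWORD_LENGTH" ]; then
        echo "FAIL: ${#raw} random characters, profile requires $PASSWORD_LENGTH" >&2
        rc=1
    fi
    if [ "$pw" != "$(group_password "$raw")" ]; then
        echo "FAIL: not grouped in blocks of $PASSWORD_GROUPING separated by '$PASSWORD_SEPARATOR'" >&2
        rc=1
    fi
    for rule in "lower $MIN_LOWER" "upper $MIN_UPPER" "digit $MIN_NUMBER"; do
        set -- $rule                      # $1 = class name, $2 = minimum count
        have=$(count_class "$raw" "$1")
        if [ "$have" -lt "$2" ]; then
            echo "FAIL: $have $1 characters, profile requires at least $2" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample that satisfies the profile; it is not a real LAPS password.
SAMPLE_PASSWORD='Ab3Cd-4eF5g-H6iJ7-kL8mN-9oP0q'

# With an argument, check that password; otherwise check the constructed sample.
CANDIDATE=${1:-$SAMPLE_PASSWORD}
if validate_laps_password "$CANDIDATE"; then
    echo "OK: password matches the macOSLAPS profile policy"
else
    echo "MISMATCH: password does not match the macOSLAPS profile policy"
fi
```

Passing the output of the `security find-generic-password` command from the post as the first argument checks the live password on a device; with no argument the constructed sample is checked. The checks are deliberately reported together rather than stopping at the first one, so a mismatch in length plus a mismatch in grouping, which is what a device still running on default settings would show, is visible in one run.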

 

1 REPLY

PTCruiserGT
Novitiate I

Hi, Joshua's macOSLAPS no longer seems to work since macOS 15.1. Others have reported similarly here: LAPS for macOS : r/Intune.

Have you been able to get it to work?
