07-12-2024 04:37 AM - edited 07-12-2024 08:56 PM
Hi Community Folks
You might have heard of Joshua's project called macOSLAPS? If not, check it out here first to get familiar with it.
Swift binary that utilizes Open Directory in order to perform password changes for a specified local administrator. The password is randomly generated and can be configured with your own settings. Make the password as long or as short as you want.
Now, how can I make use of this with JumpCloud as my preferred MDM for macOS devices and - most importantly - not relying on AD to store and acquire the local admin passwords? I'll show you how.
You will have two very easy options here:
- Deploy it as a Custom App which will be hosted by JumpCloud by simply uploading the PKG or
- Deploy it as a 'Self-Hosted' App by directly keying in the URL from the GitHub repo
To configure the app for each device you can create a Custom Policy utilizing the respective and adjusted .mobileconfig:
For reference, my configuration profile looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>DaysTillExpiration</key>
            <integer>1</integer>
            <key>FirstPass</key>
            <string>Passwordpassword01</string>
            <key>LocalAdminAccount</key>
            <string>localadmin</string>
            <key>Method</key>
            <string>Local</string>
            <key>PasswordGrouping</key>
            <integer>5</integer>
            <key>PasswordLength</key>
            <integer>25</integer>
            <key>PasswordRequirements</key>
            <dict>
                <key>Lowercase</key>
                <integer>3</integer>
                <key>Number</key>
                <integer>3</integer>
                <key>Uppercase</key>
                <integer>3</integer>
            </dict>
            <key>PasswordSeparator</key>
            <string>-</string>
            <key>PayloadDisplayName</key>
            <string>macOS LAPS</string>
            <key>PayloadIdentifier</key>
            <string>edu.psu.macoslaps.6187ACD2-4E8D-49A4-801A-E13F346C8287</string>
            <key>PayloadType</key>
            <string>edu.psu.macoslaps</string>
            <key>PayloadUUID</key>
            <string>6187ACD2-4E8D-49A4-801A-E13F346C8287</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>macOSLAPS Config</string>
    <key>PayloadIdentifier</key>
    <string>com.jumpcloud.mdm.custom-policy.0c39bfa2-171a-51bf-addd-cfc4fc18a0ab</string>
    <key>PayloadRemovalDisallowed</key>
    <true/>
    <key>PayloadUUID</key>
    <string>0c39bfa2-171a-51bf-addd-cfc4fc18a0ab</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
For now I have two options to offer here (and I might work out more options over time, i.e. writing it to the description field or exporting to another vault of choice):
- local retrieval from the Keychain
- remote retrieval via a JumpCloud Command
This is fairly simple as long as you have the right permissions to access the respective Keychain:
CLI Command:
security find-generic-password -w -s 'macOSLAPS' -a 'LAPS Password'
For this approach I came up with a script with inspiration from here:
#!/bin/bash

# Ask macOSLAPS to write out the current password to the system keychain
/usr/local/laps/macOSLAPS -getPassword > /dev/null

# Check if macOSLAPS command was successful
if [ $? -ne 0 ]; then
    echo "ERROR: macOSLAPS command failed."
    exit 1
fi

# Read the service name from the specified location
SERVICE_NAME_FILE="/var/root/.GeneratedLAPSServiceName"
if [ ! -f "$SERVICE_NAME_FILE" ]; then
    echo "ERROR: Service name file not found: $SERVICE_NAME_FILE"
    exit 1
fi
SERVICE_NAME=$(cat "$SERVICE_NAME_FILE")

# Validate service name
if [ -z "$SERVICE_NAME" ]; then
    echo "ERROR: Service name is empty."
    exit 1
fi

# Debugging information
echo "Service name retrieved: $SERVICE_NAME"

# Retrieve the current password using the security command
CURRENT_PASSWORD=$(security find-generic-password -s "$SERVICE_NAME" -w 2>&1)
# Check if the command was successful
if [ $? -ne 0 ]; then
    echo "ERROR: Failed to retrieve password."
    echo "Security command output: $CURRENT_PASSWORD"
    exit 1
fi

# Validate retrieved password
if [ -z "$CURRENT_PASSWORD" ]; then
    echo "ERROR: Retrieved password is empty."
    exit 1
fi

# Output the password
echo "The password is: $CURRENT_PASSWORD"
When you execute this script against a device you will retrieve the password within the Command Result:
As always, thanks for reading and I hope you find this helpful...
-Juergen
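A pre-deployment check for a profile like the one in the post above, as an added example that is not part of the original post or of macOSLAPS: it parses the .mobileconfig with Python's plistlib and reports settings that contradict each other or carry a guessable FirstPass. The function name `lint_profile`, the chosen checks and the trimmed sample profile are assumptions made for illustration.

```python
import plistlib

LAPS_TYPE = "edu.psu.macoslaps"  # PayloadType of the macOSLAPS payload in the post

# Constructed sample: the macOSLAPS settings from the post, envelope keys trimmed.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
<key>PayloadType</key><string>edu.psu.macoslaps</string>
<key>DaysTillExpiration</key><integer>1</integer>
<key>FirstPass</key><string>Passwordpassword01</string>
<key>LocalAdminAccount</key><string>localadmin</string>
<key>Method</key><string>Local</string>
<key>PasswordLength</key><integer>25</integer>
<key>PasswordRequirements</key><dict>
<key>Lowercase</key><integer>3</integer><key>Number</key><integer>3</integer>
<key>Uppercase</key><integer>3</integer></dict>
</dict></array></dict></plist>"""

def lint_profile(data: bytes) -> list[str]:
    """Return findings for the macOSLAPS payload inside a .mobileconfig."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == LAPS_TYPE]
    if not payloads:
        return [f"no {LAPS_TYPE} payload found"]
    cfg, findings = payloads[0], []
    length = cfg.get("PasswordLength")
    if not isinstance(length, int) or length <= 0:
        findings.append("PasswordLength is missing or not a positive integer")
    else:
        # The per-class minimums must fit inside the generated password.
        minimums = sum(cfg.get("PasswordRequirements", {}).values())
        if minimums > length:
            findings.append(f"PasswordRequirements need {minimums} characters "
                            f"but PasswordLength is {length}")
    days = cfg.get("DaysTillExpiration")
    if not isinstance(days, int) or days <= 0:
        findings.append("DaysTillExpiration is missing or not a positive integer")
    if cfg.get("Method") != "Local":
        findings.append("Method is not 'Local', which the AD-free setup relies on")
    if not cfg.get("LocalAdminAccount"):
        findings.append("LocalAdminAccount is empty")
    # Anyone who can read the profile can read FirstPass, so flag guessable values.
    if "password" in str(cfg.get("FirstPass", "")).lower():
        findings.append("FirstPass looks like a placeholder and sits in clear text")
    return findings

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```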
12-04-2024 02:10 PM
Hi, Joshua's macOSLAPS no longer seems to work since macOS 15.1. Others have reported similarly here: LAPS for macOS : r/Intune.
Have you been able to get it to work?