JumpCloud Community

JuergenKlaassen · ‎07-12-2024

Hi Community Folks

You might have heard of Joshua's project called macOSLAPS? If not, check it out here first to get familiar with it.

macOSLAPS (Local Administrator Password Solution)

Swift binary that utilizes Open Directory in order to perform passwords changes for a specified local administrator. The password is randomly generated and can be configured with your own settings. Make the password as long or as short as your want.

Now, how can I make use of this with JumpCloud as my preferred MDM for macOS-Devices and - most importantly - not relying on AD to store and acquire the local admin passwords? I show you how.

1. Deploy macOSLAPS to your fleet

You will have two very easy options here:
- Deploy it as a Custom App which will be hosted by JumpCloud by simply uploading the PKG or

- Deploy it as a 'Self-Hosted' App by directly keying in the URL from the Github-Repo

2. Configure macOSLAPS via a Custom Policy

To configure the app for each device you can create a Custom Policy utilizing the respective and adjusted .mobileconfig:

For reference, my configuration profile looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>DaysTillExpiration</key>
                <integer>1</integer>
                <key>FirstPass</key>
                <string>Passwordpassword01</string>
                <key>LocalAdminAccount</key>
                <string>localadmin</string>
                <key>Method</key>
                <string>Local</string>
                <key>PasswordGrouping</key>
                <integer>5</integer>
                <key>PasswordLength</key>
                <integer>25</integer>
                <key>PasswordRequirements</key>
                <dict>
                    <key>Lowercase</key>
                    <integer>3</integer>
                    <key>Number</key>
                    <integer>3</integer>
                    <key>Uppercase</key>
                    <integer>3</integer>
                </dict>
                <key>PasswordSeparator</key>
                <string>-</string>
                <key>PayloadDisplayName</key>
                <string>macOS LAPS</string>
                <key>PayloadIdentifier</key>
                <string>edu.psu.macoslaps.6187ACD2-4E8D-49A4-801A-E13F346C8287</string>
                <key>PayloadType</key>
                <string>edu.psu.macoslaps</string>
                <key>PayloadUUID</key>
                <string>6187ACD2-4E8D-49A4-801A-E13F346C8287</string>
                <key>PayloadVersion</key>
                <integer>1</integer>
            </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>macOSLAPS Config</string>
        <key>PayloadIdentifier</key>
        <string>com.jumpcloud.mdm.custom-policy.0c39bfa2-171a-51bf-addd-cfc4fc18a0ab</string>
        <key>PayloadRemovalDisallowed</key>
        <true/>
        <key>PayloadUUID</key>
        <string>0c39bfa2-171a-51bf-addd-cfc4fc18a0ab</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
    </dict>
</plist>

3. Retrieval of the current password for your dedicated local admin account

For now I have two options to offer here (and I might work out more options over time, i.e. writing it to the description field or exporting to another vault of choice):
- local retrieval from the KeyChain
- remote retrieval via a JumpCloud Command

local retrieval from the Keychain

This is fairly simple as long as you have the right permissions to access the respective Keychain:

CLI Command:

security find-generic-password -w -s 'macOSLAPS' -a 'LAPS Password'

remote retrieval via a JumpCloud Command

For this approach I came up with a script with inspiration from here:

#!/bin/bash

# Ask macOSLAPS to write out the current password to the system keychain
/usr/local/laps/macOSLAPS -getPassword > /dev/null

# Check if macOSLAPS command was successful
if [ $? -ne 0 ]; then
    echo "ERROR: macOSLAPS command failed."
    exit 1
fi

# Read the service name from the specified location
SERVICE_NAME_FILE="/var/root/.GeneratedLAPSServiceName"
if [ ! -f "$SERVICE_NAME_FILE" ]; then
    echo "ERROR: Service name file not found: $SERVICE_NAME_FILE"
    exit 1
fi

SERVICE_NAME=$(cat "$SERVICE_NAME_FILE")

# Validate service name
if [ -z "$SERVICE_NAME" ]; then
    echo "ERROR: Service name is empty."
    exit 1
fi

# Debugging information
echo "Service name retrieved: $SERVICE_NAME"

# Retrieve the current password using the security command
CURRENT_PASSWORD=$(security find-generic-password -s "$SERVICE_NAME" -w 2>&1)

# Check if the command was successful
if [ $? -ne 0 ]; then
    echo "ERROR: Failed to retrieve password."
    echo "Security command output: $CURRENT_PASSWORD"
    exit 1
fi

# Validate retrieved password
if [ -z "$CURRENT_PASSWORD" ]; then
    echo "ERROR: Retrieved password is empty."
    exit 1
fi

# Output the password
echo "The password is: $CURRENT_PASSWORD"

When you execute this script against a device you will retrieve the password within the Command Result:

As always, thanks for reading and I hope you find this helpful...

-Juergen