Sections
LAPS solution for macOS managed with Jamf
Below is a guide for setting up LAPS for macOS on your Jamf instance. The LAPS solution creates the local admin account, randomises and encodes the password, uploads the encoded password to Jamf and then a self service app is used to decode and show the local admin password to your engineers.
The LAPS Script also includes the ability to redirect notifications to Slack using the WebHooks app. (Thanks Martijn for the idea https://github.com/ons-mart)
To help encode your API credentials there is a small script in this git Encode API Credentials
v2.2.1 now uploaded and available. Check the Change log for changes and improvments.
LAPS v2 uses Swift Dialog the original project can be found here Swift Dialog All credit for swift Dialog goes to the owner and creator please support their project.
If you are liking the work then help me stay awake to carry on writing by buying me a coffee ☕️ https://www.buymeacoffee.com/pezza
Create an Extension Attribute to store the encoded password in the Device inventory. Name this extension attribute "LAPS CryptKey".
Repeat this process for the encoded secret calling it "LAPS Secret" and password reset called "LAPS Reset Password". You will end up with 3 Extension attributes.
Upload both Scripts from the git repositry to your Jamf instance and give them a name to go with their function.
Upload the LAPS pkg file to your JAMF Instance.
Set the parameters in each script and name each $ function to what it does. (each function can be found in the script header)
Creation and password cycle script
Decoder script
Create 4 policies.
- One for Creating the admin and cycling the password. Create this with a trigger of "Ongoing" and a custom trigger "CreateLAPS". Add the Script and pkg.
- One for Running the LAPS Script Monthly using the custom trigger of the previous policy. Enable the "Files and Processes" Payload and then in the "Execute command" option enter "jamf policy -event CreateLAPS"
- One for the self service Decoder app.
- One for cycling the password once its viewed.
In each policy set the script functions with your credentials and URL.
Please note that setting up the main policy in this way with a custom trigger, requires the trigger to be added to a provisioning workflow such as DEP Notify or SwiftDialog, where a script will call this custom trigger to run the policy. If you do not use these types of provisioning workflows then you can set this to trigger at enrollment or check-in. Just be carful that if set to run at check-in this will run the policy and cycle the LAPS account at every check-in.
Creation and password cycle script
Decoder script
Make sure the Decoder script is set as a self service app. You can upload your own Icon and name it how you wish.
Create a smart Group called "LAPS Reset Password" and set the criteria as below. Scope the "Reset Password" Policy to ONLY this group.
The decoder self service policy can be scoped to your Engineers so they can view the local admin password.
The app works as follows:
Enter the device name of which you require the local admin password for
The engineer will then be presented with the password which will disapear after 10seconds
If all is working ok then in the computer inventory record you should see the Extension attributes populated as below. Please note, none of these are the local admin passwords and will not do anything if just copied and pasted.
There are additional extension attributes which can display more information in JAMF. These Extension attributes display the Creation date, the last Cycled date and the last date and time the password was decoded and viewed.
The extension attributes can be found here and then uploaded to JAMF like any other Extension attribute.
The LAPS Script includes a feature to push notifications to a Slack Channel by using a webhook. To enable these features you will need to create a new app in your slack tenent which you can do here by following the step by step guide.
Once the app is created make a note of the webhook URL as you will need to use this in a Jamf variable.
You will need to add a few extra details to your scripts.
For the creation script Parameter 9 should be set up as below.
Script Option
Policy configuration
The decoder script should be set up as below. You can optionally add your service desk to parameter 8 which will enable the "Challenge Request" Button.
Script Options
Policy configuration
If everything is configured correctly you should see the follow notifications in your chosen Slack channel.
If a local account with the same name as the LAPS account exists then the setup process will fail.
In this case it is best practice to remove any local accounts with the existing name or choose a new name for the LAPS account being created.
You might start noticing the decrytped password is not working or the logs show errors such as the following.
2023-02-17 15:15:32.094 sysadminctl[13006:77173] Operation is not permitted without secure token unlock. <dscl_cmd> DS Error: -14090 (eDSAuthFailed) Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
This could be a number of issues, for example, the encoded credentials are incorrect or for some reason they did not escrow to Jamf and have been overwritten with an incorrect password.
In this case it is recommended to reset the existing LAPS configuration using the reset script here LAPS Reset Script (Please make sure you check the script header to know what JAMF Variables need filling out.)