GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → ducksrfr → LAPSforMac

ducksrfr / LAPSforMac

Licence: MIT license
Local Administrator Password Solution for Mac

Programming Languages

shell
77523 projects

Labels

macosmacapplepassword-generatorkeychainpasswordmacadminjamfmacadminshigh-sierralaps-passwordhighsierramojavejamfprojamfpro-scriptssysadminctlsecuretoken

Projects that are alternatives of or similar to LAPSforMac

pre-commit-macadmin
Pre-commit hooks for Mac admins.
Stars: ✭ 43 (+48.28%)
Mutual labels:  mac, apple, macadmin, jamf
mac scripts
A collection of scripts used to Manage Mac OS X computers.
Stars: ✭ 38 (+31.03%)
Mutual labels:  apple, macadmin, jamf, macadmins
jamfscripts
Scripts I use non API related
Stars: ✭ 15 (-48.28%)
Mutual labels:  macadmin, jamf, macadmins, jamfpro
PasswordX
Offline password manager for iOS/macOS
Stars: ✭ 26 (-10.34%)
Mutual labels:  mac, password-generator, password
lockd
Generate strong passwords and save them in Keychain. Made with SwiftUI
Stars: ✭ 38 (+31.03%)
Mutual labels:  password-generator, keychain, password
Hackintosh
Hackintosh long-term maintenance model EFI and installation tutorial
Stars: ✭ 6,589 (+22620.69%)
Mutual labels:  apple, highsierra, mojave
Csvkeychain
Import/export between Apple Keychain.app and plain CSV file.
Stars: ✭ 281 (+868.97%)
Mutual labels:  apple, keychain, password
management tools
A collection of scripts and packages to simplify OS X management.
Stars: ✭ 93 (+220.69%)
Mutual labels:  mac, macadmin, macadmins
blade runner
Blade Runner is a Jamf Pro based Python application that automates and implements a framework to offboard, secure erase and document deprecated Mac systems.
Stars: ✭ 24 (-17.24%)
Mutual labels:  mac, macadmin, jamf
disable sip
This script is used in the recovery partition to automatically disable SIP.
Stars: ✭ 26 (-10.34%)
Mutual labels:  mac, macadmin, macadmins
Passwd
A beautiful, cross-platform, encrypted password manager 🔐
Stars: ✭ 82 (+182.76%)
Mutual labels:  mac, password-generator, password
Mac admin
Helpful scripts & configuration profiles for the Mac admin community
Stars: ✭ 139 (+379.31%)
Mutual labels:  mac, apple, macadmin
sudoers manager
A standalone Python script to help administrators manage their sudoers file.
Stars: ✭ 28 (-3.45%)
Mutual labels:  mac, macadmin, macadmins
Macvars
command library for scripting osx
Stars: ✭ 34 (+17.24%)
Mutual labels:  mac, apple, macadmin
cleanup manager
Cleanup Manager helps you clean up folders on your Mac's hard drive.
Stars: ✭ 22 (-24.14%)
Mutual labels:  mac, macadmin, macadmins
kinobi
An external patch definition server for Jamf Pro
Stars: ✭ 76 (+162.07%)
Mutual labels:  macadmin, jamf, jamfpro
moac
Generate passwords and analyze their strength given physical limits to computation
Stars: ✭ 16 (-44.83%)
Mutual labels:  password-generator, password
Passky-Server
API and Database for Passky (password manager)
Stars: ✭ 77 (+165.52%)
Mutual labels:  password-generator, password
mopass
A OpenSource Clientless & Serverless Password Manager
Stars: ✭ 40 (+37.93%)
Mutual labels:  password-generator, password
webpassgen
Simple web-based password generator
Stars: ✭ 111 (+282.76%)
Mutual labels:  password-generator, password
View All Similar Projects ➔

LAPSforMac -- updated compatibility for Mojave and High Sierra

Huge, huge kudos to Phil Redfern and the University of Nebraska for this script. I simply updated the LAPS script to resolve some quirks with the Jamf binary in High Sierra, resulting in odd behavior regarding secureToken and FileVault enablement. I'm using this script to update a local admin account through a Jamf policy, however you can repurpose this script to be used outside of Jamf.

dscl, secureToken, and FileVault

  • The original LAPS script uses $jamf_binary to reset the user password, which in turn utilizes dscl
  • dscl technically performs a successful password reset, however it exhibits the following behavior in macOS 10.13.6 when a Jamf policy executes the LAPS script on an AD-bound machine:

Scenario 1

  • A local admin account with secureToken is currently logged in. The local admin logs out.
  • AD-user logs in
  • A secureToken dialog window appears to request an admin's credentials to enable secureToken for the AD-user
  • secureToken is successfully enabled for the AD-user
  • Run sysadminctl -secureTokenStatus ADUserHere to confirm secureToken is ENABLED
  • A Jamf policy silently changes the local admin user's password in the background using the LAPS script
  • The AD-user logs out to trigger a deferred FileVault enablement, but an error appears stating FileVault could not be enabled
  • Reboot and log in as the local admin user using the new LAPS password
  • Run sysadminctl -secureTokenStatus LocalAdminUserHere to confirm secureToken is ENABLED for the local admin
  • Run sysadminctl -secureTokenStatus ADUserHere and discover secureToken is DISABLED for the AD-user, despite "successfully" gaining a secureToken during the initial AD-user login
  • Attempt to enable FileVault via System Preferences or fdesetup while logged in as the local admin, receive same error
  • Log out of local admin account, deferred FileVault enablement dialog window appears, receive same error
  • So even though sysadminctl says the local admin has a secureToken, dscl somehow strips this attribute from both the local admin & AD-user when the Jamf policy ran the LAPS script.

Scenario 2

  • Before the local admin account is able to sign in for the first time (created via PreStage Enrollment, Setup Assistant, or pkg/script), a Jamf policy silently changes the local admin password in the background using the LAPS script
  • The local admin signs in using the new LAPS password
  • Run sysadminctl -secureTokenStatus LocalAdminUserHere to find that secureToken is DISABLED
  • It appears that because dscl changed the user password before the first login, it somehow strips the secureToken attribute from the first local admin user account signing in
  • If the sole admin account on the machine has no secureToken, there's no way to create an additional user with secureToken, or enable FileVault

Resolution: use sysadminctl

Replace $jamf_binary resetPassword -username $resetUser -password $newPass

with

sysadminctl -adminUser $resetUser -adminPassword $oldPass -resetPasswordFor $resetUser -newPassword $newPass

In addition: because sysadminctl -resetPasswordFor will force the creation of a new Keychain, you can comment out/ignore $jamf_binary resetPassword -updateLoginKeychain -username $resetUser -oldPassword $oldPass -password $newPass

Mojave and Jamf Extended Attributes

In macOS 10.14 and Jamf Pro 10.7 (and later) the policy will fail unless you store the previous LAPS password value in an additional Extended Attribute. This prevents issues verifying the new password is correct, and is stored in Jamf. The script has been updated to create this new EA using the Jamf API.

Sync a mismatched FileVault password in Mojave

  • In Mojave, if a mobile Active Directory user password is changed off of the Mac (Active Directory, Okta, a network-bound Windows PC, etc) the FileVault password will never sync with the new password.
  • Some users report that the Keychain password has diffculy syncing, or odd behavior where a user's password alternates between the old/cached password and the new/network password based on whether the user is connected to the corporate network
  • A simple restart does not resolve the issue
  • If you're using the LAPS script in a Jamf extended attribute, use the Mojave_FileVault_sync.sh script to grab the LAPS value to assist with syncing the new network password with FileVault
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].