PezzaD84 / macLAPS

LAPS solution for macOS managed with Jamf

LAPS Decode and extension attributes #15

Closed jelockwood closed 11 months ago

jelockwood commented 11 months ago

@PezzaD84 I have had possibly two unrelated issues in relation to the Secret and CryptKey extension attributes and your scripts.

Firstly your documentation suggests using extension attribute names containing spaces i.e. "LAPS Secret". Whilst Jamf Pro itself is ok with that, trying to write my own shell scripts to access them is very, very hard. Clearly you encountered this yourself as your 'workaround' was to use a grep filter to 'find' the extension attribute by searching for the last half of the name, i.e. ignoring the space.

I have therefore for my own requirements used LAPS_Secret i.e. replacing the space with an underline in each of the two extension attributes. I am inclined to believe this is not the current cause of the problem.

What I believe to be the actual cause is that Jamf Pro has recently been upgraded to version 11.0.1 from 10.x. I suspect this is causing the result to return the value of the extension attributes not in 'field 16' but field 15 as your command of

grep -i CryptKey | tr '"' ' ' | awk '{print $16}'

If I change this to print $15 it 'fixes' my problem.

PezzaD84 commented 11 months ago

Hi @jelockwood. The issue with using an underscore is it turns "LAPS Secret" into one entry and not 2. So the count wouldn't be 16 any more as there will be one less item of data. This is why it breaks and changing 16 to 15 fixes it.

jelockwood commented 11 months ago

Ah! Thanks for the explanation.

I have a script that I am using to link another Jamf related project which automates enforcing macOS updates. This on Apple Silicon Macs requires knowing an admin level account to authorise the upgrade. I therefore need to 'tell' it the LAPS credentials. I use an approach which reads the specific extension attributes and cannot cope with a space in the extension name - hence my substituting the space symbol.

This is your project so I will leave it up to you whether you switch to also avoiding the use of a space in the extension name although I would recommend that. I do suggest adding an entry to your documentation relating to this.

PezzaD84 commented 11 months ago

You could always try using plutil. I've been meaning to re-write all the API calls to use this and move away from using grep and awk. The reason I haven't made the change yet is that the code is just as long and doesn't really have a huge benefit other than making it a little more future proof.
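The field shift discussed in this thread, as an added example that is not part of the thread or of the macLAPS scripts: it runs the quoted `grep | tr | awk` pipeline over two constructed records and compares it with a lookup anchored on the attribute name that fails when the name is absent. The record layout, the value `c0nstructedKey` and the function names `by_position` and `by_name` are assumptions, so the field numbers here (13 and 12) differ from the 16 and 15 seen against the real Jamf Pro response.

```shell
#!/bin/sh
# Constructed sample records (one attribute per line); not real Jamf Pro output.
sample_space='{"name":"LAPS CryptKey","type":"String","value":"c0nstructedKey"}'
sample_underscore='{"name":"LAPS_CryptKey","type":"String","value":"c0nstructedKey"}'

# Positional lookup, as in the thread: quotes become spaces, then field N is printed.
# $1 = record, $2 = field number
by_position() {
    printf '%s\n' "$1" | grep -i CryptKey | tr '"' ' ' | awk -v n="$2" '{print $n}'
}

# Name-anchored lookup (hypothetical helper): only a record whose "name" equals the
# requested attribute is accepted, and its "value" string is returned.
# Exits non-zero when the name is missing, so the caller never uses a wrong token.
# $1 = record(s), $2 = exact extension attribute name
by_name() {
    printf '%s\n' "$1" | awk -v want="$2" '
        index($0, "\"name\":\"" want "\"") == 0 { next }
        {
            if (match($0, /"value":"[^"]*"/) == 0) exit 1
            # Skip the 9 characters of "value":" and drop the closing quote.
            print substr($0, RSTART + 9, RLENGTH - 10)
            found = 1
        }
        END { if (!found) exit 1 }'
}

# With a space in the name the value is field 13; with an underscore the name is
# one token shorter, so field 13 is now the closing brace and the value is field 12.
echo "space, field 13:      $(by_position "$sample_space" 13)"
echo "underscore, field 13: $(by_position "$sample_underscore" 13)"
echo "underscore, field 12: $(by_position "$sample_underscore" 12)"

# The name-anchored lookup returns the same value for either naming scheme.
echo "by name (space):      $(by_name "$sample_space" 'LAPS CryptKey')"
echo "by name (underscore): $(by_name "$sample_underscore" 'LAPS_CryptKey')"

# A wrong name fails instead of returning a neighbouring token.
if ! by_name "$sample_space" 'LAPS_CryptKey' >/dev/null; then
    echo "lookup for a missing attribute name failed closed"
fi
```

`by_name` still assumes one record per line and values without escaped quotes; a real JSON or plist parser such as the plutil suggested above removes those assumptions.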