I've been testing the current macOSLAPS pre-release version (4.0.0 Build 845) and had a bit of a struggle in figuring out how to actually retrieve the password via the new "temporary keychain item" method (since I couldn't find any documentation for it).
Here's a modification for the existing custom attribute script that I've come up with, in case somebody else has a need for it:
```bash
## $LAPS is expected to be set already by the existing custom attribute script
## Ask macOSLAPS to write out the current password to the system keychain
$LAPS -getPassword > /dev/null
## Read the service name of the temporary keychain item
SERVICE_NAME=$(/bin/cat /var/root/.GeneratedLAPSServiceName)
## -w prints only the password; stderr is discarded so a failed lookup leaves the variable empty
CURRENT_PASSWORD=$(/usr/bin/security find-generic-password -s "$SERVICE_NAME" -w 2> /dev/null)
CURRENT_EXPIRATION=$(/usr/bin/security find-generic-password -s "$SERVICE_NAME" | /usr/bin/grep -Eo "\d{4}-\d{2}-\d{2}.*\d")
## Test $CURRENT_PASSWORD to ensure there is a value
if [ -z "$CURRENT_PASSWORD" ]
then
    /bin/echo "ERROR: failed to retrieve password"
    exit 1
else
    /bin/echo "Password: $CURRENT_PASSWORD | Expiration: $CURRENT_EXPIRATION"
    ## Run macOSLAPS a second time to remove the password export entry from the system keychain
    $LAPS > /dev/null
fi
```