joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

security does not have access to view keychain for LAPS password #105

Closed taagokoster closed 1 month ago

taagokoster commented 1 month ago

Been testing 4.0.0 build 845, and the documentation mentions that security should have access to view the password in keychain after running a -resetPassword command. But in my case security does not appear to have access to view the password, and at the moment this is preventing storing the password anywhere else.

joshua-d-miller commented 1 month ago

Hello @taagokoster,

When you run the -getpassword flag in 4.0.0 it creates a file with a unique identifier. That unique identifier is a temporary keychain item that allows security to read it and has the LAPS password.

Thanks!

taagokoster commented 1 month ago

Thank you for replying this quick @joshua-d-miller !

Am I doing something wrong? What command should I be using to extract this password using security to successfully escrow it to e.g. Kandji? Testing it locally I get a prompt for my admin creds, and from the MDM side the password itself is blank as it can't read it using security.

taagokoster commented 1 month ago

Or is this an expected behaviour and it can only be accessed after giving permissions? If so, any recommendations on how to grab the current password to store in MDM?

joshua-d-miller commented 1 month ago

So the path would be to generate the random keychain item by using macOSLAPS -getpassword then using the security command with the contents of that file to grab the UUID. I believe someone put something together in the MacAdmins Slack. Here is a link as it's one of my issues. https://github.com/joshua-d-miller/macOSLAPS/issues/104. Once I have some more time I plan to document this as it's still a release candidate and then add it to the wiki.
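The flow described above (run `macOSLAPS -getpassword`, read the identifier from the file it writes, then hand that identifier to `security` to retrieve the password for escrow), as an added example script that is not part of macOSLAPS or this issue. The install path, the identifier file path, the assumption that the identifier is the item's service name (`-s`), running as root from an MDM script, and the `escrow_to_mdm` hook are all assumptions, not documented on this page.

```shell
#!/bin/sh
# Added example, not macOSLAPS project code. Retrieves the LAPS password via
# the 4.0 -getpassword flow for escrow to an MDM, then cleans up the file.
# ASSUMPTIONS (not from the project docs): binary path, identifier file path,
# that the keychain item's service name equals the identifier, root context.
set -eu

MACOSLAPS_BIN="/usr/local/laps/macOSLAPS"                            # assumed
ID_FILE="/var/root/Library/Application Support/macOSLAPS-password"   # assumed

# Read the identifier written by -getpassword. Only a single well-formed UUID
# is accepted so a stale or tampered file is never passed on to security(1).
read_laps_identifier() {
    id_file="$1"
    [ -f "$id_file" ] || { echo "identifier file missing: $id_file" >&2; return 1; }
    id=$(tr -d '[:space:]' < "$id_file")
    printf '%s' "$id" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
        || { echo "unexpected identifier format in $id_file" >&2; return 1; }
    printf '%s\n' "$id"
}

# Look up the temporary keychain item by identifier; -w prints only the secret.
# Assumption: the identifier is stored as the item's service name.
fetch_laps_password() {
    security find-generic-password -w -s "$1"
}

# Hypothetical hook: replace with the MDM vendor's escrow mechanism. The stub
# refuses to run so the secret is never echoed anywhere by accident.
escrow_to_mdm() {
    echo "escrow_to_mdm: configure your MDM escrow hook first" >&2
    return 1
}

escrow_laps_password() {
    "$MACOSLAPS_BIN" -getpassword          # creates the item and identifier file
    id=$(read_laps_identifier "$ID_FILE")
    pw=$(fetch_laps_password "$id")
    escrow_to_mdm "$pw"
    rm -f "$ID_FILE"                       # do not leave the identifier behind
}

# Run the full flow only when explicitly requested (LAPS_ESCROW_RUN=1).
if [ "${LAPS_ESCROW_RUN:-0}" = "1" ]; then
    escrow_laps_password
fi
```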

taagokoster commented 1 month ago

Nice! Can confirm, I was able to get that working too. Thank you very much!