joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

Start Times too inconvenient for use #18

Closed rcharnel closed 6 years ago

rcharnel commented 6 years ago

Is it possible to have the application run around these intervals: OnLoad/Startup => ensures that the application will change the password once it installs rather than if the Mac is awake at one of the 3 intervals. Change the launchd to more of a service where it continuously runs in the background and works based on triggers. It's more of a thought.

The issue I'm running into is that it doesn't set the LAPS password the moment it installs, and there is too much of a gap where not all the devices would be awake during those specified time periods.

joshua-d-miller commented 6 years ago

I'm in the process of implementing a change made by @neilmartin83 that will allow LAPS to run every 90 minutes like Windows. Will this be helpful to you?

neilmartin83 commented 6 years ago

How are you deploying it, @rcharnel? I deploy with Jamf and in the policy, run a script after the pkg installs that sets some default preferences and then calls macOSLAPS with the -resetPassword argument. (We install/run it early in the provisioning process, so we see a race condition where our config profile sometimes doesn't get installed in time for the first run.)

You could achieve the same with Munki or other deployment tools that allow you to run post-install scripts.

That'll get it to run as soon as it's installed, then you just need a Launch Daemon that triggers it every x minutes - @joshua-d-miller kindly accepted my pull request to update his example here to do that: https://github.com/joshua-d-miller/macOSLAPS/blob/master/edu.psu.macoslaps-check.plist

rcharnel commented 6 years ago

The 90 minutes should work out fine in my case.

I am deploying the package with Munki using the same process of calling the -resetPassword argument, although I can't say that has been successful.

I'll go back and double-check when I have time to test, but I usually do sudo macOSLAPS -resetPassword.

bartreardon commented 6 years ago

@rcharnel the initial run will need to be timed to happen after the machine has been bound to AD, otherwise not much will happen. If it's a fresh install, -resetPassword won't be needed as the first run will always perform a password reset. If you regularly wipe and re-bind to the same AD object then you might want to do that, but you can always trigger a reset by expiring the date in AD instead.

rcharnel commented 6 years ago

@bartreardon Thanks for the heads up, although currently I'm deploying to machines already joined to AD.

joshua-d-miller commented 6 years ago

I would think the best solution to password resetting for rebind is to add the -resetPassword. Even if the machine is new and has only been bound for the first time, that option sets the value of the expiration time to 1/1/2001, which is the default in AD when a machine is bound, so it will force the password change no matter what.
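A post-install script that ties together the pieces discussed in this thread (run once on install, a LaunchDaemon on a 90-minute StartInterval, and a forced -resetPassword so a rebind does not wait for the next interval), added here as an example and not the project's own script. The binary path /usr/local/laps/macOSLAPS and the use of launchctl bootstrap are assumptions; the preference defaults neilmartin83 sets are left out.

```shell
#!/bin/bash
# Added example, not macOSLAPS project code.
# ASSUMPTION: macOSLAPS is installed at /usr/local/laps/macOSLAPS.
LAPS_BIN="${LAPS_BIN:-/usr/local/laps/macOSLAPS}"
# Label matches the repo's example daemon, edu.psu.macoslaps-check.plist.
DAEMON_LABEL="edu.psu.macoslaps-check"
DAEMON_PLIST="/Library/LaunchDaemons/${DAEMON_LABEL}.plist"
INTERVAL_MINUTES=90   # the Windows-like cadence mentioned in the thread

# launchd's StartInterval is expressed in seconds.
minutes_to_seconds() { echo $(( $1 * 60 )); }

# Render a LaunchDaemon that fires on load (covers the "run once it
# installs" request) and then every N minutes; a StartInterval missed
# while asleep is coalesced and fired on the next wake, so no machine
# has to be awake at a fixed clock time.
render_daemon_plist() {
  interval_sec=$(minutes_to_seconds "$1")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>${DAEMON_LABEL}</string>
  <key>ProgramArguments</key>
  <array><string>${LAPS_BIN}</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>${interval_sec}</integer>
</dict>
</plist>
EOF
}

# Post-install flow: install the daemon (root-owned and not group/world
# writable, or launchd refuses to load it), load it, then force a reset
# so the first rotation happens now, even when rebinding to the same AD object.
postinstall() {
  render_daemon_plist "$INTERVAL_MINUTES" > "$DAEMON_PLIST"
  chown root:wheel "$DAEMON_PLIST"
  chmod 644 "$DAEMON_PLIST"
  launchctl bootout system "$DAEMON_PLIST" 2>/dev/null || true
  launchctl bootstrap system "$DAEMON_PLIST"
  "$LAPS_BIN" -resetPassword
}

# Only act when invoked as the package's postinstall step (e.g. "run").
if [ "${1:-}" = "run" ]; then postinstall; fi
```

The machine must already be bound to AD when postinstall runs, as bartreardon notes above, or the reset has nowhere to write the expiration.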