joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

NoMAD compatibility #3

Closed xelprep closed 5 years ago

xelprep commented 7 years ago

Will this work with NoMAD or does it require the machine to be bound to AD using the built-in plugin?

joshua-d-miller commented 7 years ago

Currently, you would need to be bound to use this.

joshua-d-miller commented 7 years ago

You could, however, if you are bound, call macOSLAPS with NoMAD once you are able to contact Active Directory. Where would you want the passwords stored if you are not using Active Directory?

xelprep commented 7 years ago

The passwords would ideally still be stored in Active Directory, but hopefully without actually needing to bind the Mac to AD via the built-in plugin. From NoMAD's website: "NoMAD allows all the functionality you would want from a Mac bound to Active Directory, without having to actually bind to AD."

Although the more I think about it, without binding the Mac to AD there would likely be no machine record in AD, and therefore no place to store the corresponding unique local admin password. I'll have to dig deeper into NoMAD to be sure, but this might be a fruitless endeavor on my part.

childrss commented 6 years ago

"Where would you want the passwords stored if you are not using Active Directory?"

MunkiReport? (that's a "please" with an implied "pretty" and "I'll beg if I have to" and a cherry on top at the next MacAdmins PSU conference at The Creamery).

Then it wouldn't be dependent on purchasing JAMF, having an AD structure setup (MunkiReport is free/open source).

It'd be nice to have all of your security information in one spot. Currently MunkiReport has Encryption Status as well as Verification (Encrypted as of X date), FileVault Escrow, Firmware Escrow... basically everything you'd need as a tech on the street (aka "sans laptop") to work a problem. Because it uses Bootstrap, MunkiReport is easily used from your iOS or Android phone/device as well as your computer. Logging into AD or a proprietary MDM console to get the data out, not so much.

It was recommended on the MunkiReport/MacAdmins Slack that I attempt this approach: https://xkcd.com/356/

joshua-d-miller commented 5 years ago

So technically, since we are storing the password in the System keychain for secureToken users, you could probably pull that entry if you have the right access and put it in MunkiReport. I'm also toying with always saving the password to the System keychain.

joshua-d-miller commented 5 years ago

Newest build: The password is now always saved to System.keychain. MunkiReport could look for macOSLAPS in the System keychain and pull the results if it has the proper access. @childrss
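For a reporting module that wants to confirm the macOSLAPS entry is present in the System keychain, here is an added shell example; it is not code from macOSLAPS or MunkiReport, and the service label `macOSLAPS` and the account name in the constructed sample are assumptions (check the label your build actually writes). It reads the generic-password item with `security find-generic-password` and reports only the account, service and modification date, so the inventory can show that rotation is happening and how old the current password is without the secret itself leaving the keychain. Reading items out of `/Library/Keychains/System.keychain` requires root.

```bash
#!/bin/sh
# Added example (not macOSLAPS or MunkiReport code).
# Reports the account, service and last-modified date of a generic-password
# item in the System keychain, parsed from `security find-generic-password`.
# The service label is an assumption about how the item is named.
LAPS_SERVICE="${LAPS_SERVICE:-macOSLAPS}"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Constructed sample of `security find-generic-password` output (no -g/-w, so
# no password line); used for offline testing of the parser below.
SAMPLE_DUMP='keychain: "/Library/Keychains/System.keychain"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="macOSLAPS"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="ladmin"
    "cdat"<timedate>=0x32303230303130313030303030305A00  "20200101000000Z\000"
    "mdat"<timedate>=0x32303230303630313030303030305A00  "20200601000000Z\000"
    "svce"<blob>="macOSLAPS"'

# Parse the attribute dump on stdin and emit key=value lines for the
# account, modification timestamp (YYYYMMDDhhmmss, UTC) and service.
parse_keychain_dump() {
    awk '
        /"acct"<blob>=/ { sub(/.*"acct"<blob>="/, ""); sub(/"$/, ""); print "account=" $0 }
        /"mdat"<timedate>=/ {
            if (match($0, /"[0-9]+Z/)) print "modified=" substr($0, RSTART + 1, RLENGTH - 2)
        }
        /"svce"<blob>=/ { sub(/.*"svce"<blob>="/, ""); sub(/"$/, ""); print "service=" $0 }
    '
}

# Query the System keychain for the item and print its parsed attributes.
# Returns non-zero when security(1) is unavailable, the caller is not root,
# or no item with the service label exists.
read_laps_entry() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not available; this only runs on macOS" >&2
        return 1
    fi
    if [ "$(id -u)" -ne 0 ]; then
        echo "reading $SYSTEM_KEYCHAIN requires root" >&2
        return 1
    fi
    security find-generic-password -s "$LAPS_SERVICE" "$SYSTEM_KEYCHAIN" 2>/dev/null \
        | parse_keychain_dump
}

# Usage: sudo sh laps_keychain.sh --run
if [ "${1:-}" = "--run" ]; then
    read_laps_entry
fi
```

Omitting `-g`/`-w` keeps the password out of the dump; a module that needs the password itself would add `-w`, which prints only the secret and is equally root-gated by the keychain ACL.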

joshua-d-miller commented 5 years ago

@childrss I believe the munkireport-php team is working on a module for macOSLAPS that will either use the installed version or the munkireport-php one based on my Python script. Since I don't think there will ever be a need to implement this into NoMAD, I'm going to close this issue.