Closed ThrashinVictim closed 5 years ago
@liamrpowell how are you creating the PLIST? Are you using the defaults command or are you just placing a PLIST file in /Library/Preferences/?
Thanks for the reply. I am placing the plist file in /Library/Preferences/.
So when placing a PLIST file in that directory you may need to run killall cfprefsd before running LAPS, as it will not have synchronized yet. The safest thing to do is to create each preference like so:
defaults write /Library/Preferences/edu.psu.macoslaps LocalAdminAccount "youradmin"
defaults write /Library/Preferences/edu.psu.macoslaps PasswordLength -int 12
defaults write /Library/Preferences/edu.psu.macoslaps DaysTillExpiration -int 60
This way the preferences are synchronized right away. The other thing you could do is use Tim Sutton's mcxToProfile, which would create a configuration profile out of the PLIST. That would also take effect right away. Lastly, and probably the best method, would be to create a configuration profile in an MDM such as Jamf Pro or AirWatch. I realize you may not have those options, but the immediate and easiest solution would be either using the defaults command for each entry in the PLIST or using killall cfprefsd as an admin to synchronize preferences.
Hope this helps
Thanks, I did the defaults write with my settings. But still getting "unable to connect to local directory."
@liamrpowell Do you know if your local admin is a secureToken user?
yes.
@liamrpowell You will need to specify the FirstPass attribute, as in order to change the password for a secureToken user we must know the old password. Once the password has been changed once, the new password is always stored in the System.keychain to reference for the next change.
What is the correct syntax to enable that?
You would just need to specify the FirstPass key by either configuration profile or the defaults command, so something like:
defaults write /Library/Preferences/edu.psu.macoslaps FirstPass "InitialPasswordOfAccountHere"
Ok, but if I put the password there wouldn't it stay in the edu.psu.macoslaps.plist file?
Yes, but this is a burner password that won't mean anything once the utility has run. Most people, when they install macOSLAPS, which is usually at the time of building the device, will run the utility, which makes the password random. In efforts to secureToken this was the best method. I am currently exploring other methods to make this even better.
Thanks for the info.
Not sure what I am doing wrong.
Thank you.
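An added example, not part of the original thread or of macOSLAPS: a small audit of a macOSLAPS preference file that checks the keys from the defaults commands above for the types those commands write, and reports whether a FirstPass value is still sitting in the plist and who can read the file. Treating the three keys as required, and the helper names `audit_laps_plist` and `write_sample`, are assumptions of this example.

```python
import os
import plistlib
import stat
import tempfile

# Key names and types come from the `defaults write` commands in the thread
# (-int for the two numeric keys); treating them as required is an assumption.
EXPECTED_TYPES = {
    "LocalAdminAccount": str,
    "PasswordLength": int,
    "DaysTillExpiration": int,
}

def audit_laps_plist(path):
    """Return a list of findings for a macOSLAPS preference file on disk."""
    findings = []
    with open(path, "rb") as fh:
        prefs = plistlib.load(fh)  # handles both XML and binary plists
    for key, expected in EXPECTED_TYPES.items():
        if key not in prefs:
            findings.append(f"{key}: missing")
        elif type(prefs[key]) is not expected:
            findings.append(f"{key}: {type(prefs[key]).__name__}, expected {expected.__name__}")
    if prefs.get("FirstPass"):
        # The initial password is stored in clear text; report who can read it.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        scope = "group/other-readable" if mode & 0o044 else "owner-only"
        findings.append(f"FirstPass: plaintext password on disk ({scope}, mode {mode:o})")
    return findings

def write_sample(prefs, mode):
    """Write a constructed sample plist to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".plist")
    with os.fdopen(fd, "wb") as fh:
        plistlib.dump(prefs, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed sample: a hand-edited plist with a string where an integer
    # belongs and the initial password still present.
    sample = {"LocalAdminAccount": "youradmin", "PasswordLength": "12",
              "DaysTillExpiration": 60, "FirstPass": "InitialPasswordOfAccountHere"}
    path = write_sample(sample, 0o644)
    for line in audit_laps_plist(path):
        print(line)
    os.remove(path)
```

The script reads the file on disk, so for a plist copied into /Library/Preferences/ by hand it shows what was placed there, not what cfprefsd currently serves.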