Closed crofmmv closed 9 months ago
Azure AD is not AD; it doesn't support the extensions needed for a LAPS env.
However, if you use Jamf for your MDM, this can write the local password to an extension attribute in Jamf Pro. Not ideal, but it works.
> From: Crawford
> Sent: Saturday, June 11, 2022 4:14:47 PM
> Subject: [joshua-d-miller/macOSLAPS] macOSLAPS AAD (Issue #77)
>
> Hi, we don't have an on-prem AD and our macOS hosts are not bound to a domain. The macOS hosts use Jamf Connect for AAD logins, but we still have a local admin account. Does macOSLAPS work with AAD?
I see, thanks for your reply. Would macOSLAPS work with an admin account that was created during Setup Assistant on an Apple Silicon (M1) device?
So I've got the following so far:
- macLAPS pkg deployed
- macLAPS plist config: we are using the Method Local as we don't have AD.
I can run macLAPS on the device for the first time that has both deployed to it.
Both the macOSLAPS password and expiration files are in the /private/var/root/Library/Application folder, but how do I get them up to Jamf Pro?
Regards,
Crawford
Hello @crofmmv,
Those files are temporarily created. The next run will remove them. You would need to create an extension attribute in Jamf to send the password to Jamf. You can see the examples here: https://github.com/joshua-d-miller/macOSLAPS/blob/master/jamf%20Extension%20Attributes/Password:Expiration%20Combined.sh
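The extension-attribute approach described above, as an added example that is not the project's own script (the repository's EA example linked above is the reference): a Jamf Pro extension attribute that asks macOSLAPS to write its temporary password and expiration files, reads them, emits the `<result>` payload Jamf expects, and removes the files so the password does not sit on disk until the next run. The binary path `/usr/local/laps/macOSLAPS`, the `-getPassword` flag and the file names under `/var/root/Library/Application Support` are assumptions about a default install; verify them against your deployment. When the binary is not present (for example, when run off a Mac), the script runs a demo against constructed sample files instead.

```shell
#!/bin/sh
# Added example, not the macOSLAPS project's own EA script.
# Assumed install layout (verify on your fleet):
#   LAPS_BIN  - the macOSLAPS binary
#   LAPS_DIR  - where "macOSLAPS -getPassword" writes its two temp files
LAPS_BIN="${LAPS_BIN:-/usr/local/laps/macOSLAPS}"
LAPS_DIR="${LAPS_DIR:-/var/root/Library/Application Support}"
PW_FILE="$LAPS_DIR/macOSLAPS-password"
EXP_FILE="$LAPS_DIR/macOSLAPS-expiration"

# Ask macOSLAPS to write the current password and expiration to its temp files.
# Returns 1 when the binary is absent so the caller can fall back to the demo.
laps_export() {
    if [ -x "$LAPS_BIN" ]; then
        "$LAPS_BIN" -getPassword >/dev/null 2>&1
        return 0
    fi
    return 1
}

# Read both files, print the Jamf <result> payload, then delete the files so
# the password does not linger between inventory runs. Jamf expects a result
# on every run, so a missing or empty file yields "Not Available" rather than
# a non-zero exit.
laps_ea_result() {
    pw_file="$1"
    exp_file="$2"
    if [ ! -s "$pw_file" ] || [ ! -s "$exp_file" ]; then
        echo "<result>Not Available</result>"
        return 0
    fi
    pw=$(cat "$pw_file")
    exp=$(cat "$exp_file")
    rm -f "$pw_file" "$exp_file"
    echo "<result>${pw} / ${exp}</result>"
    return 0
}

# Offline demo: constructed sample files in a temp dir (values are made up).
laps_ea_demo() {
    demo_dir=$(mktemp -d)
    printf 'Constructed-Pa55w0rd\n' > "$demo_dir/macOSLAPS-password"
    printf '2022-06-30 12:00:00\n' > "$demo_dir/macOSLAPS-expiration"
    laps_ea_result "$demo_dir/macOSLAPS-password" "$demo_dir/macOSLAPS-expiration"
    rmdir "$demo_dir"
}

if laps_export; then
    laps_ea_result "$PW_FILE" "$EXP_FILE"
else
    laps_ea_demo
fi
```

On a managed Mac this runs as root during inventory, prints one `<result>` line that Jamf stores in the extension attribute, and leaves no copy of the password in the macOSLAPS temp directory afterwards. The value still lands in Jamf Pro inventory as cleartext, which is the trade-off the reply above points out.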
Hello @crofmmv,
Wanted to check in and see if you feel submitting the password to Jamf is acceptable over Azure AD.
Thanks!
Hi, we don't have an on-prem AD and our macOS hosts are not bound to a domain. The macOS hosts use Jamf Connect for AAD logins, but we still have a local admin account. Does macOSLAPS work with AAD?