joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

Refreshing of passwords after expiration in MDMs #80

Closed DaveKozl closed 1 year ago

DaveKozl commented 1 year ago

Hi Joshua,

Have you thought about making a better trigger on the system side? Due to the fact that when the refresh station is put to sleep every 90 minutes, I did not think about automating it on the MDM side so that it would be more efficient, but launchd after blocking the station blocks triggering actions on the station side. Is there anything better to use than the cyclic Check-in on the station side and the daemon checking the password every specific sequence, so that it can be thrown into the MDM system as much as possible?

joshua-d-miller commented 1 year ago

Hello @DaveKozl,

The LaunchDaemon will run every 90 minutes. If the system is asleep then woken up I believe it will run when the machine awakens. For getting the password into MDM for instance, in Jamf Pro you will need to trigger an inventory update. One way you could approach this is actually remove the LaunchDaemon and trigger macOSLAPS using a Jamf Pro policy that would run an inventory update upon completion. Depending on your setting for Check-In this could be every 15 minutes or every 30 minutes. That might get you the desired effect you are looking for. If you have a different MDM, I would look into how often their custom attributes are updated and then trigger macOSLAPS alongside updating those custom attributes. There will be a new build posted soon that is currently in testing in #macOSLAPS in the MacAdmins Slack that allows the LaunchDaemon to be skipped during install.

Thanks!
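The policy-driven approach described above, as an added example that is not code from macOSLAPS or Jamf: a Jamf Pro policy script that runs macOSLAPS and then submits an inventory update, so the rotated password reaches Jamf Pro on the policy's check-in cadence rather than the LaunchDaemon's 90-minute timer plus the next scheduled inventory. It assumes the macOSLAPS binary at /usr/local/laps/macOSLAPS and the Jamf binary at /usr/local/bin/jamf (both overridable through the environment), and it treats a failed `jamf recon` after a successful rotation as a policy failure, because that is the case where the MDM ends up holding a password that no longer works.

```shell
#!/bin/sh
# Added example, not code from macOSLAPS or Jamf: a Jamf Pro policy script that
# runs macOSLAPS and then triggers an inventory update, so the rotated password
# reaches Jamf Pro on the policy's check-in schedule instead of waiting for the
# 90-minute LaunchDaemon and the next scheduled inventory.
#
# Assumed paths (overridable through the environment): macOSLAPS at
# /usr/local/laps/macOSLAPS, the Jamf binary at /usr/local/bin/jamf.

LAPS_BIN="${LAPS_BIN:-/usr/local/laps/macOSLAPS}"
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"
LOG_TAG="macOSLAPS-policy"

log() {
    # Record to syslog/unified log under our tag and echo to stderr, which Jamf
    # captures into the policy log.
    logger -t "$LOG_TAG" "$1" 2>/dev/null
    printf '%s: %s\n' "$LOG_TAG" "$1" >&2
}

rotate_password() {
    # macOSLAPS itself decides whether the stored expiration has passed; a
    # non-zero exit means no new password was set, so there is nothing to report.
    [ -x "$LAPS_BIN" ] || { log "macOSLAPS not found at $LAPS_BIN"; return 2; }
    "$LAPS_BIN"; rc=$?
    if [ "$rc" -ne 0 ]; then
        log "macOSLAPS exited with status $rc; skipping inventory update"
        return 1
    fi
    log "macOSLAPS run completed"
    return 0
}

update_inventory() {
    # Without recon, Jamf Pro keeps the previous password until the next
    # scheduled inventory, so a failure here must surface as a policy failure.
    [ -x "$JAMF_BIN" ] || { log "jamf binary not found at $JAMF_BIN"; return 2; }
    "$JAMF_BIN" recon >/dev/null 2>&1; rc=$?
    if [ "$rc" -ne 0 ]; then
        log "jamf recon failed with status $rc; Jamf Pro may hold a stale password"
        return 1
    fi
    log "inventory update submitted"
    return 0
}

rotate_and_report() {
    rotate_password || return $?
    update_inventory
}

# Jamf passes mount point, computer name and user as $1-$3; set policy
# parameter 4 to "rotate" to run the workflow. Sourcing the file without that
# argument only defines the functions. The script's exit status is the workflow's.
case "${4:-}" in
    rotate) rotate_and_report ;;
esac
```

Attach the script to a policy with an ongoing frequency triggered at check-in (15 or 30 minutes, per the Check-In setting mentioned above) and set script parameter 4 to `rotate`; the policy then fails visibly in the Jamf Pro log whenever a rotation happened but the inventory update did not.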

DaveKozl commented 1 year ago

Hi, I see that the change is already implemented in the new version. Can you specify a parameter during installation so that it is not added during installation?

joshua-d-miller commented 1 year ago

Yes you can use installer choices XML to not include the LaunchDaemon. This is something I'm hoping to add to the wiki over the holiday break for those that do not want to include the LaunchDaemon.
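What "installer choices XML" looks like in practice, as an added example that is not from the macOSLAPS project: a choice-changes plist that deselects one component of a package, applied with the macOS `installer` command's `-applyChoiceChangesXML` flag (the choices are listed first with `-showChoiceChangesXML`). The choice identifier for the macOSLAPS LaunchDaemon component is not on this page; the value `com.example.macOSLAPS.launchdaemon` used here is a placeholder that must be replaced with the identifier printed by `list_choices` for the actual package.

```shell
#!/bin/sh
# Added example, not from the macOSLAPS project: exclude a component (here the
# LaunchDaemon) from a package installation with an installer choice-changes
# plist, the mechanism referred to above as "installer choices XML".
#
# The choice identifier is package-specific and not known here; discover it
# with list_choices and substitute it. "com.example.macOSLAPS.launchdaemon"
# is a placeholder, not the real identifier.

# Print the package's choices as a plist; each <choiceIdentifier> is a candidate
# to deselect. Run against the real .pkg on macOS.
list_choices() {
    installer -showChoiceChangesXML -pkg "$1" -target /
}

# Emit a choice-changes plist that sets the "selected" attribute of one choice to 0.
choice_changes_xml() {
    choice="$1"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
  <dict>
    <key>attributeSetting</key>
    <integer>0</integer>
    <key>choiceAttribute</key>
    <string>selected</string>
    <key>choiceIdentifier</key>
    <string>${choice}</string>
  </dict>
</array>
</plist>
EOF
}

# Install the package with the given choice deselected; returns installer's status.
install_without_choice() {
    pkg="$1"; choice="$2"
    xml=$(mktemp "${TMPDIR:-/tmp}/laps-choices.XXXXXX") || return 1
    choice_changes_xml "$choice" > "$xml"
    installer -pkg "$pkg" -target / -applyChoiceChangesXML "$xml"; rc=$?
    rm -f "$xml"
    return "$rc"
}

# Usage: sudo sh install_laps.sh /path/to/macOSLAPS.pkg com.example.macOSLAPS.launchdaemon
if [ $# -eq 2 ]; then
    install_without_choice "$1" "$2"
fi
```

After installing this way, confirm nothing was loaded from /Library/LaunchDaemons for macOSLAPS and that the policy or MDM-side trigger from the earlier comment is in place, since without either the password will never rotate.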