joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

Initial Password Override Config Profile Option #83

Closed: staze closed this 1 year ago

staze commented 1 year ago

I know you mention in the docs that the config profile overrides the CLI option, but we do have a use case where the opposite might be nice (maybe a new CLI option?).

We currently use a script that does this functionality, and stores the current laps password in jamf. Would love to migrate to macOSLAPS, but the migration process would have to happen in tandem with new rollouts. Our default imaging password would remain the same, but migrating to macOSLAPS would require passing the current non-default password to macOSLAPS.

We could likely exclude the key from a config profile for machines that don't have default password, but this gets a little messy with logic.

Thoughts?

joshua-d-miller commented 1 year ago

The -firstPass command line option will accept whatever string you give it, so if the password is different on different systems you could pass -firstPass "Password1" here and -firstPass "Password2" in different policies, as long as you know which systems are which, of course. I may be misunderstanding what you are trying to accomplish; if so, please let me know and I'd be happy to help you think of other options.

staze commented 1 year ago

Howdy!

So the issue is both migration of existing machines, and handling new machines.

So if we set the default password in the config, that will work for new machines. For existing machines that use the script method, it would be great if we could have the -firstPass option override what's in the config profile, so we could set the config profile for everything, then use -firstPass to "initialize". Otherwise, we would either need to roll all machines back to the default password, or have multiple branches of the config profile (also doable) that do/don't include the InitialPass field.

Actually, come to think of it, including InitialPass in the config profile seems... risky, given users could find that. So maybe we just use -firstPass across the board.

joshua-d-miller commented 1 year ago

Hey there,

I was actually going to suggest removing the first password from the configuration profile, as judging by your use case it would probably be advantageous to provide the first password using the command line flag. I actually added the command line flag because users were uncomfortable with the password in the configuration profile. I completely understand. Let me know how it works out.

Thanks!
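The workflow agreed on above, as an added example and not code from the macOSLAPS project or from either participant: a Jamf-style policy script that hands the account's current password to macOSLAPS through -firstPass, so nothing has to be stored in the configuration profile, and that then checks the old password really stopped working. Everything beyond the -firstPass flag itself is an assumption: the install path /usr/local/laps/macOSLAPS, the use of Jamf script parameters $4 (account), $5 (current per-machine password, empty for machines still on the imaging default) and $6 (imaging default), and the dscl -authonly check, which is a macOS command and will not run elsewhere. One caveat a practitioner should weigh: a value passed on the command line sits in the process's argv and is visible to other local users via ps for as long as macOSLAPS runs, which is the trade-off against a password readable from a profile on disk.

```shell
#!/bin/bash
# Added example, not part of the macOSLAPS project. Initializes macOSLAPS with
# the account's current password via -firstPass instead of a profile key.
#
# Assumed (not stated in the thread): macOSLAPS lives at /usr/local/laps/macOSLAPS;
# Jamf passes the admin account as $4, the machine's current password as $5
# (empty for machines still on the imaging default) and the imaging default as $6.

LAPS_BIN="${LAPS_BIN:-/usr/local/laps/macOSLAPS}"

# Pick the value for -firstPass: the per-machine password if the policy supplied
# one, otherwise the imaging default. printf, not echo, so a password that
# starts with "-" is not swallowed as an echo option.
select_first_pass() {
    per_machine="$1"
    default="$2"
    if [ -n "$per_machine" ]; then
        printf '%s' "$per_machine"
    else
        printf '%s' "$default"
    fi
}

# Does ACCOUNT still authenticate with PASSWORD? dscl -authonly is macOS-only.
# Returns 0 if the credentials are still valid.
still_authenticates() {
    dscl /Local/Default -authonly "$1" "$2" >/dev/null 2>&1
}

# Run the initial rotation and confirm the old password no longer works.
# Return codes: 0 rotated, 2 binary missing, 3 old password still valid,
# anything else is macOSLAPS's own exit status.
initial_rotation() {
    account="$1"
    first_pass="$2"
    if [ ! -x "$LAPS_BIN" ]; then
        echo "macOSLAPS not found at $LAPS_BIN" >&2
        return 2
    fi
    # The password is in argv here and visible via ps while macOSLAPS runs.
    "$LAPS_BIN" -firstPass "$first_pass" || return $?
    if still_authenticates "$account" "$first_pass"; then
        echo "password for $account was not rotated" >&2
        return 3
    fi
    return 0
}

main() {
    account="${4:-}"
    current="${5:-}"
    default="${6:-}"
    if [ -z "$account" ] || [ -z "$default" ]; then
        echo 'usage: $4=account $5=current password (may be empty) $6=imaging default' >&2
        return 1
    fi
    initial_rotation "$account" "$(select_first_pass "$current" "$default")"
}

# Jamf passes mount point, computer name and user as $1-$3 before the script
# parameters; with fewer arguments only the functions are defined.
if [ $# -ge 4 ]; then
    main "$@"
fi
```

Per-machine passwords pulled from the old script's record in Jamf can be fed in as $5 by separate policies scoped to those machines, while new machines run the same script with $5 left empty.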

staze commented 1 year ago

Yup, thanks!