jelockwood
commented
1 year ago @joshua-d-miller Ah! Whilst I could not find it in the Wiki, I see that the way you currently do this for Jamf is to have Jamf run an extension attribute script to read the contents of a file that contains the password.
Whilst the file is in the 'hidden' root home directory it is not completely secure and I believe it also contains the password in plain text.
As mentioned some other LAPS solutions store it directly in Jamf by using the Jamf API to write to an extension attribute and furthermore do so with an encryption of the content. (The encryption key is stored in Jamf and also not stored locally on the Mac.)
This approach is a bit more complex to initially write but that should only need doing once and you could look at some other examples for guidance on this. It does however have the benefit of not storing the password in plain text on the Mac at any stage.
dbnewman
joshua-d-miller
@joshua-d-miller As far as I can see your version of macOSLAPS is designed to store the LAPS password in AD and hence should be retrievable by other AD admins. It also according to the documentation may store it locally in a keychain but this seems pointless as you would need a local admin account credential to login to retrieve the local keychain stored credential.
Whilst right now I am working at a site which has a local AD that could be utilised for this my experience is that Macs being bound to AD is an increasingly rare situation.
As I am sure you are aware several other LAPS solutions store the LAPS credential in an MDM - typically Jamf Pro. (Some other more 'modern' MDMs have built-in LAPS capabilities.)
If I am right, is there any possibility of you adding the capability to store the credential in Jamf Pro? (This would be done in an extension attribute using the Jamf API to access it.)