Joshua D Miller / MacOSLAPS Versions

Swift binary that changes a local administrator password to a randomly generated password, similar in behavior to LAPS for Windows.

4.0.0(845)

3 months ago

A mostly bug-fixing build of macOSLAPS with a small new feature.

Temporary Keychain Item

Instead of writing a plain text file to the filesystem, we now create a temporary keychain item that the security command has access to read. This means you can run macOSLAPS -getpassword and it will generate a keychain item identified by a random UUID. That UUID is still written to disk, in the hidden file /var/root/.GeneratedLAPSServiceName. When macOSLAPS runs again, the keychain item is removed. This may resolve issue #97.

Additional context for Temporary Keychain Item

With this change, and depending on how this release goes, extension attributes will need to be rewritten to account for it. The wiki and examples will be updated.
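An added example, not macOSLAPS project code, of how an extension attribute could read the temporary keychain item described above. It assumes that the UUID in /var/root/.GeneratedLAPSServiceName is the keychain item's service name, that the item is on root's default keychain search list, and that "security find-generic-password -s <uuid> -w" is the right query; the command runner is injectable so the file-handling logic can be checked without a Mac.

```python
"""Read the macOSLAPS 4.0 temporary keychain item from an MDM extension attribute.

Added example, not macOSLAPS project code. Assumptions (not stated in the
release notes): the UUID in /var/root/.GeneratedLAPSServiceName is the keychain
item's *service* name, the item lives in a keychain on root's default search
list, and `security find-generic-password -s <service> -w` is the right query.
"""
import subprocess
import uuid
from pathlib import Path
from typing import Callable, List, Optional, Tuple

SERVICE_NAME_FILE = Path("/var/root/.GeneratedLAPSServiceName")  # from the release notes

# A runner takes an argv list and returns (exit_code, stdout). It is injected
# so the logic can be exercised without a macOS keychain.
Runner = Callable[[List[str]], Tuple[int, str]]


def default_runner(argv: List[str]) -> Tuple[int, str]:
    """Run the command for real; only meaningful on macOS, as root."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def read_service_name(path: Path = SERVICE_NAME_FILE) -> Optional[str]:
    """Return the UUID service name, or None if the file is missing or malformed.

    The contents are validated as a UUID (but returned unchanged, since the
    keychain lookup may be case-sensitive) so a tampered or truncated file can
    never put anything unexpected into the argv handed to `security`.
    """
    try:
        raw = path.read_text(encoding="utf-8").strip()
    except OSError:
        return None
    try:
        uuid.UUID(raw)
    except ValueError:
        return None
    return raw


def fetch_laps_password(runner: Runner = default_runner,
                        path: Path = SERVICE_NAME_FILE) -> Optional[str]:
    """Fetch the password held in the temporary item, or None if it is gone.

    The item is removed the next time macOSLAPS runs, so a missing item is an
    expected condition rather than an error: the caller should trigger
    `macOSLAPS -getpassword` again and retry.
    """
    service = read_service_name(path)
    if service is None:
        return None
    code, out = runner(["/usr/bin/security", "find-generic-password",
                        "-s", service, "-w"])
    if code != 0:  # errSecItemNotFound or any other security(1) failure
        return None
    return out.rstrip("\n")


if __name__ == "__main__":
    pw = fetch_laps_password()
    print("<result>%s</result>" % (pw if pw is not None else "not present"))
```

The result is printed in the Jamf-style <result> wrapper only as an illustration of where an extension attribute would emit it; the functions themselves never log the password.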

Agnostic command line flags

Command line flags no longer need to be typed with exact case: all flags are converted to lowercase before being matched (for example, -getPassword, -GETPASSWORD and -getpassword all work 👍). Resolves issue #89.

Better requirements password building

If you define password requirements, the required number of characters from each class is now selected BEFORE the rest of the password is generated. The password is shuffled for good measure as well.

Native Password Verification

We now use Open Directory to natively verify the password. Resolves issue #94.

Multiple Packages

Per a request from the LAPS channel in the MacAdmins Slack, there are now multiple packages available, all signed and notarized by Apple. If you'd like to continue using the combined package, download the unlabeled one.

Deprecations

With this release, macOSLAPS-repair will no longer be shipped with the package, as it is no longer needed. It was added to help with migrating the signing authority when I departed Penn State. I plan to keep this under my Developer ID for the foreseeable future.

As always, please test and report back your results.

3.1.0(843)

3 months ago

A mostly bug-fixing build of macOSLAPS with a small new feature.

Temporary Keychain Item

Instead of writing a plain text file to the filesystem, we now create a temporary keychain item that the security command has access to read. This means you can run macOSLAPS -getpassword and it will generate a keychain item identified by a random UUID. That UUID is still written to disk, in the hidden file /var/root/.GeneratedLAPSServiceName. When macOSLAPS runs again, the keychain item is removed. This may resolve issue #97.

Additional context for Temporary Keychain Item

With this change, and depending on how this release goes, extension attributes will need to be rewritten to account for it. The wiki and examples will be updated.

Agnostic command line flags

Command line flags no longer need to be typed with exact case: all flags are converted to lowercase before being matched (for example, -getPassword, -GETPASSWORD and -getpassword all work 👍). Resolves issue #89.

Better requirements password building

If you define password requirements, the required number of characters from each class is now selected BEFORE the rest of the password is generated. The password is shuffled for good measure as well.

Native Password Verification

We now use Open Directory to natively verify the password. Resolves issue #94.

Multiple Packages

Per a request from the LAPS channel in the MacAdmins Slack, there are now multiple packages available, all signed and notarized by Apple. If you'd like to continue using the combined package, download the unlabeled one.

As always, please test and report back your results.

3.0.4(781)

1 year ago

This is a small release of macOSLAPS that makes the following changes:

Command Line Flags

The following command line flags NO LONGER require macOSLAPS to be running as root. Requested in issue #82.

  • -version
  • -help

Bug Fix

An issue was identified where the version number for 3.0.3 was not correct and could cause problems. This has been corrected and should resolve issue #87.

3.0.3(778)

1 year ago

This is a small release of macOSLAPS that makes the following changes:

Command Line Flags

The following command line flags NO LONGER require macOSLAPS to be running as root. Requested in issue #82.

  • -version
  • -help

3.0.2(776)

1 year ago

New Command Line Options

In macOSLAPS 3.0.0 there are two new command line options:

  1. -firstPass - Using this flag triggers a password reset. Either the FirstPass configuration profile key is used, OR you can pass the FirstPass value as a quoted string in the second argument when running macOSLAPS from the command line (Example: "p938hne(P*JP(*#").
    • Side note: the FirstPass key in the configuration profile takes precedence, as most people have it configured that way at this time. If you want to specify it on the command line, remove the key from the configuration profile.
  2. -help - Displays a help menu of ALL available macOSLAPS command line arguments.

Password Requirements

New in this version, you can set Password Requirements for the generated password. These requirements validate the password BEFORE it is changed and saved to the Keychain (and to AD, if you are still using Active Directory). Set the following in the configuration:

<key>PasswordRequirements</key>
<dict>
    <key>Lowercase</key>
    <integer>1</integer>
    <key>Uppercase</key>
    <integer>1</integer>
    <key>Number</key>
    <integer>1</integer>
    <key>Symbol</key>
    <integer>1</integer>
</dict>

With the settings in the example above, your password would need to have 1 lowercase letter, 1 uppercase letter, 1 number and 1 symbol. macOSLAPS will try up to 10 times to generate a password that validates before exiting and logging the failure.
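As an added example (not macOSLAPS code), the following Python reproduces the behaviour the notes describe: it loads the PasswordRequirements dictionary above with plistlib, treats each count as a minimum (an assumption), builds a password by drawing the required characters first and then shuffling (the approach 4.0.0's "Better requirements password building" describes), validates the result, and retries up to 10 times. The character sets, the password length, the naive generator used for contrast, and the Safari-style grouping helper (keyed on the PasswordGrouping and PasswordSeparator keys from 2.1.0) are this example's own assumptions, not the project's.

```python
"""Generate and validate a password against macOSLAPS-style PasswordRequirements.

Added example, not macOSLAPS project code. Each requirement count is treated
as a minimum (assumption). The character classes, the symbol set and the
retry loop shape are this example's choices.
"""
import plistlib
import secrets
import string
from typing import Dict, Optional

# The configuration fragment from the release notes, wrapped in a plist
# envelope so plistlib can parse it (constructed input).
CONFIG_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PasswordRequirements</key>
    <dict>
        <key>Lowercase</key>
        <integer>1</integer>
        <key>Uppercase</key>
        <integer>1</integer>
        <key>Number</key>
        <integer>1</integer>
        <key>Symbol</key>
        <integer>1</integer>
    </dict>
</dict>
</plist>
"""

# Character class per requirement key. The symbol set is an assumption.
CLASSES = {
    "Lowercase": string.ascii_lowercase,
    "Uppercase": string.ascii_uppercase,
    "Number": string.digits,
    "Symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
MAX_ATTEMPTS = 10  # from the release notes


def load_requirements(plist_bytes: bytes) -> Dict[str, int]:
    """Return {class_name: minimum_count}, ignoring unknown keys and zero counts."""
    config = plistlib.loads(plist_bytes)
    reqs = config.get("PasswordRequirements", {})
    return {k: int(v) for k, v in reqs.items() if k in CLASSES and int(v) > 0}


def validate(password: str, requirements: Dict[str, int]) -> bool:
    """True when every class appears at least the required number of times."""
    return all(sum(ch in CLASSES[name] for ch in password) >= need
               for name, need in requirements.items())


def generate(length: int, requirements: Dict[str, int], require_first: bool = True,
             rng=secrets.SystemRandom()) -> str:
    """Build one candidate password of the given length from a CSPRNG.

    require_first=True is the 4.0.0 approach: draw the required characters
    from each class first, fill the remainder from the whole pool, then
    shuffle so the required characters are not clustered at the front.
    require_first=False just samples the pool and leaves it to the validation
    loop (our stand-in for behaviour without that step; an assumption).
    """
    pool = "".join(CLASSES.values())
    chars = []
    if require_first:
        if sum(requirements.values()) > length:
            raise ValueError("length too short to satisfy requirements")
        chars = [rng.choice(CLASSES[name])
                 for name, need in requirements.items() for _ in range(need)]
    chars += [rng.choice(pool) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def generate_validated(length: int, requirements: Dict[str, int],
                       require_first: bool = True) -> Optional[str]:
    """Mirror the 10-attempt loop: a valid password, or None for the caller to log."""
    for _attempt in range(MAX_ATTEMPTS):
        candidate = generate(length, requirements, require_first)
        if validate(candidate, requirements):
            return candidate
    return None


def group(password: str, grouping: int, separator: str) -> str:
    """Safari-style grouping, e.g. abcd-efgh-ijkl (PasswordGrouping/PasswordSeparator)."""
    if grouping <= 0:
        return password
    return separator.join(password[i:i + grouping]
                          for i in range(0, len(password), grouping))


if __name__ == "__main__":
    reqs = load_requirements(CONFIG_PLIST)
    pw = generate_validated(16, reqs)
    print("valid" if pw and validate(pw, reqs) else "gave up after 10 attempts")
```

With require_first=True the validation loop never has to retry, which is exactly why the 4.0.0 change matters: with require_first=False the chance of a random 16-character draw missing a class is small but real, and the 10-attempt cap is what turns that into a logged failure instead of an unchanged password.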

Optional LaunchDaemon

With this release, you can elect to forgo the LaunchDaemon and trigger macOSLAPS manually from your MDM of choice.

Bug Fixes

  • The output folder for the local method is now detected and created if it does not exist.
  • Password verification for the local method when attempting to retrieve the password, which is now logged.
  • Determining whether the keychain item exists when attempting to retrieve the password, which is also logged.
  • Fix for the error when using the paths.d/laps file, by adding /bin/chmod 744 /etc/paths.d/laps to the postinstall script.
  • The local method now actually changes the password the first time it runs; there was a bug in detecting the keychain item.

Special Thanks

I sincerely appreciate the feedback and helpfulness of the community. Thanks to @franton for the pre- and postinstall PKG scripts. I once again want to thank the entire MacAdmins community, and especially those involved in the #macoslaps channel, for their feedback and encouragement.

3.0.1(771)

1 year ago

New Command Line Options

In macOSLAPS 3.0.0 there are two new command line options:

  1. -firstPass - Using this flag triggers a password reset. Either the FirstPass configuration profile key is used, OR you can pass the FirstPass value as a quoted string in the second argument when running macOSLAPS from the command line (Example: "p938hne(P*JP(*#").
    • Side note: the FirstPass key in the configuration profile takes precedence, as most people have it configured that way at this time. If you want to specify it on the command line, remove the key from the configuration profile.
  2. -help - Displays a help menu of ALL available macOSLAPS command line arguments.

Password Requirements

New in this version, you can set Password Requirements for the generated password. These requirements validate the password BEFORE it is changed and saved to the Keychain (and to AD, if you are still using Active Directory). Set the following in the configuration:

<key>PasswordRequirements</key>
<dict>
    <key>Lowercase</key>
    <integer>1</integer>
    <key>Uppercase</key>
    <integer>1</integer>
    <key>Number</key>
    <integer>1</integer>
    <key>Symbol</key>
    <integer>1</integer>
</dict>

With the settings in the example above, your password would need to have 1 lowercase letter, 1 uppercase letter, 1 number and 1 symbol. macOSLAPS will try up to 10 times to generate a password that validates before exiting and logging the failure.

As always, I sincerely appreciate this community and welcome any feedback you may have.

Bug Fixes

  • The output folder for the local method is now detected and created if it does not exist.
  • Password verification for the local method when attempting to retrieve the password, which is now logged.
  • Determining whether the keychain item exists when attempting to retrieve the password, which is also logged.
  • Fix for the error when using the paths.d/laps file, by adding /bin/chmod 744 /etc/paths.d/laps to the postinstall script.

Special Thanks

I sincerely appreciate the feedback and helpfulness of the community. Thanks to @franton for the pre- and postinstall PKG scripts. I once again want to thank the entire MacAdmins community, and especially those involved in the #macoslaps channel, for their feedback and encouragement.

Update March 20: the package was uploaded again, as it is now notarized and stapled.

3.0.0(752)

2 years ago

New Command Line Options

In macOSLAPS 3.0.0 there are two new command line options:

  1. -firstPass - Using this flag triggers a password reset. Either the FirstPass configuration profile key is used, OR you can pass the FirstPass value as a quoted string in the second argument when running macOSLAPS from the command line (Example: "p938hne(P*JP(*#").
    • Side note: the FirstPass key in the configuration profile takes precedence, as most people have it configured that way at this time. If you want to specify it on the command line, remove the key from the configuration profile.
  2. -help - Displays a help menu of ALL available macOSLAPS command line arguments.

Password Requirements

New in this version, you can set Password Requirements for the generated password. These requirements validate the password BEFORE it is changed and saved to the Keychain (and to AD, if you are still using Active Directory). Set the following in the configuration:

<key>PasswordRequirements</key>
<dict>
    <key>Lowercase</key>
    <integer>1</integer>
    <key>Uppercase</key>
    <integer>1</integer>
    <key>Number</key>
    <integer>1</integer>
    <key>Symbol</key>
    <integer>1</integer>
</dict>

With the settings in the example above, your password would need to have 1 lowercase letter, 1 uppercase letter, 1 number and 1 symbol. macOSLAPS will try up to 10 times to generate a password that validates before exiting and logging the failure.

As always, I sincerely appreciate this community and welcome any feedback you may have.

Special Thanks

I sincerely appreciate the feedback and helpfulness of the community. Thanks to @franton for the pre- and postinstall PKG scripts. I once again want to thank the entire MacAdmins community, and especially those involved in the #macoslaps channel, for their feedback and encouragement.

Update March 20: the package was uploaded again, as it is now notarized and stapled.

2.1.0(721)

2 years ago

Changes in 2.1.0(721):

  • Local Only Mode - macOSLAPS now supports setting the Method key to either AD (for Active Directory) or Local. Local lets you use macOSLAPS in a local-only setting that does not write to Active Directory. To compensate, you can then run /usr/local/laps/macOSLAPS -getPassword after the fact, which writes the following files:
    • /var/root/Library/Application Support/macOSLAPS-password
    • /var/root/Library/Application Support/macOSLAPS-expiration
    These files can then be read by your MDM, when run as root, to report the password and its expiration date. When macOSLAPS runs again without the -getPassword flag, it deletes these files.
  • Password Grouping - Using the keys PasswordGrouping and PasswordSeparator, you can create a password whose characters are split into groups by a separator, very similar to Safari-style passwords. Thanks to @MagerValp for the initial code.
  • Error Checking Improved - I believe I have improved error checking; should something go wrong in either the AD password change or the Local password change, the changes would be reverted and the application would exit.
  • Bundle Identifier and Signing Certificate Rotation - A new helper, macOSLAPS-repair, has been placed in /usr/local/laps. It is used to change the signing identity of the original binary once that binary has been given access to the keychain entry, allowing us to move from a Mac Developer signing identity with a bundle identifier of $(PRODUCT_BUNDLE_IDENTIFIER) to Developer ID Application and edu.psu.macOSLAPS. This is mostly an under-the-hood change, but it also allows for a more official signature.
  • Universal - This build of macOSLAPS runs on both Apple Silicon and Intel Macs.
  • ISODate Formatting - Thanks to @magervalp for his insight on this, the date is now in ISO8601 format so that it works properly internationally.
  • Developer ID Installer Certificate - This package is now signed with a Developer ID Installer certificate.
  • Expiration Date for Local Method - I received reports that when extracting the expiration date, it was only showing the created date rather than the expiration date. I have gone ahead and resolved this issue, but please test to ensure it has been resolved.

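An added example, not macOSLAPS code, of reading the two local-method files from an MDM extension attribute so the password and its expiration can be reported. It assumes the expiration file holds a single ISO8601 timestamp (the notes say ISO8601 but do not show the exact form) and that both files are plain UTF-8 text; the support directory and the current time are parameters so the logic can be checked off a Mac. A missing file is treated as a normal outcome, because the next macOSLAPS run without -getPassword deletes both files.

```python
"""Report the macOSLAPS 2.x local-method password state from the files that
`macOSLAPS -getPassword` writes.

Added example, not macOSLAPS project code. Assumptions: the expiration file
holds one ISO8601 timestamp and both files are plain UTF-8 text.
"""
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Locations from the release notes.
SUPPORT_DIR = Path("/var/root/Library/Application Support")
PASSWORD_FILE = "macOSLAPS-password"
EXPIRATION_FILE = "macOSLAPS-expiration"


def parse_iso8601(text: str) -> Optional[datetime]:
    """Parse an ISO8601 timestamp; naive values are taken as UTC. None if unparsable."""
    raw = text.strip()
    if raw.endswith("Z"):  # datetime.fromisoformat() before 3.11 rejects a trailing 'Z'
        raw = raw[:-1] + "+00:00"
    try:
        dt = datetime.fromisoformat(raw)
    except ValueError:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def read_local_state(support_dir: Path = SUPPORT_DIR,
                     now: Optional[datetime] = None) -> dict:
    """Return a report dict and never raise on missing or malformed files.

    Missing files are expected: macOSLAPS deletes both the next time it runs
    without -getPassword, so an extension attribute must treat "not present"
    as a normal result and request a fresh -getPassword run instead of failing.
    """
    now = now or datetime.now(timezone.utc)
    pw_path = support_dir / PASSWORD_FILE
    exp_path = support_dir / EXPIRATION_FILE
    report = {"present": False, "password": None, "expires_at": None,
              "expired": None, "days_remaining": None}
    if not pw_path.is_file() or not exp_path.is_file():
        return report
    report["present"] = True
    report["password"] = pw_path.read_text(encoding="utf-8").strip()
    expires = parse_iso8601(exp_path.read_text(encoding="utf-8"))
    if expires is not None:  # a malformed date still reports the password
        report["expires_at"] = expires.isoformat()
        report["expired"] = expires <= now
        report["days_remaining"] = (expires - now).days
    return report


if __name__ == "__main__":
    state = read_local_state()
    if not state["present"]:
        print("<result>not present; run macOSLAPS -getPassword first</result>")
    else:
        print("<result>expires %s (expired=%s)</result>"
              % (state["expires_at"], state["expired"]))
```

The top-level code deliberately reports only the expiration when run directly; an extension attribute that must emit the password itself can read state["password"] from the returned dict.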
Please give this a try and let me know how it fares in your environment, and as always, if you have any questions or concerns, please be sure to let me know. This package has been notarized by Apple.

An extension attribute has been added to the repository for those of you using this with Jamf Pro. You can download that here.

NOTE: Unfortunately, the certificate used to sign previous versions was revoked by my previous employer. Those using this for the first time will NOT be affected. If you are in a full environment, I'm currently working to resolve the issue going forward for those that have used the product over the years. One thing you can try, and report the results to me, is this:

sudo codesign --remove-signature /usr/local/laps/macOSLAPS

2.1.0(716)

2 years ago

Changes in 2.1.0(716):

  • Local Only Mode - macOSLAPS now supports setting the Method key to either AD (for Active Directory) or Local. Local lets you use macOSLAPS in a local-only setting that does not write to Active Directory. To compensate, you can then run /usr/local/laps/macOSLAPS -getPassword after the fact, which writes the following files:
    • /var/root/Library/Application Support/macOSLAPS-password
    • /var/root/Library/Application Support/macOSLAPS-expiration
    These files can then be read by your MDM, when run as root, to report the password and its expiration date. When macOSLAPS runs again without the -getPassword flag, it deletes these files.
  • Password Grouping - Using the keys PasswordGrouping and PasswordSeparator, you can create a password whose characters are split into groups by a separator, very similar to Safari-style passwords. Thanks to @MagerValp for the initial code.
  • Error Checking Improved - I believe I have improved error checking; should something go wrong in either the AD password change or the Local password change, the changes would be reverted and the application would exit.
  • Bundle Identifier and Signing Certificate Rotation - A new helper, macOSLAPS-repair, has been placed in /usr/local/laps. It is used to change the signing identity of the original binary once that binary has been given access to the keychain entry, allowing us to move from a Mac Developer signing identity with a bundle identifier of $(PRODUCT_BUNDLE_IDENTIFIER) to Developer ID Application and edu.psu.macOSLAPS. This is mostly an under-the-hood change, but it also allows for a more official signature.
  • Universal - This build of macOSLAPS runs on both Apple Silicon and Intel Macs.
  • ISODate Formatting - Thanks to @magervalp for his insight on this, the date is now in ISO8601 format so that it works properly internationally.
  • Developer ID Installer Certificate - This package is now signed with a Developer ID Installer certificate.
  • Expiration Date for Local Method - I received reports that when extracting the expiration date, it was only showing the created date rather than the expiration date. I have gone ahead and resolved this issue, but please test to ensure it has been resolved.

Please give this a try and let me know how it fares in your environment, and as always, if you have any questions or concerns, please be sure to let me know.

NOTE: Unfortunately, the certificate used to sign previous versions was revoked by my previous employer. Those using this for the first time will NOT be affected. If you are in a full environment, I'm currently working to resolve the issue going forward for those that have used the product over the years. One thing you can try, and report the results to me, is this:

sudo codesign --remove-signature /usr/local/laps/macOSLAPS

2.0.0(713)

2 years ago

This is a new test build of macOSLAPS with some new features:

Changes in 2.0.0(698):

  • Local Only Mode - macOSLAPS now supports setting the Method key to either AD (for Active Directory) or Local. Local lets you use macOSLAPS in a local-only setting that does not write to Active Directory. To compensate, you can then run /usr/local/laps/macOSLAPS -getPassword after the fact, which writes the following files:
    • /var/root/Library/Application Support/macOSLAPS-password
    • /var/root/Library/Application Support/macOSLAPS-expiration
    These files can then be read by your MDM, when run as root, to report the password and its expiration date. When macOSLAPS runs again without the -getPassword flag, it deletes these files.
  • Password Grouping - Using the keys PasswordGrouping and PasswordSeparator, you can create a password whose characters are split into groups by a separator, very similar to Safari-style passwords. Thanks to @MagerValp for the initial code.
  • Error Checking Improved - I believe I have improved error checking; should something go wrong in either the AD password change or the Local password change, the changes would be reverted and the application would exit.
  • Bundle Identifier and Signing Certificate Rotation - A new helper, macOSLAPS-repair, has been placed in /usr/local/laps. It is used to change the signing identity of the original binary once that binary has been given access to the keychain entry, allowing us to move from a Mac Developer signing identity with a bundle identifier of $(PRODUCT_BUNDLE_IDENTIFIER) to Developer ID Application and edu.psu.macOSLAPS. This is mostly an under-the-hood change, but it also allows for a more official signature.
  • Universal - This build of macOSLAPS runs on both Apple Silicon and Intel Macs.
  • ISODate Formatting - Thanks to @magervalp for his insight on this, the date is now in ISO8601 format so that it works properly internationally.
  • Developer ID Installer Certificate - This package is now signed with a Developer ID Installer certificate.
  • Expiration Date for Local Method - I received reports that when extracting the expiration date, it was only showing the created date rather than the expiration date. I have gone ahead and resolved this issue, but please test to ensure it has been resolved.

Please give this a try and let me know how it fares in your environment, and as always, if you have any questions or concerns, please be sure to let me know.