Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows.
A mostly bug fixing build of macOSLAPS with a slight new feature.
Instead of writing a plain text file to the filesystem, we are now creating a temporary keychain item that the security command has access to read. This means that you can run macOSLAPS -getpassword and it will generate a keychain item with a random UUID. This UUID is still written to disk to a file /var/root/.GeneratedLAPSServiceName which is also hidden. When macOSLAPS runs again the keychain item is removed. Possibly a solution to issue #97.
With this change, and depending on the success of this release, extension attributes will need to be rewritten to account for this. The Wiki and examples will be updated.
You will no longer need to run the command line flags with exact syntax. All command line flags are converted to lowercase and will run accordingly. (Example: You can now run -getPassword, -GETPASSWORD or -getpassword and they will all work 👍.) Resolves issue #89
If you define password requirements we will now select X amount of those characters BEFORE generating the rest of the password. The password is shuffled for good measure as well.
We now use Open Directory to natively verify the password. Resolves issue #94
Per the request of the LAPS channel in the MacAdmins Slack, there are now multiple packages available all signed and notarized by Apple. If you'd like to continue using just the combined package you can just download the non labeled package.
With this release macOSLAPS-repair will no longer be shipped with the package as it is no longer needed. This was to attempt to help with migration of the signing authority when I departed Penn State. I plan to keep this under my Developer ID for the foreseeable future.
As always please test and report back your results.
This is a small release of macOSLAPS that makes the following changes:
The following command line flags will NO LONGER require macOSLAPS to be running as root. Requested in issue #82.
-version
-help
An issue was identified that the versioning for 3.0.3 was not correct and could cause issues. This has been corrected and should resolve issue #87
New Command Line Options
In macOSLAPS 3.0.0 there are now two new command line options that can be called:
-firstPass - When using this key a password reset will be triggered and either the FirstPass configuration profile key will be used OR you can specify the FirstPass as a string in the second argument when running macOSLAPS from the command line in quotes (Example: "p938hne(P*JP(*#")
-help - Displays a help menu of ALL available macOSLAPS command line arguments
Password Requirements
New in this version you can set Password Requirements for the generated password. These requirements will allow validation of the password BEFORE it is changed and saved to Keychain (and AD if still using Active Directory). This can be performed by setting the following in config:
<key>PasswordRequirements</key>
<dict>
<key>Lowercase</key>
<integer>1</integer>
<key>Uppercase</key>
<integer>1</integer>
<key>Number</key>
<integer>1</integer>
<key>Symbol</key>
<integer>1</integer>
</dict>
With these settings in the example above your password would need to have 1 lowercase, 1 uppercase, 1 number and 1 symbol. macOSLAPS will try 10 times to validate a generated password before exiting out and logging.
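The two behaviours described in these notes, validate-and-retry (up to 10 attempts) and the later approach of selecting the required characters first and then shuffling, sketched as an added Python example. It is not macOSLAPS code: the character sets, function names and plist wrapper are assumptions; only the PasswordRequirements keys and the 10-attempt limit come from the page.

```python
import plistlib
import secrets
import string

# Constructed sample: the PasswordRequirements dict from the page inside a minimal plist.
SAMPLE_CONFIG = b"""<plist version="1.0"><dict><key>PasswordRequirements</key><dict>
<key>Lowercase</key><integer>1</integer><key>Uppercase</key><integer>1</integer>
<key>Number</key><integer>1</integer><key>Symbol</key><integer>1</integer>
</dict></dict></plist>"""

# Assumed character set per requirement key; the tool's real sets may differ.
CLASSES = {
    "Lowercase": string.ascii_lowercase,
    "Uppercase": string.ascii_uppercase,
    "Number": string.digits,
    "Symbol": "!@#$%^&*()-_=+",
}
POOL = "".join(CLASSES.values())

def load_requirements(plist_bytes):
    """Read the per-class minimum counts, rejecting keys we cannot enforce."""
    reqs = plistlib.loads(plist_bytes).get("PasswordRequirements", {})
    unknown = set(reqs) - set(CLASSES)
    if unknown:
        raise ValueError(f"unknown requirement keys: {sorted(unknown)}")
    return reqs

def meets(password, reqs):
    """True when every class appears at least its required number of times."""
    return all(sum(c in CLASSES[k] for c in password) >= n for k, n in reqs.items())

def generate(length, reqs):
    """Select-first: required characters, random fill, then a CSPRNG shuffle."""
    if sum(reqs.values()) > length:
        raise ValueError("requirements exceed password length")
    chars = [secrets.choice(CLASSES[k]) for k, n in reqs.items() for _ in range(n)]
    chars += [secrets.choice(POOL) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so required characters are not at fixed positions
    return "".join(chars)

def generate_with_retries(length, reqs, attempts=10):
    """Validate-and-retry: generate blindly, check, give up after `attempts` tries."""
    for _ in range(attempts):
        candidate = "".join(secrets.choice(POOL) for _ in range(length))
        if meets(candidate, reqs):
            return candidate
    return None  # the caller would log the failure and exit
```

With a strict policy the retry variant can return None, while the select-first variant always satisfies the policy as long as the required counts fit in the requested length.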
Optional LaunchDaemon
With this release, you can elect to forgo the use of the LaunchDaemon and activate macOSLAPS manually from your MDM of choice.
Bug Fixes
paths.d/laps file by adding /bin/chmod 744 /etc/paths.d/laps to the postinstall
Special Thanks
I sincerely appreciate the feedback and helpfulness of the community. Thanks to @franton for the Pre and PostInstall PKG scripts. I once again want to thank the entire MacAdmins community and those especially involved in the #macoslaps channel for their feedback and encouragement.
As always I sincerely appreciate this community and welcome any feedback you may have.
Update March 20: Package was uploaded again as it is now notarized and stapled.
Changes in 2.1.0(721):
Please give this a try and let me know how it fares in your environment and as always if you have any questions or concerns please be sure to let me know. This package has been Notarized by Apple.
An extension attribute has been added to the repository for those of you using this with Jamf Pro. You can download that here
NOTE: Unfortunately the certificate used to sign previous versions was revoked by my previous employer. Those using this for the first time will NOT be affected. If you are in a full environment, I'm currently working to resolve the issue going forward for those that have used the product over the users. One thing you can try and report the results to me is this:
sudo codesign --remove-signature /usr/local/laps/macOSLAPS
Changes in 2.1.0(716):
Please give this a try and let me know how it fares in your environment and as always if you have any questions or concerns please be sure to let me know.
This is a new test build of macOSLAPS with some new features:
Changes in 2.0.0(698):
Please give this a try and let me know how it fares in your environment and as always if you have any questions or concerns please be sure to let me know.