Managing the Local Administrator Account Using Jamf
Local Administrator Password Solution (LAPS) provides management of local account passwords. Passwords are stored in Jamf Pro, so only eligible users can read them or request a reset.
Step 1: Download the pkg file from https://github.com/joshua-d-miller/macOSLAPS/releases
Step 2: Download the JSON schema from https://github.com/kdrwygvh/JSON-Schema-for-Jamf-Pro-Applications-and-Settings-MDM-Payload/blob/master/macOSLAPS/edu.psu.macoslaps.json
Step 3: Download the extension attribute script from https://github.com/joshua-d-miller/macOSLAPS/blob/master/macOSLAPS_EA.sh
Uploading the pkg file
- Log in to the Jamf portal --> Navigate to All settings --> Computer Management --> Packages --> New
- Upload the package downloaded from Step 1
Creating a Policy
This policy is responsible for deploying the pkg file and resetting the local admin account password.
- Log in to the Jamf portal --> Navigate to Computers --> Policies --> New
- Enter the name
- Navigate to Packages and browse to the pkg file
- Configure Maintenance
- Navigate to the Files and Processes pane and execute the command /usr/local/laps/macOSLAPS
- Select the required frequency for running the policy and scope it to the devices
Creating a Configuration Profile
- Log in to the Jamf portal --> Navigate to Computers --> Configuration Profiles --> New
- Enter the name and navigate to Application & Custom Settings pane --> Select External Applications --> Add
- Source : custom schema
- Preference Domain : edu.psu.macoslaps
- Click on Add Schema and paste the JSON content downloaded in Step 2. Once the schema is updated, click on Edit schema and select the required options
Note: It is mandatory to select the “local admin” username that exists on all the devices (we are using PreStage enrollment to create the local admin account). Also, provide the same password in the configuration profile. If there is any mismatch in the password or username, the solution will not work.
- Navigate to Scope and target the deployment to required devices
Creating Extension Attribute
- Go to Settings --> Computer Management --> Extension Attributes
- Create a new extension attribute and paste the script downloaded from Step 3
Verification
- Log in to the Jamf portal --> Navigate to Computers --> Select the computer --> Inventory --> General
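An added example, not part of the original guide or the macOSLAPS project: a second extension attribute script that reports whether a Mac meets the prerequisites from the note above (profile applied, named account present, binary installed). The LocalAdminAccount key name and the managed-preferences path are assumptions about how the profile from this guide lands on disk.

```shell
#!/bin/bash
# Added example: readiness check for the macOSLAPS setup described in this guide.
# Assumptions: device-level managed preferences are written to the standard
# macOS location below, and the account-name key is LocalAdminAccount.

PREFS="/Library/Managed Preferences/edu.psu.macoslaps"
LAPS_BIN="/usr/local/laps/macOSLAPS"

# Print the admin short name delivered by the configuration profile (empty if none).
managed_admin_name() {
    defaults read "$PREFS" LocalAdminAccount 2>/dev/null
}

# laps_preflight <admin_short_name> <path_to_binary>
# Returns 0 = ready, 1 = no name configured, 2 = account missing, 3 = binary missing.
laps_preflight() {
    local admin="$1"
    local bin="$2"
    if [ -z "$admin" ]; then
        echo "profile not applied: no LocalAdminAccount value"
        return 1
    fi
    # The username in the profile must match an account that exists on the device.
    if ! id -u "$admin" >/dev/null 2>&1; then
        echo "account '$admin' does not exist on this Mac"
        return 2
    fi
    if [ ! -x "$bin" ]; then
        echo "macOSLAPS not installed at $bin"
        return 3
    fi
    echo "ready: $admin"
    return 0
}

# Jamf extension attributes report their value inside <result> tags.
# The defaults tool exists only on macOS, so the report is skipped elsewhere.
if [ "$(uname -s)" = "Darwin" ]; then
    echo "<result>$(laps_preflight "$(managed_admin_name)" "$LAPS_BIN")</result>"
fi
```

A Mac that reports anything other than "ready" will not rotate its password until the profile, account, or package issue is fixed, so a smart group on this attribute can keep such devices out of the policy scope.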
Resetting the Password
- Log in to the Jamf portal --> Navigate to Computers --> Policies --> New
- Enter the name
- Configure Maintenance
- Navigate to the Files and Processes pane and execute the command /usr/local/laps/macOSLAPS -resetPassword
- Scope it to required devices