Home
In JAMF Create a new standard user and give it the following permissions as a minimum.
API Intergrations: Create,Read,Update
Computer Extension Attributes: Create,Read,Update
Computers: Create,Read,Update
User Extension Attributes: Create,Read,Update
Users: Create,Read,Update
Once the account has been created use the script here to encode your API account for use with the JAMF API Bearer token.
Create an Extension Attribute to store the encoded password in the Computer Management inventory. Name this extension attribute "LAPS CryptKey".
Repeat this process for the encoded secret calling it "LAPS Secret". You will end up with 2 Extension attributes.
Upload both Scripts from the git repository to your Jamf instance and give them a name to go with their function.
Upload the LAPS Branding pkg file to your JAMF Instance. (This step is no longer required since v2.3)
Set the parameters in each script and name each $ function to what it does. (each function can be found in the script header)
Creation and password cycle script
Decoder script
Create 3 policies.
- One for Creating the admin and cycling the password. Create this with a trigger of "Ongoing" and a custom trigger "CreateLAPS". Add the Script and pkg. (PKG no longer required in v2.3)
- One for Running the LAPS Script Daily, Weekly or Monthly (Example is Monthly) using the custom trigger of the previous policy. Enable the "Files and Processes" Payload and then in the "Execute command" option enter "jamf policy -event CreateLAPS"
- One for the self service Decoder app.
Please note that setting up the main policy in this way with a custom trigger, requires the trigger to be added to a provisioning workflow such as DEP Notify or SwiftDialog, where a script will call this custom trigger to run the policy. If you do not use these types of provisioning workflows then you can set this to trigger at enrollment or check-in. Just be carful that if set to run at check-in this will run the policy and cycle the LAPS account at every check-in.
In each policy set the script functions with your credentials and URL. Please note that the JAMF URL should have no trailing / at the end.
Creation and password cycle script
Decoder script
Make sure the Decoder script is set as a self service app. You can upload your own Icon and name it how you wish.
The decoder self service policy can be scoped to your Engineers so they can view the local admin password.
The app works as follows:
Enter the device name or Serial number and a reason as to why you require the local admin password
The engineer will then be presented with the password which will disappear after 10seconds. The password is automatically copied to clipboard.
If all is working ok then in the computer inventory record you should see the Extension attributes populated as below. Please note, none of these are the local admin passwords and will not do anything if just copied and pasted.
There are additional extension attributes which can display more information in JAMF. These Extension attributes display the Creation date, the last Cycled date and the last date and time the password was decoded and viewed.
The extension attributes can be found here and then uploaded to JAMF like any other Extension attribute.
The LAPS Script includes a feature to push notifications to a Slack Channel by using a webhook. To enable these features you will need to create a new app in your slack tenent which you can do here by following the step by step guide.
Once the app is created make a note of the webhook URL as you will need to use this in a Jamf variable.
You will need to add a few extra details to your scripts.
For the creation script Parameter 9 should be set up as below.
Script Option
Policy configuration
The decoder script should be set up as below. You can optionally add your service desk to parameter 8 which will enable the "Challenge Request" Button.
Script Options
Policy configuration
If everything is configured correctly you should see the follow notifications in your chosen Slack channel.
The LAPS Script includes a feature to push notifications to a Teams Channel by using a webhook. To enable these features you will need to follow this guide to create a WebHook for you chosen Teams Channel which you can find here by following the step by step guide.
Once the connection is created make a note of the webhook URL as you will need to use this in a Jamf variable.
You will need to add a few extra details to your scripts. Which you can find in the screenshots in the initial setup guide.
If everything is configured correctly you should see the follow notifications in your chosen Teams channel.
If a local account with the same name as the LAPS account exists then the setup process will fail.
In this case it is best practice to remove any local accounts with the existing name or choose a new name for the LAPS account being created.
You might start noticing the decrytped password is not working or the logs show errors such as the following.
2023-02-17 15:15:32.094 sysadminctl[13006:77173] Operation is not permitted without secure token unlock. <dscl_cmd> DS Error: -14090 (eDSAuthFailed) Authentication for node /Local/Default failed. (-14090, eDSAuthFailed)
This could be a number of issues, for example, the encoded credentials are incorrect or for some reason they did not escrow to Jamf and have been overwritten with an incorrect password.
In this case it is recommended to reset the existing LAPS configuration using the reset script here LAPS Reset Script (Please make sure you check the script header to know what JAMF Variables need filling out.)
If you see this issue in the JAMF Logs or in the local log this is due to the existing password and new password becoming out of sync with the extension attributes. This can happen if the new encoded credentials are not uploaded to JAMF for any reason. This results in the LAPS script trying to unlock the LAPS account with incorrect credentials and failing.
The resolution for this is to simply run the setup again as there are error checking steps to clean up these issues and get you back on track.