
macOSLAPS AAD

Open crofmmv opened this issue 3 years ago • 4 comments

Hi, we don't have an on-prem AD and our Macs are not bound to a domain. The macOS hosts use Jamf Connect for AAD logins, but we still have a local admin account. Does macOSLAPS work with AAD?

crofmmv avatar Jun 11 '22 20:06 crofmmv

Azure AD is not AD; it doesn't support the extensions needed for a LAPS env.

However, if you use Jamf for your MDM, this can write the local password to an extension attribute in Jamf Pro. Not ideal, but it works.

From: Crawford. Sent: Saturday, June 11, 2022 4:14:47 PM. To: joshua-d-miller/macOSLAPS. Subject: [joshua-d-miller/macOSLAPS] macOSLAPS AAD (Issue #77)

joeschlimmer-ic avatar Jun 11 '22 20:06 joeschlimmer-ic

I see, thanks for your reply. Would macOSLAPS work with an admin account that was created during Setup Assistant on an Apple Silicon (M1) device?

crofmmv avatar Jun 11 '22 21:06 crofmmv

So I've got the following so far:

- macOSLAPS pkg deployed
- macOSLAPS plist config: we are using the Method Local as we don't have AD.

I can run macOSLAPS on the device for the first time that has both deployed to it.

Both the macOSLAPS password and expiration files are in the /private/var/root/Library/Application folder, but how do I get them up to Jamf Pro?

Regards,

Crawford

crofmmv avatar Jun 16 '22 15:06 crofmmv

Hello @crofmmv,

Those files are temporarily created. The next run will remove them. You would need to create an extension attribute in Jamf to send the password to Jamf. You can see the examples here: https://github.com/joshua-d-miller/macOSLAPS/blob/master/jamf%20Extension%20Attributes/Password:Expiration%20Combined.sh

joshua-d-miller avatar Jun 21 '22 00:06 joshua-d-miller
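The shape such an extension attribute takes, as an added example that is not the project's own EA script and not code from anyone in this thread. It assumes (not confirmed by the page) that the macOSLAPS binary is at /usr/local/laps/macOSLAPS, that its -getPassword flag writes two files named macOSLAPS.password and macOSLAPS.expiration under /var/root/Library/Application Support, and that the "password, Expires: date" output layout is fine for your Jamf reporting; only the <result>...</result> wrapper is Jamf's own EA convention. The sample password and date in the demo are constructed values so the script runs outside Jamf:

```shell
#!/bin/sh
# Added example of a Jamf Pro extension attribute (EA) script for macOSLAPS in
# "Local" method mode. NOT the project's own EA. Assumptions, unverified here:
#   - binary at /usr/local/laps/macOSLAPS with a -getPassword flag that writes
#     macOSLAPS.password and macOSLAPS.expiration to the directory below;
#   - Jamf EA output must be wrapped in <result>...</result> (Jamf convention).
LAPS_BIN="${LAPS_BIN:-/usr/local/laps/macOSLAPS}"
LAPS_DIR="${LAPS_DIR:-/var/root/Library/Application Support}"

# Build the EA result from the two hand-off files in the given directory.
# Returns 1 and reports "Not available" when either file is missing, so a
# missing run shows up in Jamf as a visible state instead of a blank value.
laps_ea_result() {
    dir="$1"
    pw_file="$dir/macOSLAPS.password"
    exp_file="$dir/macOSLAPS.expiration"
    if [ ! -f "$pw_file" ] || [ ! -f "$exp_file" ]; then
        printf '<result>Not available</result>\n'
        return 1
    fi
    pw=$(cat "$pw_file")
    exp=$(cat "$exp_file")
    printf '<result>%s, Expires: %s</result>\n' "$pw" "$exp"
    # The files are only a hand-off to the EA: remove them immediately so the
    # cleartext password does not sit on disk until the next macOSLAPS run.
    rm -f "$pw_file" "$exp_file"
    return 0
}

# Stand-alone demonstration with constructed sample files (not real data) so
# the script runs on a machine without macOSLAPS installed.
demo() {
    tmp=$(mktemp -d)
    printf '%s' 'S4mple-P@ss-1234' > "$tmp/macOSLAPS.password"
    printf '%s' '2022-07-11 20:06:00' > "$tmp/macOSLAPS.expiration"
    laps_ea_result "$tmp"
    rmdir "$tmp"
}

if [ -x "$LAPS_BIN" ]; then
    # Assumed flag: ask macOSLAPS to write the current password and expiry.
    "$LAPS_BIN" -getPassword >/dev/null 2>&1
    laps_ea_result "$LAPS_DIR"
else
    demo
fi
```

Because the EA value is the cleartext admin password stored in Jamf Pro, restrict who can read that extension attribute through Jamf's privilege settings, and keep the on-disk copy short-lived as the function does by deleting the files once they are read.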

Hello @crofmmv,

Wanted to check in and see if you feel submitting the password to Jamf is acceptable over Azure AD.

Thanks!

joshua-d-miller avatar Jan 30 '23 02:01 joshua-d-miller