
Time to trigger password cycle not overriding the default .plist settings?

Open ecomatt opened this issue 11 months ago • 5 comments

Hi, I'm using this amazing script to create an admin account and then cycle the password. What I'm struggling with is the ability to set the cycle time after viewing (decoding).

I've set $6 Time to trigger password cycle (in minutes) to say 3 hours, on the decode script. But the com.laps.triggercycle.plist launch daemon is set to H16 M15?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.LAPS.triggerCycle.plist</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/bin/jamf</string>
		<string>policy</string>
		<string>-event</string>
		<string>createLAPS</string>
	</array>
	<key>RunAtLoad</key>
	<false/>
	<key>StartCalendarInterval</key>
	<dict>
		<key>Hour</key>
		<integer>16</integer>
		<key>Minute</key>
		<integer>15</integer>
	</dict>
	<key>UserName</key>
	<string>root</string>
</dict>
</plist>

Any thoughts would be greatly appreciated. Thanks again for such a great set of scripts that actually work.

ecomatt avatar Feb 04 '25 16:02 ecomatt

Sorry, think I figured it out. I hadn't added the 'createLAPS' custom trigger for the 'jamf policy -event createLAPS'. Also now see that the H and M is a 14-hour clock, not a timer.

Is there a way to increase the 10 seconds to 15 when displaying the password? I tried adding the --timer "15" \ but it didn't like it?

Thanks

ecomatt avatar Feb 04 '25 17:02 ecomatt
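
Added example, not part of the thread and not the macLAPS project's own code: launchd's StartCalendarInterval takes a wall-clock Hour and Minute rather than a countdown, so a delay given in minutes has to be converted to a clock time before it is written to the plist. The function names and the way the delay is passed in are assumptions; the Label and ProgramArguments are copied from the plist posted above.

```shell
#!/bin/bash
# Added example (hypothetical helper names): turn "minutes from now" into the
# wall-clock Hour/Minute that launchd's StartCalendarInterval expects.

# cycle_time NOW_HOUR NOW_MINUTE DELAY_MINUTES -> prints "HOUR MINUTE"
cycle_time() {
    ct_delay=$3
    # Hour+Minute alone fires every day at that time, so a delay of 24 hours or
    # more cannot be expressed; also reject empty, zero-led or non-numeric input.
    case "$ct_delay" in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "$ct_delay" -lt 1440 ] || return 1
    # date(1) prints "08"/"09"; drop one leading zero so $(( )) does not read octal.
    ct_h=${1#0}; ct_h=${ct_h:-0}
    ct_m=${2#0}; ct_m=${ct_m:-0}
    ct_total=$(( (ct_h * 60 + ct_m + ct_delay) % 1440 ))
    echo "$(( ct_total / 60 )) $(( ct_total % 60 ))"
}

# render_plist HOUR MINUTE -> prints the launch daemon plist on stdout
render_plist() {
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key><string>com.LAPS.triggerCycle.plist</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/bin/jamf</string><string>policy</string>
		<string>-event</string><string>createLAPS</string>
	</array>
	<key>RunAtLoad</key><false/>
	<key>StartCalendarInterval</key>
	<dict>
		<key>Hour</key><integer>$1</integer>
		<key>Minute</key><integer>$2</integer>
	</dict>
	<key>UserName</key><string>root</string>
</dict>
</plist>
EOF
}

# plist_for_delay DELAY_MINUTES -> plist that fires DELAY_MINUTES after "now"
plist_for_delay() {
    pd_time=$(cycle_time "$(date +%H)" "$(date +%M)" "$1") || return 1
    render_plist "${pd_time% *}" "${pd_time#* }"
}
```

A 180-minute delay requested at 13:15 yields Hour 16 and Minute 15. Because the entry has no Day key it fires again at that time every day until the daemon is unloaded or the plist is rewritten.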

Hi @ecomatt

Glad to hear you figured out the issues. The timer key should work as you have it. Line 241 with the timer key should just be changed to whichever amount of seconds you want.

Kind regards,

Perry

PezzaD84 avatar Feb 05 '25 13:02 PezzaD84

Thanks I'll give it a go.

Is it possible to modify the create admin part of the script to allow it to create a hidden admin account?

ecomatt avatar Feb 05 '25 13:02 ecomatt

E.g. I use this script to create hidden admin accounts:

#!/bin/bash
#Creates 'jamfadmin' user
dscl . -create /Users/jamfadmin
dscl . -create /Users/jamfadmin UserShell /bin/bash
dscl . -create /Users/jamfadmin RealName "JSupport" 
dscl . -create /Users/jamfadmin UniqueID "401"
dscl . -create /Users/jamfadmin PrimaryGroupID 20
dscl . -create /Users/jamfadmin NFSHomeDirectory /var/jamfadmin
dscl . -passwd /Users/jamfadmin •••password•••

#Creates home folder
mkdir /var/jamfadmin
chown -R JSupport /var/jamfadmin

#Makes 'jamfadmin' a local admin
dscl . -append /Groups/admin GroupMembership jamfadmin

#Hide user
defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES

ecomatt avatar Feb 05 '25 13:02 ecomatt

You could add a line in the script to hide the account or you could create the user with an underscore before its name.

PezzaD84 avatar Feb 06 '25 14:02 PezzaD84