JAMF UAPI LAPS initialization script which will set LAPS Computer Extension Attribute to a desired password
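#!/bin/bash
#################################################################################################################
# This script can be used together with: https://gist.github.com/shurkin18/b8de3de44b184f1f8802b860639a9b4d
#################################################################################################################
# Please note: this script requires the jq JSON parser to be installed on the mac, otherwise the script won't work.
# You can install jq using brew by running this script, which installs brew and jq automatically (non-interactive):
# https://gist.github.com/shurkin18/62ec34967794a32f9d63615db881ab5c
#
# There is also an alternative way of running jq, without installing the whole brew suite:
# download the jq binary here: https://techstoreon.com/files/jq-osx-amd64
# Pre-load it to each mac via a policy, store it somewhere (in /var for example) and point the "jq" variable
# below at it, e.g. jq="/usr/local/jq/jq-osx-amd64"
#
# NOTE: the script checks that jq is present before doing anything else; that check is the place to
# download/install the binary with a policy so the script always has what it needs.
#################################################################################################################
# This script will set the LAPS computer extension attribute on JSS to the password you set under the
# "currentlocaladminpass" variable, please note: it must match the current local administrator password of the mac
#
# Setup:
# 1) Update the following variables as needed: "apiUser", "apiPass", "apiURL", "currentlocaladminpass", "lapsextattrib"
# 2) Create a string/textfield Computer Extension Attribute on JSS whose name matches the "lapsextattrib" variable
# 3) "currentlocaladminpass" must match the local mac's administrator password, which can be either set manually if
#    the computer is not in DEP or pre-set at PreStage enrollment, which fully automates everything
# 4) The policy with this script should trigger at Enrollment Complete and run only Once per computer
# 5) This script will only initialize LAPS; for the password to be reset on a regular basis you also need to add
#    an ongoing policy per desired frequency with this script: https://gist.github.com/shurkin18/b8de3de44b184f1f8802b860639a9b4d
#
# How secrets are handled below:
# - The Basic credentials and the bearer token reach curl through a mode-0600 config file, and the JSON body
#   through stdin, so neither the API password nor the local admin password shows up in `ps` output.
# - The JSON body is built by jq, so a password containing quotes or backslashes cannot corrupt the request.
# - The token is invalidated from an EXIT trap, i.e. on every exit path and not only on success.
#################################################################################################################
set -euo pipefail

# server connection information
apiUser="API USERNAME"
apiPass="API PASSWORD"
apiURL="API URL"
# variables which need to be updated depending on what your company uses:
currentlocaladminpass="DEFAULT INITIAL LOCAL ADMINISTRATOR PASSWORD"
lapsextattrib="LAPS"
# optional: absolute path to a pre-loaded jq binary; leave empty to use the jq found on PATH
jq=""
################################################################
# DO NOT TOUCH BELOW UNLESS YOU KNOW WHAT YOU ARE DOING! #######
################################################################

#######################################
# Print a message to stderr and exit with status 1 (the EXIT trap still runs).
# Arguments: the message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Check that the jq JSON parser is present before any network traffic happens.
if [[ -z "$jq" ]]; then
  jq=$(command -v jq || true)
fi
[[ -n "$jq" && -x "$jq" ]] || die "jq JSON parser is not installed on the machine, unable to run the script, please install it using brew or any other method."

# curl reads the Authorization header from this file instead of argv; umask keeps the file private.
umask 077
cfgfile=$(mktemp) || die "mktemp failed"
token=""

#######################################
# Exit handler: expire the auth token (if one was issued) and remove the curl config file.
# Globals:   token, cfgfile, apiURL (read)
#######################################
cleanup() {
  if [[ -n "$token" ]]; then
    # best effort: the script is already on its way out, a failed invalidation must not mask the real status
    /usr/bin/curl --silent --request POST \
      --config "$cfgfile" \
      --url "$apiURL/uapi/auth/invalidateToken" >/dev/null 2>&1 || true
  fi
  rm -f -- "$cfgfile"
}
trap cleanup EXIT

#######################################
# Wrapper around curl: silent, fails on HTTP error status, and always carries the
# Authorization header currently stored in $cfgfile.
# Globals:   cfgfile (read)
# Arguments: any extra curl options
# Outputs:   the response body on stdout
#######################################
jss_curl() {
  /usr/bin/curl --silent --show-error --fail --config "$cfgfile" "$@"
}

# Base64-encoded Basic credentials, built from apiUser/apiPass (the variables defined in the
# connection section; an earlier revision encoded the undefined $username/$password instead,
# so every token request went out with empty credentials).
encodedCredentials=$(printf '%s:%s' "$apiUser" "$apiPass" | /usr/bin/iconv -t ISO-8859-1 | /usr/bin/base64 -i -)

# generate an auth token
printf 'header = "Authorization: Basic %s"\n' "$encodedCredentials" > "$cfgfile"
authToken=$(jss_curl --request POST --url "$apiURL/uapi/auth/tokens")
# parse authToken for the token, omit expiration
token=$("$jq" -r '.token // empty' <<< "$authToken")
[[ -n "$token" ]] || die "Unable to obtain an auth token from $apiURL, check apiUser/apiPass/apiURL."
# from here on every call is authenticated with the bearer token
printf 'header = "Authorization: Bearer %s"\n' "$token" > "$cfgfile"

#///////////////////////
#Start the UAPI scripts#
# Hardware UUID of this mac; JSS identifies the computer by it ("udid").
udid=$(/usr/sbin/system_profiler -detailLevel full SPHardwareDataType \
  | /usr/bin/awk -F': *' '/Hardware UUID/ { print $2; exit }')
[[ -n "$udid" ]] || die "Unable to determine the Hardware UUID of this mac."

# Look the computer up by udid; one request serves both the JSS id and the LAPS definitionId
# (the previous revision fetched it twice and took the id from line 4 of the raw response,
# which breaks on any change in response formatting).
inventory=$(jss_curl --request GET \
  --url "$apiURL/uapi/v1/computers-inventory?section=GENERAL&page=0&page-size=100&sort=id%3Aasc&filter=udid%3D%3D$udid" \
  --header "Accept: application/json")
# JSS ID of the machine
id=$("$jq" -r '.results[0].id // empty' <<< "$inventory")
[[ -n "$id" ]] || die "Computer with udid $udid was not found on $apiURL."
# definitionId of the extension attribute named $lapsextattrib; searched anywhere in the record,
# like the original grep, so this does not depend on the exact nesting of the response
lapsdefid=$("$jq" -r --arg name "$lapsextattrib" \
  '[.. | objects | select(has("definitionId") and .name == $name)] | .[0].definitionId // empty' <<< "$inventory")
[[ -n "$lapsdefid" ]] || die "Extension attribute \"$lapsextattrib\" was not found in the inventory record, create it on JSS first."

# Build the JSON body with jq so values are escaped properly; the password is handed to jq via the
# environment ($ENV) rather than --arg so it does not appear on jq's command line either.
payload=$(LAPS_PASS="$currentlocaladminpass" "$jq" -n --arg defid "$lapsdefid" \
  '{ general: { extensionAttributes: [ { definitionId: $defid, values: [ $ENV.LAPS_PASS ] } ] } }')

# Update the LAPS extension attribute by definitionId with currentlocaladminpass; body arrives on stdin.
printf '%s' "$payload" | jss_curl --request PATCH \
  --url "$apiURL/uapi/v1/computers-inventory-detail/$id" \
  --header "Accept: application/json" \
  --header "Content-Type: application/json" \
  --data @- >/dev/null
#End of the UAPI scripts#
#\\\\\\\\\\\\\\\\\\\\\

# the EXIT trap expires the auth token and removes the config file
exit 0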