Example scripts for managing, administerting, and auditing Jamf Pro LAPS accounts.
Use these as models for creating scripts for your own workflows.
I also have two additional Jamf Pro LAPS scripts you may find useful:
For adding a jamf binary managed LAPS account to existing computers
Retrieve LAPS Password.zsh
A Self Service script for retrieving the Jamf Pro LAPS password for the current computer
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Audit Jamf Pro LAPS Account Access. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| View Local Admin Password Audit History | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS Administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "You don’t have to be great to start, but you have to start to be great." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Getting LAPS usernames." | |
| # get LAPS usernames | |
| lapsUsernameInformation=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # parse LAPS username information for each username | |
| usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" ) | |
| # report history for each available LAPS account | |
| while IFS= read aUsername | |
| do | |
| echo "Getting history for LAPS account \"$aUsername\"" | |
| # get LAPS account history | |
| lapsAccountAuditing=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/audit" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsAccountAuditing" | |
| # extract data from request | |
| echo "${lapsAccountAuditing%???}" | |
| echo | |
| done <<< "$usernames" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Configure Jamf Pro LAPS settings. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Management". | |
| Set Privileges to include: | |
| Update Local Admin Password Settings | |
| Under API Clients create a new API client such as "LAPS Manager". | |
| Set API roles to: | |
| LAPS Management | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. UUpdate the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro edit Settings > Global > User-Initiated Enrollment > | |
| Computers. | |
| Select "Create managed local administrator account" and provide | |
| a Username for the LAPS account. | |
| Optionally, hide the managed local administrator account and/or | |
| allow SSH access. | |
| 5. Adjust the LAPS settings JSON variable below. | |
| autoDeployedEnabled (default: false): | |
| Set to "true" only if using a PreStage LAPS account. | |
| Otherwise, the jamf binary LAPS account | |
| passwordRotationTime (default: 3600): | |
| Number of seconds before Jamf Pro will will wait before | |
| rotating the password after viewing it. | |
| autoRotateEnabled (default: false): | |
| Set to "true" to rotate LAPS account passwords regardless | |
| of whether they've been viewed. | |
| autoRotateExpirationTime (default: 7776000): | |
| Number of seconds before Jamf Pro will will automatically rotate | |
| LAPS account passwords regardless of whether they've been viewed. | |
| autoRotateEnabled must be set to "true". | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "A feature undiscovered is a feature missing." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| lapsSettingsJSON='{ | |
| "autoDeployEnabled": false, | |
| "passwordRotationTime": 900, | |
| "autoRotateEnabled": false, | |
| "autoRotateExpirationTime": 31536000 | |
| }' | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Configuring settings." | |
| # set LAPS settings | |
| lapsSettings=$( /usr/bin/curl \ | |
| --data "$lapsSettingsJSON" \ | |
| --header "Content-Type: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request PUT \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/settings" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsSettings" | |
| # extract data from request | |
| echo "${lapsSettings%???}" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Get Jamf Pro LAPS account password. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| View Local Admin Password Audit History | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "If you only read the books that everyone else is reading, | |
| you can only think what everyone else is thinking." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Getting LAPS usernames." | |
| # get LAPS usernames | |
| lapsUsernameInformation=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # parse LAPS username information for each username | |
| usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" ) | |
| # report history for each available LAPS account | |
| while IFS= read aUsername | |
| do | |
| echo "Getting history for LAPS account \"$aUsername\"" | |
| # get LAPS account history | |
| lapsAccountHistory=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/history" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsAccountHistory" | |
| # extract data from request | |
| echo "${lapsAccountHistory%???}" | |
| echo | |
| done <<< "$usernames" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Get Jamf Pro LAPS account information. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| View Local Admin Password | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3.Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "Free speech is still free. It’s the volume that costs money." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Getting LAPS usernames." | |
| # get LAPS usernames | |
| lapsUsernameInformation=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # extract data from request | |
| echo "${lapsUsernameInformation%???}" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Get Jamf Pro LAPS account password. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| View Local Admin Password | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "With the story of your life, you don’t get to write the whole book, | |
| just your character." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Getting LAPS usernames." | |
| # get LAPS usernames | |
| lapsUsernameInformation=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # parse LAPS username information for each username | |
| usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" ) | |
| echo "$usernames" | |
| # report password for each available LAPS account | |
| while IFS= read aUsername | |
| do | |
| # get LAPS account password | |
| lapsAccountPassword=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/password" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # extract data from request | |
| password=$( /usr/bin/awk -F '"' '/password/ { print $4 }' <<< "$lapsAccountPassword" ) | |
| echo "Password for account \"$aUsername\": $password" | |
| done <<< "$usernames" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Get Jamf Pro LAPS settings. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Management". | |
| Set Privileges to include: | |
| Update Local Admin Password Settings | |
| Under API Clients create a new API client such as "LAPS Manager". | |
| Set API roles to: | |
| LAPS Management | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "If you find yourself in a hole, stop digging." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Requesting settings." | |
| # request LAPS settings | |
| lapsSettings=$( /usr/bin/curl \ | |
| --header "accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/settings" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsSettings" | |
| # extract data from request | |
| echo "${lapsSettings%???}" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Set Jamf Pro LAPS Password. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| Send Local Admin Password Command | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS Administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| 5. Adjust the password JSON variable below with the LAPS account name | |
| and your temporary password below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "The beginning of wisdom is to call things by their proper name." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="fe8252e8-b6a2-431c-8ad7-8a0e61996ae6" | |
| setPasswordJSON='{ | |
| "lapsUserPasswordList": [ | |
| { | |
| "username": "jamfadmin", | |
| "password": "Jamf12345!" | |
| } | |
| ] | |
| }' | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Setting password." | |
| # set LAPS settings | |
| setPassword=$( /usr/bin/curl \ | |
| --data "$setPasswordJSON" \ | |
| --header "Accept: application/json" \ | |
| --header "Content-Type: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request PUT \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/set-password" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$setPassword" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
@GabeShack No, it won't turn off LAPS. Once a computer is LAPS managed it stays that way until re-enrollment, even if you turn off LAPS management in Jamf Pro. So, today, you can turn off LAPS first and then use a script to reset your accounts.
Thanks for the response, but I do understand that...Im now trying to make a script that looks up the managementID's of devices in a smart group and then proceeds to loop through them and reset the laps password, but was hoping someone already did this. (smart group of just Apple Silicon that have this laps password). I had turned laps off last week and we are having issues with volume ownership because of this. Now I need to reset the passwords all back to a new one to get around this issue.
@talkingmoose Is this last script for turning off the laps feature but setting a generic password back to the laps admin user account? Per what you stated in your article from last year?
"While Jamf Pro offers a PUT /v2/local-admin-password/{clientManagement}/set-password endpoint, it’s only available to set one computer at a time. The Jamf Pro administrator will need to create a Jamf Pro API script to set every computer password using LAPS. Only after ensuring all passwords are changed to known passwords should the administrator turn off LAPS"