Skip to content

Instantly share code, notes, and snippets.

@talkingmoose

talkingmoose/A few Jamf Pro LAPS example scripts.md

Last active August 5, 2025 19:10
Show Gist options
  • Save talkingmoose/0550abf9ebb9e1267ea82a55556601d8 to your computer and use it in GitHub Desktop.
Save talkingmoose/0550abf9ebb9e1267ea82a55556601d8 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
A few Jamf Pro LAPS example scripts.md

Jamf Pro LAPS scripts

Example scripts for managing, administerting, and auditing Jamf Pro LAPS accounts.

Use these as models for creating scripts for your own workflows.

  • Get Jamf Pro LAPS Settings.zsh
  • Configure Jamf Pro LAPS Settings.zsh
  • Get Jamf Pro LAPS Account Information.zsh
  • Get Jamf Pro LAPS Account Password.zsh
  • Get Jamf Pro LAPS Account History.zsh
  • Audit Jamf Pro LAPS Account Access.zsh
  • Set Jamf Pro LAPS Password.zsh

I also have two additional Jamf Pro LAPS scripts you may find useful:

  • Re-enroll computers for LAPS.zsh
    For adding a jamf binary managed LAPS account to existing computers

  • Retrieve LAPS Password.zsh
    A Self Service script for retrieving the Jamf Pro LAPS password for the current computer

Raw
Audit Jamf Pro LAPS Account Access.zsh
#!/bin/zsh
# set -x
:<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------
Written by:William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8
Originally posted: June 16, 2024
Purpose: Audit Jamf Pro LAPS Account Access.
Instructions:
1. In Jamf Pro click Settings > System > API roles and clients.
2. Under API Roles create a new API role such as "LAPS Administration".
Set Privileges to include:
View Local Admin Password Audit History
Under API Clients create a new API client such as "LAPS Administrator".
Set API roles to:
LAPS Administration
Enable the API client and copy the Client ID and Client Secret.
3. Update the Jamf Pro URL, Client ID, and Client Secret variables below.
4. In Jamf Pro click Computers > Search Inventory and search for a
computer record.
Under Inventory, locate the Jamf Pro Management ID.
Update the management ID variable below.
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/
"You don’t have to be great to start, but you have to start to be great."
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT
jamfProURL="https://talkingmoose.jamfcloud.com"
clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a"
clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB"
managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10"
function checkResponseCode() {
httpErrorCodes="000 No HTTP code received
200 Request successful
201 Request to create or update object successful
400 Bad request
401 Authentication failed
403 Invalid permissions
404 Object/resource not found
409 Conflict
500 Internal server error"
responseCode=${1: -3}
code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" )
echo "$code"
}
echo "Requesting oauth token."
# request oauth token
oAuthTokenResponse=$( /usr/bin/curl \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=$clientID" \
--data-urlencode "client_secret=$clientSecret" \
--header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--silent \
--url "$jamfProURL/api/oauth/token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
# extract token data from response
oAuthToken=${oAuthTokenResponse%???}
# parse token from response
token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" )
echo "Getting LAPS usernames."
# get LAPS usernames
lapsUsernameInformation=$( /usr/bin/curl \
--header "Accept: application/json" \
--header "Authorization: Bearer $token" \
--request GET \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \
--write-out "%{http_code}" )
checkResponseCode "$lapsUsernameInformation"
# parse LAPS username information for each username
usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" )
# report history for each available LAPS account
while IFS= read aUsername
do
echo "Getting history for LAPS account \"$aUsername\""
# get LAPS account history
lapsAccountAuditing=$( /usr/bin/curl \
--header "Accept: application/json" \
--header "Authorization: Bearer $token" \
--request GET \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/audit" \
--write-out "%{http_code}" )
checkResponseCode "$lapsAccountAuditing"
# extract data from request
echo "${lapsAccountAuditing%???}"
echo
done <<< "$usernames"
echo "Destroying oauth token."
# expire auth token
expireToken=$( /usr/bin/curl \
--header "Authorization: Bearer $token" \
--request POST \
--silent \
--url "$jamfProURL/api/v1/auth/invalidate-token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
exit 0
Raw
Configure Jamf Pro LAPS Settings.zsh
#!/bin/zsh
# set -x
:<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------
Written by:William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8
Originally posted: June 16, 2024
Purpose: Configure Jamf Pro LAPS settings.
Instructions:
1. In Jamf Pro click Settings > System > API roles and clients.
2. Under API Roles create a new API role such as "LAPS Management".
Set Privileges to include:
Update Local Admin Password Settings
Under API Clients create a new API client such as "LAPS Manager".
Set API roles to:
LAPS Management
Enable the API client and copy the Client ID and Client Secret.
3. UUpdate the Jamf Pro URL, Client ID, and Client Secret variables below.
4. In Jamf Pro edit Settings > Global > User-Initiated Enrollment >
Computers.
Select "Create managed local administrator account" and provide
a Username for the LAPS account.
Optionally, hide the managed local administrator account and/or
allow SSH access.
5. Adjust the LAPS settings JSON variable below.
autoDeployedEnabled (default: false):
Set to "true" only if using a PreStage LAPS account.
Otherwise, the jamf binary LAPS account
passwordRotationTime (default: 3600):
Number of seconds before Jamf Pro will will wait before
rotating the password after viewing it.
autoRotateEnabled (default: false):
Set to "true" to rotate LAPS account passwords regardless
of whether they've been viewed.
autoRotateExpirationTime (default: 7776000):
Number of seconds before Jamf Pro will will automatically rotate
LAPS account passwords regardless of whether they've been viewed.
autoRotateEnabled must be set to "true".
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/
"A feature undiscovered is a feature missing."
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT
jamfProURL="https://talkingmoose.jamfcloud.com"
clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a"
clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB"
lapsSettingsJSON='{
"autoDeployEnabled": false,
"passwordRotationTime": 900,
"autoRotateEnabled": false,
"autoRotateExpirationTime": 31536000
}'
function checkResponseCode() {
httpErrorCodes="000 No HTTP code received
200 Request successful
201 Request to create or update object successful
400 Bad request
401 Authentication failed
403 Invalid permissions
404 Object/resource not found
409 Conflict
500 Internal server error"
responseCode=${1: -3}
code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" )
echo "$code"
}
echo "Requesting oauth token."
# request oauth token
oAuthTokenResponse=$( /usr/bin/curl \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=$clientID" \
--data-urlencode "client_secret=$clientSecret" \
--header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--silent \
--url "$jamfProURL/api/oauth/token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
# extract token data from response
oAuthToken=${oAuthTokenResponse%???}
# parse token from response
token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" )
echo "Configuring settings."
# set LAPS settings
lapsSettings=$( /usr/bin/curl \
--data "$lapsSettingsJSON" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $token" \
--request PUT \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/settings" \
--write-out "%{http_code}" )
checkResponseCode "$lapsSettings"
# extract data from request
echo "${lapsSettings%???}"
echo "Destroying oauth token."
# expire auth token
expireToken=$( /usr/bin/curl \
--header "Authorization: Bearer $token" \
--request POST \
--silent \
--url "$jamfProURL/api/v1/auth/invalidate-token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
exit 0
Raw
Get Jamf Pro LAPS Account History.zsh
#!/bin/zsh
# set -x
:<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------
Written by:William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8
Originally posted: June 16, 2024
Purpose: Get Jamf Pro LAPS account password.
Instructions:
1. In Jamf Pro click Settings > System > API roles and clients.
2. Under API Roles create a new API role such as "LAPS Administration".
Set Privileges to include:
View Local Admin Password Audit History
Under API Clients create a new API client such as "LAPS Administrator".
Set API roles to:
LAPS administration
Enable the API client and copy the Client ID and Client Secret.
3. Update the Jamf Pro URL, Client ID, and Client Secret variables below.
4. In Jamf Pro click Computers > Search Inventory and search for a
computer record.
Under Inventory, locate the Jamf Pro Management ID.
Update the management ID variable below.
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/
"If you only read the books that everyone else is reading,
you can only think what everyone else is thinking."
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT
jamfProURL="https://talkingmoose.jamfcloud.com"
clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a"
clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB"
managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10"
function checkResponseCode() {
httpErrorCodes="000 No HTTP code received
200 Request successful
201 Request to create or update object successful
400 Bad request
401 Authentication failed
403 Invalid permissions
404 Object/resource not found
409 Conflict
500 Internal server error"
responseCode=${1: -3}
code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" )
echo "$code"
}
echo "Requesting oauth token."
# request oauth token
oAuthTokenResponse=$( /usr/bin/curl \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=$clientID" \
--data-urlencode "client_secret=$clientSecret" \
--header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--silent \
--url "$jamfProURL/api/oauth/token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
# extract token data from response
oAuthToken=${oAuthTokenResponse%???}
# parse token from response
token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" )
echo "Getting LAPS usernames."
# get LAPS usernames
lapsUsernameInformation=$( /usr/bin/curl \
--header "Accept: application/json" \
--header "Authorization: Bearer $token" \
--request GET \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \
--write-out "%{http_code}" )
checkResponseCode "$lapsUsernameInformation"
# parse LAPS username information for each username
usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" )
# report history for each available LAPS account
while IFS= read aUsername
do
echo "Getting history for LAPS account \"$aUsername\""
# get LAPS account history
lapsAccountHistory=$( /usr/bin/curl \
--header "Accept: application/json" \
--header "Authorization: Bearer $token" \
--request GET \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/history" \
--write-out "%{http_code}" )
checkResponseCode "$lapsAccountHistory"
# extract data from request
echo "${lapsAccountHistory%???}"
echo
done <<< "$usernames"
echo "Destroying oauth token."
# expire auth token
expireToken=$( /usr/bin/curl \
--header "Authorization: Bearer $token" \
--request POST \
--silent \
--url "$jamfProURL/api/v1/auth/invalidate-token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
exit 0
Raw
Get Jamf Pro LAPS Account Information.zsh
#!/bin/zsh
# set -x
:<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------
Written by:William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8
Originally posted: June 16, 2024
Purpose: Get Jamf Pro LAPS account information.
Instructions:
1. In Jamf Pro click Settings > System > API roles and clients.
2. Under API Roles create a new API role such as "LAPS Administration".
Set Privileges to include:
View Local Admin Password
Under API Clients create a new API client such as "LAPS Administrator".
Set API roles to:
LAPS administration
Enable the API client and copy the Client ID and Client Secret.
3.Update the Jamf Pro URL, Client ID, and Client Secret variables below.
4. In Jamf Pro click Computers > Search Inventory and search for a
computer record.
Under Inventory, locate the Jamf Pro Management ID.
Update the management ID variable below.
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/
"Free speech is still free. It’s the volume that costs money."
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT
jamfProURL="https://talkingmoose.jamfcloud.com"
clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a"
clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB"
managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10"
function checkResponseCode() {
httpErrorCodes="000 No HTTP code received
200 Request successful
201 Request to create or update object successful
400 Bad request
401 Authentication failed
403 Invalid permissions
404 Object/resource not found
409 Conflict
500 Internal server error"
responseCode=${1: -3}
code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" )
echo "$code"
}
echo "Requesting oauth token."
# request oauth token
oAuthTokenResponse=$( /usr/bin/curl \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=$clientID" \
--data-urlencode "client_secret=$clientSecret" \
--header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--silent \
--url "$jamfProURL/api/oauth/token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
# extract token data from response
oAuthToken=${oAuthTokenResponse%???}
# parse token from response
token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" )
echo "Getting LAPS usernames."
# get LAPS usernames
lapsUsernameInformation=$( /usr/bin/curl \
--header "Accept: application/json" \
--header "Authorization: Bearer $token" \
--request GET \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \
--write-out "%{http_code}" )
checkResponseCode "$lapsUsernameInformation"
# extract data from request
echo "${lapsUsernameInformation%???}"
echo "Destroying oauth token."
# expire auth token
expireToken=$( /usr/bin/curl \
--header "Authorization: Bearer $token" \
--request POST \
--silent \
--url "$jamfProURL/api/v1/auth/invalidate-token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
exit 0
Raw
Get Jamf Pro LAPS Account Password.zsh
#!/bin/zsh
# set -x
:<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------
Written by:William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8
Originally posted: June 16, 2024
Purpose: Get Jamf Pro LAPS account password.
Instructions:
1. In Jamf Pro click Settings > System > API roles and clients.
2. Under API Roles create a new API role such as "LAPS Administration".
Set Privileges to include:
View Local Admin Password
Under API Clients create a new API client such as "LAPS Administrator".
Set API roles to:
LAPS administration
Enable the API client and copy the Client ID and Client Secret.
3. Update the Jamf Pro URL, Client ID, and Client Secret variables below.
4. In Jamf Pro click Computers > Search Inventory and search for a
computer record.
Under Inventory, locate the Jamf Pro Management ID.
Update the management ID variable below.
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/
"With the story of your life, you don’t get to write the whole book,
just your character."
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT
jamfProURL="https://talkingmoose.jamfcloud.com"
clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a"
clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB"
managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10"
function checkResponseCode() {
httpErrorCodes="000 No HTTP code received
200 Request successful
201 Request to create or update object successful
400 Bad request
401 Authentication failed
403 Invalid permissions
404 Object/resource not found
409 Conflict
500 Internal server error"
responseCode=${1: -3}
code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" )
echo "$code"
}
echo "Requesting oauth token."
# request oauth token
oAuthTokenResponse=$( /usr/bin/curl \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=$clientID" \
--data-urlencode "client_secret=$clientSecret" \
--header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--silent \
--url "$jamfProURL/api/oauth/token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
# extract token data from response
oAuthToken=${oAuthTokenResponse%???}
# parse token from response
token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" )
echo "Getting LAPS usernames."
# get LAPS usernames
lapsUsernameInformation=$( /usr/bin/curl \
--header "Accept: application/json" \
--header "Authorization: Bearer $token" \
--request GET \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \
--write-out "%{http_code}" )
checkResponseCode "$lapsUsernameInformation"
# parse LAPS username information for each username
usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" )
echo "$usernames"
# report password for each available LAPS account
while IFS= read aUsername
do
# get LAPS account password
lapsAccountPassword=$( /usr/bin/curl \
--header "Accept: application/json" \
--header "Authorization: Bearer $token" \
--request GET \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/password" \
--write-out "%{http_code}" )
checkResponseCode "$lapsUsernameInformation"
# extract data from request
password=$( /usr/bin/awk -F '"' '/password/ { print $4 }' <<< "$lapsAccountPassword" )
echo "Password for account \"$aUsername\": $password"
done <<< "$usernames"
echo "Destroying oauth token."
# expire auth token
expireToken=$( /usr/bin/curl \
--header "Authorization: Bearer $token" \
--request POST \
--silent \
--url "$jamfProURL/api/v1/auth/invalidate-token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
exit 0
Raw
Get Jamf Pro LAPS Settings.zsh
#!/bin/zsh
# set -x
:<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------
Written by:William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8
Originally posted: June 16, 2024
Purpose: Get Jamf Pro LAPS settings.
Instructions:
1. In Jamf Pro click Settings > System > API roles and clients.
2. Under API Roles create a new API role such as "LAPS Management".
Set Privileges to include:
Update Local Admin Password Settings
Under API Clients create a new API client such as "LAPS Manager".
Set API roles to:
LAPS Management
Enable the API client and copy the Client ID and Client Secret.
3. Update the Jamf Pro URL, Client ID, and Client Secret variables below.
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/
"If you find yourself in a hole, stop digging."
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT
jamfProURL="https://talkingmoose.jamfcloud.com"
clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a"
clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB"
function checkResponseCode() {
httpErrorCodes="000 No HTTP code received
200 Request successful
201 Request to create or update object successful
400 Bad request
401 Authentication failed
403 Invalid permissions
404 Object/resource not found
409 Conflict
500 Internal server error"
responseCode=${1: -3}
code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" )
echo "$code"
}
echo "Requesting oauth token."
# request oauth token
oAuthTokenResponse=$( /usr/bin/curl \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=$clientID" \
--data-urlencode "client_secret=$clientSecret" \
--header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--silent \
--url "$jamfProURL/api/oauth/token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
# extract token data from response
oAuthToken=${oAuthTokenResponse%???}
# parse token from response
token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" )
echo "Requesting settings."
# request LAPS settings
lapsSettings=$( /usr/bin/curl \
--header "accept: application/json" \
--header "Authorization: Bearer $token" \
--request GET \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/settings" \
--write-out "%{http_code}" )
checkResponseCode "$lapsSettings"
# extract data from request
echo "${lapsSettings%???}"
echo "Destroying oauth token."
# expire auth token
expireToken=$( /usr/bin/curl \
--header "Authorization: Bearer $token" \
--request POST \
--silent \
--url "$jamfProURL/api/v1/auth/invalidate-token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
exit 0
Raw
Set Jamf Pro LAPS Password.zsh
#!/bin/zsh
# set -x
:<<ABOUT_THIS_SCRIPT
-----------------------------------------------------------------------
Written by:William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8
Originally posted: June 16, 2024
Purpose: Set Jamf Pro LAPS Password.
Instructions:
1. In Jamf Pro click Settings > System > API roles and clients.
2. Under API Roles create a new API role such as "LAPS Administration".
Set Privileges to include:
Send Local Admin Password Command
Under API Clients create a new API client such as "LAPS Administrator".
Set API roles to:
LAPS Administration
Enable the API client and copy the Client ID and Client Secret.
3. Update the Jamf Pro URL, Client ID, and Client Secret variables below.
4. In Jamf Pro click Computers > Search Inventory and search for a
computer record.
Under Inventory, locate the Jamf Pro Management ID.
Update the management ID variable below.
5. Adjust the password JSON variable below with the LAPS account name
and your temporary password below.
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/
"The beginning of wisdom is to call things by their proper name."
-----------------------------------------------------------------------
ABOUT_THIS_SCRIPT
jamfProURL="https://talkingmoose.jamfcloud.com"
clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a"
clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB"
managementId="fe8252e8-b6a2-431c-8ad7-8a0e61996ae6"
setPasswordJSON='{
"lapsUserPasswordList": [
{
"username": "jamfadmin",
"password": "Jamf12345!"
}
]
}'
function checkResponseCode() {
httpErrorCodes="000 No HTTP code received
200 Request successful
201 Request to create or update object successful
400 Bad request
401 Authentication failed
403 Invalid permissions
404 Object/resource not found
409 Conflict
500 Internal server error"
responseCode=${1: -3}
code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" )
echo "$code"
}
echo "Requesting oauth token."
# request oauth token
oAuthTokenResponse=$( /usr/bin/curl \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "client_id=$clientID" \
--data-urlencode "client_secret=$clientSecret" \
--header "Content-Type: application/x-www-form-urlencoded" \
--request POST \
--silent \
--url "$jamfProURL/api/oauth/token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
# extract token data from response
oAuthToken=${oAuthTokenResponse%???}
# parse token from response
token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" )
echo "Setting password."
# set LAPS settings
setPassword=$( /usr/bin/curl \
--data "$setPasswordJSON" \
--header "Accept: application/json" \
--header "Content-Type: application/json" \
--header "Authorization: Bearer $token" \
--request PUT \
--silent \
--url "$jamfProURL/api/v2/local-admin-password/$managementId/set-password" \
--write-out "%{http_code}" )
checkResponseCode "$setPassword"
echo "Destroying oauth token."
# expire auth token
expireToken=$( /usr/bin/curl \
--header "Authorization: Bearer $token" \
--request POST \
--silent \
--url "$jamfProURL/api/v1/auth/invalidate-token" \
--write-out "%{http_code}" )
checkResponseCode "$oAuthTokenResponse"
exit 0
@talkingmoose
Copy link
Author

talkingmoose commented Jul 26, 2025
edited
Loading

@Mystikal79 Just tested the script in my environment to verify it still works for me. Your computers' macOS versions shouldn't make a difference. The script is only interacting with Jamf Pro. But do make sure your new password meets any password complexity requirements you might've set using a configuration profile, Jamf Connect, or some other tool.

Since you mention trying to reset multiple Macs, I'm wondering if you've altered the script to support multiple management IDs. Maybe something in what you've changed is causing the issue.

Here's what I'd do

On line 58, I'd change the variable name "managementId" to "managementIds" (plural) and provide multiple IDs like this:

managementIds=(62a7f94b-63ea-4da9-a1d1-b6b79f72935a
e56ff883-9aab-4efe-8f78-f6a86d4abfe8
035b1edf-132b-47cb-9b08-1129132770fb)

Then I'd replace lines 107-120 with this:

for anId in $managementIds;
do
	echo "Setting password for management ID $anId."
	
	# set LAPS settings
	setPassword=$( /usr/bin/curl \
	--data "$setPasswordJSON" \
	--header "Accept: application/json" \
	--header "Content-Type: application/json" \
	--header "Authorization: Bearer $token" \
	--request PUT \
	--silent \
	--url "$jamfProURL/api/v2/local-admin-password/$anId/set-password" \
	--write-out "%{http_code}" )
	
	checkResponseCode "$setPassword"
done

For these three IDs I get this feedback from the script:

Requesting oauth token.
200 Request successful
Setting password.
200 Request successful
Setting password.
200 Request successful
Setting password.
200 Request successful
Destroying oauth token.
200 Request successful

@talkingmoose
Copy link
Author

@jlewisasd If the script isn't working consistently, that tells me it's working some of the time. Correct? If the massively long delay you mention is a delay between Jamf Pro being changed and your computer receiving the new password, that's nothing the script can solve for you

That tells me the script is fine. It's not changing between your attempts to use it. You may either have a network issue between your computer running the script and your Jamf Pro server or an issue with the Jamf Pro server itself.

Verify nothing on your network is causing a disruption. The easiest way to do that is use something like a mobile hotspot or take your computer to a local coffee shop outside your company network.

If you still receive any kind of error or delays, you may need to reach out to Jamf for support.

@jlewisasd
Copy link

@jlewisasd If the script isn't working consistently, that tells me it's working some of the time. Correct? If the massively long delay you mention is a delay between Jamf Pro being changed and your computer receiving the new password, that's nothing the script can solve for you

That tells me the script is fine. It's not changing between your attempts to use it. You may either have a network issue between your computer running the script and your Jamf Pro server or an issue with the Jamf Pro server itself.

Verify nothing on your network is causing a disruption. The easiest way to do that is use something like a mobile hotspot or take your computer to a local coffee shop outside your company network.

If you still receive any kind of error or delays, you may need to reach out to Jamf for support.

I found if I added sudo jamf policy at the end of the script it made the update a lot more responsive, we also did have another script that we were deploying that was was not terminating properly, so I am not 100% sure what it was that fixed it for us since I have seen even after adding the jamf policy command it doesn't always update completely, but running it a second time does update it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment