Example scripts for managing, administerting, and auditing Jamf Pro LAPS accounts.
Use these as models for creating scripts for your own workflows.
I also have two additional Jamf Pro LAPS scripts you may find useful:
For adding a jamf binary managed LAPS account to existing computers
Retrieve LAPS Password.zsh
A Self Service script for retrieving the Jamf Pro LAPS password for the current computer
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Audit Jamf Pro LAPS Account Access. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| View Local Admin Password Audit History | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS Administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "You don’t have to be great to start, but you have to start to be great." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Getting LAPS usernames." | |
| # get LAPS usernames | |
| lapsUsernameInformation=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # parse LAPS username information for each username | |
| usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" ) | |
| # report history for each available LAPS account | |
| while IFS= read aUsername | |
| do | |
| echo "Getting history for LAPS account \"$aUsername\"" | |
| # get LAPS account history | |
| lapsAccountAuditing=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/audit" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsAccountAuditing" | |
| # extract data from request | |
| echo "${lapsAccountAuditing%???}" | |
| echo | |
| done <<< "$usernames" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Configure Jamf Pro LAPS settings. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Management". | |
| Set Privileges to include: | |
| Update Local Admin Password Settings | |
| Under API Clients create a new API client such as "LAPS Manager". | |
| Set API roles to: | |
| LAPS Management | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. UUpdate the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro edit Settings > Global > User-Initiated Enrollment > | |
| Computers. | |
| Select "Create managed local administrator account" and provide | |
| a Username for the LAPS account. | |
| Optionally, hide the managed local administrator account and/or | |
| allow SSH access. | |
| 5. Adjust the LAPS settings JSON variable below. | |
| autoDeployedEnabled (default: false): | |
| Set to "true" only if using a PreStage LAPS account. | |
| Otherwise, the jamf binary LAPS account | |
| passwordRotationTime (default: 3600): | |
| Number of seconds before Jamf Pro will will wait before | |
| rotating the password after viewing it. | |
| autoRotateEnabled (default: false): | |
| Set to "true" to rotate LAPS account passwords regardless | |
| of whether they've been viewed. | |
| autoRotateExpirationTime (default: 7776000): | |
| Number of seconds before Jamf Pro will will automatically rotate | |
| LAPS account passwords regardless of whether they've been viewed. | |
| autoRotateEnabled must be set to "true". | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "A feature undiscovered is a feature missing." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| lapsSettingsJSON='{ | |
| "autoDeployEnabled": false, | |
| "passwordRotationTime": 900, | |
| "autoRotateEnabled": false, | |
| "autoRotateExpirationTime": 31536000 | |
| }' | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Configuring settings." | |
| # set LAPS settings | |
| lapsSettings=$( /usr/bin/curl \ | |
| --data "$lapsSettingsJSON" \ | |
| --header "Content-Type: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request PUT \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/settings" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsSettings" | |
| # extract data from request | |
| echo "${lapsSettings%???}" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Get Jamf Pro LAPS account password. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| View Local Admin Password Audit History | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "If you only read the books that everyone else is reading, | |
| you can only think what everyone else is thinking." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Getting LAPS usernames." | |
| # get LAPS usernames | |
| lapsUsernameInformation=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # parse LAPS username information for each username | |
| usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" ) | |
| # report history for each available LAPS account | |
| while IFS= read aUsername | |
| do | |
| echo "Getting history for LAPS account \"$aUsername\"" | |
| # get LAPS account history | |
| lapsAccountHistory=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/history" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsAccountHistory" | |
| # extract data from request | |
| echo "${lapsAccountHistory%???}" | |
| echo | |
| done <<< "$usernames" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Get Jamf Pro LAPS account information. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| View Local Admin Password | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3.Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "Free speech is still free. It’s the volume that costs money." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Getting LAPS usernames." | |
| # get LAPS usernames | |
| lapsUsernameInformation=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # extract data from request | |
| echo "${lapsUsernameInformation%???}" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Get Jamf Pro LAPS account password. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| View Local Admin Password | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "With the story of your life, you don’t get to write the whole book, | |
| just your character." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="60a32f7d-b734-48bd-a69f-e015cdd28f10" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Getting LAPS usernames." | |
| # get LAPS usernames | |
| lapsUsernameInformation=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/accounts" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # parse LAPS username information for each username | |
| usernames=$( /usr/bin/awk -F '"' '/username/ { print $4 }' <<< "$lapsUsernameInformation" ) | |
| echo "$usernames" | |
| # report password for each available LAPS account | |
| while IFS= read aUsername | |
| do | |
| # get LAPS account password | |
| lapsAccountPassword=$( /usr/bin/curl \ | |
| --header "Accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/account/$aUsername/password" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsUsernameInformation" | |
| # extract data from request | |
| password=$( /usr/bin/awk -F '"' '/password/ { print $4 }' <<< "$lapsAccountPassword" ) | |
| echo "Password for account \"$aUsername\": $password" | |
| done <<< "$usernames" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Get Jamf Pro LAPS settings. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Management". | |
| Set Privileges to include: | |
| Update Local Admin Password Settings | |
| Under API Clients create a new API client such as "LAPS Manager". | |
| Set API roles to: | |
| LAPS Management | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "If you find yourself in a hole, stop digging." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Requesting settings." | |
| # request LAPS settings | |
| lapsSettings=$( /usr/bin/curl \ | |
| --header "accept: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request GET \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/settings" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$lapsSettings" | |
| # extract data from request | |
| echo "${lapsSettings%???}" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
| #!/bin/zsh | |
| # set -x | |
| :<<ABOUT_THIS_SCRIPT | |
| ----------------------------------------------------------------------- | |
| Written by:William Smith | |
| Technical Enablement Manager | |
| Jamf | |
| [email protected] | |
| https://gist.github.com/talkingmoose/0550abf9ebb9e1267ea82a55556601d8 | |
| Originally posted: June 16, 2024 | |
| Purpose: Set Jamf Pro LAPS Password. | |
| Instructions: | |
| 1. In Jamf Pro click Settings > System > API roles and clients. | |
| 2. Under API Roles create a new API role such as "LAPS Administration". | |
| Set Privileges to include: | |
| Send Local Admin Password Command | |
| Under API Clients create a new API client such as "LAPS Administrator". | |
| Set API roles to: | |
| LAPS Administration | |
| Enable the API client and copy the Client ID and Client Secret. | |
| 3. Update the Jamf Pro URL, Client ID, and Client Secret variables below. | |
| 4. In Jamf Pro click Computers > Search Inventory and search for a | |
| computer record. | |
| Under Inventory, locate the Jamf Pro Management ID. | |
| Update the management ID variable below. | |
| 5. Adjust the password JSON variable below with the LAPS account name | |
| and your temporary password below. | |
| Except where otherwise noted, this work is licensed under | |
| http://creativecommons.org/licenses/by/4.0/ | |
| "The beginning of wisdom is to call things by their proper name." | |
| ----------------------------------------------------------------------- | |
| ABOUT_THIS_SCRIPT | |
| jamfProURL="https://talkingmoose.jamfcloud.com" | |
| clientID="b36a0245-f238-4c54-ac8a-6e4170f7ad6a" | |
| clientSecret="ve5ffjUAIGjs4X-OjsT_KeyqVAv7HR_Em4hXWYHT12mp791DY7RGqHFEdyhtjZsB" | |
| managementId="fe8252e8-b6a2-431c-8ad7-8a0e61996ae6" | |
| setPasswordJSON='{ | |
| "lapsUserPasswordList": [ | |
| { | |
| "username": "jamfadmin", | |
| "password": "Jamf12345!" | |
| } | |
| ] | |
| }' | |
| function checkResponseCode() { | |
| httpErrorCodes="000 No HTTP code received | |
| 200 Request successful | |
| 201 Request to create or update object successful | |
| 400 Bad request | |
| 401 Authentication failed | |
| 403 Invalid permissions | |
| 404 Object/resource not found | |
| 409 Conflict | |
| 500 Internal server error" | |
| responseCode=${1: -3} | |
| code=$( /usr/bin/grep "$responseCode" <<< "$httpErrorCodes" ) | |
| echo "$code" | |
| } | |
| echo "Requesting oauth token." | |
| # request oauth token | |
| oAuthTokenResponse=$( /usr/bin/curl \ | |
| --data-urlencode "grant_type=client_credentials" \ | |
| --data-urlencode "client_id=$clientID" \ | |
| --data-urlencode "client_secret=$clientSecret" \ | |
| --header "Content-Type: application/x-www-form-urlencoded" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/oauth/token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| # extract token data from response | |
| oAuthToken=${oAuthTokenResponse%???} | |
| # parse token from response | |
| token=$( /usr/bin/plutil -extract access_token raw - <<< "$oAuthToken" ) | |
| echo "Setting password." | |
| # set LAPS settings | |
| setPassword=$( /usr/bin/curl \ | |
| --data "$setPasswordJSON" \ | |
| --header "Accept: application/json" \ | |
| --header "Content-Type: application/json" \ | |
| --header "Authorization: Bearer $token" \ | |
| --request PUT \ | |
| --silent \ | |
| --url "$jamfProURL/api/v2/local-admin-password/$managementId/set-password" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$setPassword" | |
| echo "Destroying oauth token." | |
| # expire auth token | |
| expireToken=$( /usr/bin/curl \ | |
| --header "Authorization: Bearer $token" \ | |
| --request POST \ | |
| --silent \ | |
| --url "$jamfProURL/api/v1/auth/invalidate-token" \ | |
| --write-out "%{http_code}" ) | |
| checkResponseCode "$oAuthTokenResponse" | |
| exit 0 |
@jlewisasd If the script isn't working consistently, that tells me it's working some of the time. Correct? If the massively long delay you mention is a delay between Jamf Pro being changed and your computer receiving the new password, that's nothing the script can solve for you
That tells me the script is fine. It's not changing between your attempts to use it. You may either have a network issue between your computer running the script and your Jamf Pro server or an issue with the Jamf Pro server itself.
Verify nothing on your network is causing a disruption. The easiest way to do that is use something like a mobile hotspot or take your computer to a local coffee shop outside your company network.
If you still receive any kind of error or delays, you may need to reach out to Jamf for support.
I found if I added sudo jamf policy at the end of the script it made the update a lot more responsive, we also did have another script that we were deploying that was was not terminating properly, so I am not 100% sure what it was that fixed it for us since I have seen even after adding the jamf policy command it doesn't always update completely, but running it a second time does update it.
@jlewisasd If the script isn't working consistently, that tells me it's working some of the time. Correct? If the massively long delay you mention is a delay between Jamf Pro being changed and your computer receiving the new password, that's nothing the script can solve for you
That tells me the script is fine. It's not changing between your attempts to use it. You may either have a network issue between your computer running the script and your Jamf Pro server or an issue with the Jamf Pro server itself.
Verify nothing on your network is causing a disruption. The easiest way to do that is use something like a mobile hotspot or take your computer to a local coffee shop outside your company network.
If you still receive any kind of error or delays, you may need to reach out to Jamf for support.