@talkingmoose
Last active December 3, 2024 18:41
Use a Jamf Pro policy to re-enroll a computer to install a LAPS management account, and then create a launch daemon and script to update inventory immediately.
#!/bin/zsh
:<<ABOUT_THIS_SCRIPT
-------------------------------------------------------------------------------
Written by:William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/9f4638932df28c4bebde5dd47be1812a
Originally posted: May 22, 2024
Purpose: Use a Jamf Pro policy to re-enroll a computer to install a LAPS
management account, and then create a launch daemon and script to update
inventory immediately.
The launch daemon and script are necessary because re-enrollment destroys
the original device signature and prevents reporting to the policy when
complete.
Note: This script works only for using the jamf binary to re-enroll
computers. It cannot remotely invoke an MDM re-enrollment using:
/usr/bin/profiles renew -type enrollment
because this command requires user interaction.
Although this script re-enrolls a computer using the jamf binary, any
computers initially enrolled using Automated Device Enrollment will
continue reporting "Enrollment Method: PreStage enrollment".
Instructions:
1. Create a new script in Jamf Pro named something like "Re-enroll computers for LAPS".
Paste the entire contents of this script as-is into the Script field.
Under the Options tab, set the following parameter labels.
Parameter 4: Organization Name (e.g., "My Example Company")
Parameter 5: Organization Reverse Domain (e.g., "com.example")
Parameter 6: Enrollment Invitation (e.g., "124632841331503686010851388828066332132")
2. Use Jamf Pro Computers > Enrollment Invitations to generate a new multiple
use Invitation ID and set the expiration for as long as you think you'll
need to re-enroll computers to create the account.
Copy the Invitation ID for use in the policy later.
3. Create a smart computer group named something like:
"All computers with LAPS management account"
Set its criteria to:
"Managed By is LAPSusername".
Replace "LAPSusername" with the username of your managed local
administrator account from User-Initiated Enrollment.
4. Add the script to a new policy named something like "Re-enroll computers
for LAPS".
Set the three script parameters:
Organization Name (e.g., "My Example Company")
Organization Reverse Domain (e.g., "com.example")
Enrollment Invitation (e.g., "124632841331503686010851388828066332132")
Enable the policy to trigger at Recurring Check-In with a frequency of
Once Per Computer.
Scope the policy:
Set Target to "All Computers"
Set Exclusions to your new smart computer group from step 3.
After a computer checks in and completes the policy, the computer record
should show a jamf binary account for "Managed Local Administrator Accounts"
and fall out of scope for the policy.
(Note: The policy logs will never report the policy has completed unless it
generates an error.)
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/.
"Someone will solve a problem, if he finds the problem interesting."
— Tim O'Reilly
-------------------------------------------------------------------------------
ABOUT_THIS_SCRIPT
# script parameters from the Jamf Pro policy
organizationName="$4"
organizationReverseDomain="$5"
enrollmentInvitation="$6"
# re-enroll the computer using the invitation passed in as parameter 6
/usr/local/bin/jamf enroll -invitation "$enrollmentInvitation" -noRecon -noManage -noPolicy
exitStatus="$?"
# if re-enrollment failed, report this to the policy log and exit the script
if [[ "$exitStatus" != 0 ]]; then
    exit "$exitStatus"
fi
# create organization folder if necessary to house the jamf-recon.zsh script
/bin/mkdir -p "/Library/$organizationName"
# create jamf-recon.zsh script
tee "/Library/$organizationName/jamf-recon.zsh" << EOF
#!/bin/zsh
# update Jamf Pro inventory
/usr/local/bin/jamf recon
# delete this script
/bin/rm "/Library/$organizationName/jamf-recon.zsh"
# attempt to delete enclosing directory
/bin/rmdir "/Library/$organizationName"
# delete the launch daemon plist
/bin/rm "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist"
# kill the launch daemon process
/bin/launchctl remove "$organizationReverseDomain.jamf-recon"
exit 0
EOF
# set correct ownership and permissions on jamf-recon.zsh script
/usr/sbin/chown root:wheel "/Library/$organizationName/jamf-recon.zsh" && /bin/chmod +x "/Library/$organizationName/jamf-recon.zsh"
# create $organizationReverseDomain.jamf-recon.plist launch daemon
tee "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>PATH</key>
        <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
    </dict>
    <key>Label</key>
    <string>$organizationReverseDomain.jamf-recon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/zsh</string>
        <string>-c</string>
        <string>"/Library/$organizationName/jamf-recon.zsh"</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>1</integer>
</dict>
</plist>
EOF
# set correct ownership and permissions on launch daemon
/usr/sbin/chown root:wheel "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" && /bin/chmod 644 "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist"
# load the launch daemon; RunAtLoad starts the job, and launchctl start takes the job label, not the plist path
/bin/launchctl bootstrap system "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" && /bin/launchctl start "$organizationReverseDomain.jamf-recon"
exit
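The script above drops the three policy parameters straight into a filesystem path, a launchd label and an XML document. The following is an added example, not code from the gist or its author, showing the parameter checks and XML escaping a practitioner would want before those values are used: the organization name is escaped so a name containing "&" or quotes cannot produce a plist launchd refuses to load, the reverse domain and invitation ID are restricted to the characters they legitimately contain, and the script path is passed as its own argv entry instead of through "zsh -c". Function names are hypothetical, the staging root stands in for /Library so it runs anywhere, and the digits-only rule for invitation IDs is an assumption based on the gist's example value.

```shell
#!/bin/bash
# Added example, not part of the gist: validate the three policy parameters
# the gist reads ($4 organization name, $5 reverse domain, $6 invitation ID)
# before they are used in paths and the launch daemon label, and render the
# plist with the organization name XML-escaped. Function names are
# hypothetical; the staging root replaces /Library so this runs off a Mac.

# Escape the five XML special characters so a name such as "Smith & Sons"
# cannot produce an unparsable plist (launchd would refuse to load it).
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Organization name becomes a directory under /Library: reject empty names,
# anything containing a slash, and names starting with a dot.
validate_org_name() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
    esac
    return 0
}

# Reverse domain is the launchd label prefix and plist filename: allow only
# dot-separated labels of letters, digits and hyphens.
validate_reverse_domain() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# Invitation IDs in the gist's example are long digit strings; requiring
# digits only is an assumption, but it stops shell metacharacters reaching
# the jamf enroll command line.
validate_invitation() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+$'
}

# Check all three parameters; the return code tells the caller which failed.
check_params() {
    validate_org_name "$1"       || { echo "bad organization name: '$1'" >&2; return 1; }
    validate_reverse_domain "$2" || { echo "bad reverse domain: '$2'" >&2; return 2; }
    validate_invitation "$3"     || { echo "bad enrollment invitation" >&2; return 3; }
    return 0
}

# Print the launch daemon plist. The script path is passed as its own argv
# entry rather than through "zsh -c", so spaces or quotes in the organization
# name need no shell quoting; only XML escaping is required.
render_daemon_plist() {
    local org_escaped domain root
    org_escaped=$(xml_escape "$1")
    domain="$2"
    root="$3"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${domain}.jamf-recon</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/zsh</string>
        <string>${root}/${org_escaped}/jamf-recon.zsh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>1</integer>
</dict>
</plist>
EOF
}

# Validate, then write the plist under "$root/LaunchDaemons" (stand-in for
# /Library/LaunchDaemons) with the 644 mode the gist sets. Prints the path.
stage_daemon() {
    check_params "$1" "$2" "$3" || return $?
    local root="$4" plist
    mkdir -p "$root/LaunchDaemons" "$root/$1"
    plist="$root/LaunchDaemons/$2.jamf-recon.plist"
    render_daemon_plist "$1" "$2" "$root" > "$plist"
    chmod 644 "$plist"
    printf '%s\n' "$plist"
}

# Usage with constructed values, staging into a temp dir rather than /Library:
# stage_daemon "Smith & Sons" "com.example" "124632841331503686010851388828066332132" "$(mktemp -d)"
```

On a real deployment the root would be /Library and the recon script would be written into "$root/$organizationName" exactly as the gist does; the validation runs before "jamf enroll" so a mis-set policy parameter fails the policy with a readable message instead of producing a daemon that never loads.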
@zomburss

zomburss commented Jun 6, 2024

Running into "Permission Error - The user specified does not have permission to perform the action." Any idea where to start tracking this down?

@talkingmoose
Author

@zomburss The script is intended to be run from a Jamf Pro policy. Are you doing that? If so, verify you're not trying to create a LAPS account with a username that already exists.

@Jorsta

Jorsta commented Aug 16, 2024

Getting this output when running a policy with the script from the terminal (using a custom trigger):

Error running script: return code was 3.
Submitting log to https://tt.jamfcloud.com/
Log was not written in the JSS. Will store locally.

I can't find any locally stored log for the script. Where should I look?

@talkingmoose
Author

@Jorsta That message is expected. As soon as you re-enroll a computer, its device signature changes. The policy is running under the old device signature and can no longer report to Jamf Pro.

That's the reason for the launch daemon and script. They update inventory after re-enrollment under the new device signature.
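The exchange above explains that the launch daemon exists because the policy itself can no longer report after the device signature changes. The gist's jamf-recon.zsh removes itself and the daemon whether or not "jamf recon" succeeded, so a transient failure right after re-enrollment leaves the computer without an inventory update until the next scheduled one. The following is an added example, not code from the gist or its author, of a bounded retry around the inventory update that only cleans up after a success; helper names are hypothetical, and the recon command and file paths are parameters so the logic can be exercised against a staging directory rather than /Library.

```shell
#!/bin/bash
# Added example, not part of the gist: a retry wrapper for the inventory
# update the launch daemon performs. The gist's jamf-recon.zsh deletes itself
# and the daemon whether or not "jamf recon" succeeded; this version only
# cleans up after a successful run. Helper names are hypothetical.

# Run "$@" up to MAX_ATTEMPTS times with a fixed delay between attempts.
# Returns 0 on the first success, otherwise the last exit status.
retry() {
    local attempts="${MAX_ATTEMPTS:-5}" delay="${RETRY_DELAY:-30}" n=1 status=0
    while [ "$n" -le "$attempts" ]; do
        "$@" && return 0
        status=$?
        echo "attempt $n of $attempts failed with status $status" >&2
        n=$((n + 1))
        [ "$n" -le "$attempts" ] && sleep "$delay"
    done
    return "$status"
}

# Remove the recon script, its enclosing directory (if now empty) and the
# daemon plist, in the gist's order. Only called after recon succeeded.
cleanup_daemon() {
    local script_path="$1" plist_path="$2" label="$3"
    rm -f "$script_path"
    rmdir "$(dirname "$script_path")" 2>/dev/null || true
    rm -f "$plist_path"
    # On macOS the gist then runs: /bin/launchctl remove "$label"
    # (omitted here so the example runs off-box)
    return 0
}

# What jamf-recon.zsh would do: retry recon, then clean up only on success.
# RECON_CMD defaults to the real binary; it is deliberately unquoted so a
# command with arguments splits into words. Tests override it with a stand-in.
recon_and_cleanup() {
    local script_path="$1" plist_path="$2" label="$3"
    if retry ${RECON_CMD:-/usr/local/bin/jamf recon}; then
        cleanup_daemon "$script_path" "$plist_path" "$label"
    else
        echo "inventory update failed after retries; leaving daemon in place" >&2
        return 1
    fi
}

# Usage on a Mac (constructed organization name and reverse domain):
# recon_and_cleanup "/Library/My Example Company/jamf-recon.zsh" \
#     "/Library/LaunchDaemons/com.example.jamf-recon.plist" "com.example.jamf-recon"
```

Leaving the daemon in place on failure means launchd keeps rescheduling the job on its StartInterval, so the inventory update is eventually submitted once the server is reachable; the retry bound inside the script only limits how long one launch of the job waits.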

@Jorsta

Jorsta commented Aug 17, 2024

Does that mean there is no log anywhere that I can use for troubleshooting? What goes wrong is that – while the enrollment itself does take place according to the timestamp in the inventory – the management account, configured for user initiated enrollment, is NOT created on the target computer. I guess the returned error code (3) means that the script really encountered some kind of error that otherwise could have been logged.

@talkingmoose
Author

Correct. If the re-enrollment succeeded, it won’t report back to the policy, but you’ll see the enrollment time in the computer record get updated.

If the management account isn’t getting configured, that’s a different issue. Open Terminal and run this command:

dscl . list /Users

Do you see the management account at the bottom of the list?

@Jorsta

Jorsta commented Aug 17, 2024

No, the account is not there

@sapirmaayan-personal

I'm running through this error:
Running into "Permission Error - The user specified does not have permission to perform the action." Any idea where to start tracking this down?

When I ran:
dscl . list /Users

I see my account that I want to become the account that manages the Mac as well.

Is there a way to utilize this script, while I do see the account in the Mac it is just not managing it?

@talkingmoose
Author

@Jorsta The script only handles re-enrollment, which is working. The LAPS account is going to be its own issue.

There's not much to it — just enable "Create managed local administrator account" and specify an account name. Make sure you're using a single simple username. And it sounds trite, but I'll say it because I've seen it multiple times before. Make sure you're looking at the correct computer record in Jamf Pro and at the correct physical computer.

You may need to reach out to Jamf Support to troubleshoot.

@talkingmoose
Author

@sapirmaayan-personal Did you configure the script in Jamf Pro per the instructions?

@Jorsta

Jorsta commented Aug 19, 2024

Yes I know, it should work. I did it right.
But this is, as you say, an issue to discuss with Jamf.

@sapirmaayan-personal

@talkingmoose
I understood my issue and was able to run the script successfully.

This script seems to not be my solution as the local account I'm trying to make a managed local account is not set through the user-initiated enrollment settings; it is in the PreStage enrollment settings.

Maybe you have a different solution for my issue?

@talkingmoose
Author

@sapirmaayan-personal You can only deploy the admin account defined in a PreStage enrollment during its initial creation in Setup Assistant. You’d need to wipe and re-enroll the computer to manage it as a LAPS account.

@sapirmaayan-personal

@talkingmoose that sucks!!!
I hoped there would be a way to bypass fully wiping and re-enrolling the Macs.

Thank you!!!!

@rougegoat

Does this script run silently or is it something that prompts the user to enter their credentials for the re-enrollment?

@talkingmoose
Author

Does this script run silently or is it something that prompts the user to enter their credentials for the re-enrollment?

It’s silent to the end user. No interaction.

@sharristonP

So the script runs as described above, but I am not seeing the Management Account getting created. Do I need to wait a certain amount of time for it to show? Or should I open a case with Jamf Support?

@talkingmoose
Author

@sharristonP, the only thing this script does is re-enroll a computer. It has nothing to do with actually creating the account. So, yes, if you find enrolling a computer doesn’t create the management account, then reach out to Jamf Support for assistance.

@iresco

iresco commented Nov 12, 2024

Hello,
Thank you so much for providing this!
I do get this error and can't really find anything to help me:
Script result: An error occurred while enrolling computer: Invalid Message - The message could not be parsed.
Restoring JAMF.keychain since an error occurred.
Enroll return code: 70

Please let me know what you think.
Thanks!

@talkingmoose
Author

@iresco A few questions:

  1. Are you seeing this on multiple computers or only one?
  2. Is your Apple Push Notification service (APNs) certificate currently valid and not expired?
  3. Is your Jamf Pro server up-to-date? At least Jamf Pro 11.x something? Shouldn't make a difference, but helps to know your environment is up-to-date.
  4. Are you running this as a policy from Jamf Pro and not running this manually? The script is meant to run automatically from a Jamf Pro policy.

@sharristonP

I should add there was a PI:
[PI118031] Redeploying the Jamf management framework via the Jamf Pro API now respects the Create managed local administrator account setting (Settings > Global > User-initiated enrollment > Computers) even if the target computer was originally enrolled before the setting was enabled.

That was fixed in the latest version of Jamf 11.11.1, now this script will work to add management accounts.

@iresco

iresco commented Nov 13, 2024

@talkingmoose Thank you for your answer!

  1. Seeing this on one computer (only one that was scoped so far)
  2. The APN is valid until July 2025
  3. Jamf Pro is currently 11.10.2
  4. Yes, from a policy as instructed in your steps

@sharristonP Thank you for specifying! I'll be looking into this too as we are running on 11.10.2 at the moment.

@talkingmoose
Author

@iresco Nothing about your environment sounds like it should cause a problem. I’m not familiar with the product issue @sharristonP mentioned, but the script isn’t using the Jamf Pro API. Try it on one or two other computers to see if you replicate the problem or can isolate it to just the one computer.

@iresco

iresco commented Nov 15, 2024

Hi!
It's unfortunately failing with the same error on a couple other laptops.
Thanks for your help though!
