@talkingmoose
Last active August 25, 2025 13:14
Use a Jamf Pro policy to re-enroll a computer to install a LAPS management account, and then create a launch daemon and script to update inventory immediately.
#!/bin/zsh
:<<ABOUT_THIS_SCRIPT
-------------------------------------------------------------------------------
Written by: William Smith
Technical Enablement Manager
Jamf
[email protected]
https://gist.github.com/talkingmoose/9f4638932df28c4bebde5dd47be1812a
Originally posted: May 22, 2024
Purpose: Use a Jamf Pro policy to re-enroll a computer to install a LAPS
management account, and then create a launch daemon and script to update
inventory immediately.
The launch daemon and script are necessary because re-enrollment destroys
the original device signature and prevents reporting to the policy when
complete.
Note: This script works only when using the jamf binary to re-enroll
computers. It cannot remotely invoke an MDM re-enrollment using:
/usr/bin/profiles renew -type enrollment
because that command requires user interaction.
Although this script re-enrolls a computer using the jamf binary, any
computers initially enrolled using Automated Device Enrollment will
continue reporting "Enrollment Method: PreStage enrollment".
Instructions:
1. Create a new script in Jamf Pro named something like "Re-enroll computers for LAPS".
Paste the entire contents of this script as-is into the Script field.
Under the Options tab, set the following parameter labels.
Parameter 4: Organization Name (e.g., "My Example Company")
Parameter 5: Organization Reverse Domain (e.g., "com.example")
Parameter 6: Enrollment Invitation (e.g., "124632841331503686010851388828066332132")
2. Use Jamf Pro Computers > Enrollment Invitations to generate a new multiple
use Invitation ID and set the expiration for as long as you think you'll
need to re-enroll computers to create the account.
Copy the Invitation ID for use in the policy later.
3. Create a smart computer group named something like:
"All computers with LAPS management account"
Set its criteria to:
"Managed By is LAPSusername".
Replace "LAPSusername" with the username of your managed local
administrator account from User-Initiated Enrollment.
4. Add the script to a new policy named something like "Re-enroll computers
for LAPS".
Set the three script parameters:
Organization Name (e.g., "My Example Company")
Organization Reverse Domain (e.g., "com.example")
Enrollment Invitation (e.g., "124632841331503686010851388828066332132")
Enable the policy to trigger at Recurring Check-In with a frequency of
Once Per Computer.
Scope the policy:
Set Target to "All Computers"
Set Exclusions to your new smart computer group from step 3.
After a computer checks in and completes the policy, the computer record
should show a jamf binary account for "Managed Local Administrator Accounts"
and fall out of scope for the policy.
(Note: The policy logs will never report the policy has completed unless it
generates an error.)
Except where otherwise noted, this work is licensed under
http://creativecommons.org/licenses/by/4.0/.
"Someone will solve a problem, if he finds the problem interesting."
— Tim O'Reilly
-------------------------------------------------------------------------------
ABOUT_THIS_SCRIPT
# script parameters from the Jamf Pro policy
organizationName="$4"
organizationReverseDomain="$5"
enrollmentInvitation="$6"
# re-enroll the computer using the invitation passed in as parameter 6
/usr/local/bin/jamf enroll -invitation "$enrollmentInvitation" -noRecon -noManage -noPolicy
exitStatus="$?"
# if re-enrollment failed, report this to the policy log and exit the script
if [[ "$exitStatus" != 0 ]]; then
exit "$exitStatus"
fi
# create organization folder if necessary to house the jamf-recon.zsh script
/bin/mkdir -p "/Library/$organizationName"
# create jamf-recon.zsh script
tee "/Library/$organizationName/jamf-recon.zsh" << EOF
#!/bin/zsh
# update Jamf Pro inventory
/usr/local/bin/jamf recon
# delete this script
/bin/rm "/Library/$organizationName/jamf-recon.zsh"
# attempt to delete enclosing directory
/bin/rmdir "/Library/$organizationName"
# delete the launch daemon plist
/bin/rm "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist"
# kill the launch daemon process
/bin/launchctl remove "$organizationReverseDomain.jamf-recon"
exit 0
EOF
# set correct ownership and permissions on jamf-recon.zsh script
/usr/sbin/chown root:wheel "/Library/$organizationName/jamf-recon.zsh" && /bin/chmod +x "/Library/$organizationName/jamf-recon.zsh"
# create $organizationReverseDomain.jamf-recon.plist launch daemon
tee "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>PATH</key>
<string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
</dict>
<key>Label</key>
<string>$organizationReverseDomain.jamf-recon</string>
<key>ProgramArguments</key>
<array>
<string>/bin/zsh</string>
<string>-c</string>
<string>"/Library/$organizationName/jamf-recon.zsh"</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>1</integer>
</dict>
</plist>
EOF
# set correct ownership and permissions on launch daemon
/usr/sbin/chown root:wheel "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" && /bin/chmod 644 "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist"
# load the launch daemon (RunAtLoad starts it) and kick it off by label;
# launchctl start takes the daemon label, not the path to the plist
/bin/launchctl bootstrap system "/Library/LaunchDaemons/$organizationReverseDomain.jamf-recon.plist" && /bin/launchctl start "$organizationReverseDomain.jamf-recon"
exit 0
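The three policy parameters above end up in file system paths and in a launchd label, and a leftover copy of jamf-recon.zsh or its plist from an earlier run means the one-second StartInterval loop may still be active. The following is an added example, not part of the gist, of the pre-flight checks a practitioner would run before the re-enrollment line: validating the parameters and detecting stale artifacts. The function names, the optional root-directory argument (used so the check can be exercised against a temporary tree) and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of the original gist): sanity checks for the three
# policy parameters and a check for artifacts left behind by an earlier run.
# Function names, the optional ROOT argument and sample values are assumptions.

# Return 0 when the three parameters are usable, 1 otherwise.
#   $1 organization name     (becomes a directory under /Library)
#   $2 reverse domain        (becomes the launch daemon label prefix)
#   $3 enrollment invitation (numeric ID from Computers > Enrollment Invitations)
validate_params() {
    org="$1"; rdomain="$2"; invitation="$3"
    # The organization name is used as a path component, so it must be
    # non-empty and must not contain a slash or be "." / "..".
    case "$org" in
        ''|*/*|.|..) echo "invalid organization name: '$org'" >&2; return 1 ;;
    esac
    # The reverse domain becomes the launchd label prefix: allow only
    # letters, digits, hyphens and dots, and require at least one dot.
    case "$rdomain" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*)
            echo "invalid reverse domain: '$rdomain'" >&2; return 1 ;;
        *.*) ;;
        *) echo "invalid reverse domain: '$rdomain'" >&2; return 1 ;;
    esac
    # Invitation IDs are long decimal strings; reject anything else.
    case "$invitation" in
        ''|*[!0-9]*) echo "invalid enrollment invitation" >&2; return 1 ;;
    esac
    return 0
}

# Print the launch daemon label the re-enrollment script will create.
daemon_label() {
    printf '%s.jamf-recon\n' "$1"
}

# Return 0 if artifacts from a previous run are still on disk (the recon
# script or its launch daemon plist), 1 if the system is clean. $3 is an
# optional root directory (default: the real file system root).
stale_artifacts_present() {
    org="$1"; rdomain="$2"; root="${3:-}"
    script_path="$root/Library/$org/jamf-recon.zsh"
    plist_path="$root/Library/LaunchDaemons/$(daemon_label "$rdomain").plist"
    if [ -e "$script_path" ] || [ -e "$plist_path" ]; then
        echo "stale artifacts present: $script_path or $plist_path" >&2
        return 0
    fi
    return 1
}

# Usage inside the policy script, before the jamf enroll line:
#   validate_params "$4" "$5" "$6" || exit 1
#   if stale_artifacts_present "$4" "$5"; then exit 1; fi
```

Running the stale-artifact check against a temporary root lets you confirm the detection logic without touching /Library; in production, call it with two arguments so it inspects the real paths the policy writes to.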
@simonep69

I'm having an issue with the script. It is functioning for the creation of the management acct; however, it is assigning the asset in JAMF to me. I'm assuming this has to do with the invitation enrollment. We are using this script to re-enroll all our assets so they will have the LAPS acct. I'm assuming I do not have to provide all the users' email addresses in the organization to accomplish that.

Any help would be greatly appreciated.

@talkingmoose
Author

@simonep69 You don't need to provide a real email address when creating an enrollment invitation. All you're after is the enrollment invitation itself (the string of characters that looks like "124632841331503686010851388828066332132").

As far as I recall, the enrollment invitation isn't associated with any specific user. You may have an unrelated process that's associating you with the computer.

@rougegoat

I can confirm that happens in our environment as well. I usually fix it by running something like jamf recon -username $LocalUserName afterwards.

@jlewisasd

I am seeing an odd issue with running this script. I recently changed my local admin account in the User-Initiated Enrollment tab in Settings, Computer tab, "Create local administrator account", from localadmin1 to localadmin2, and when I wipe devices they get the new localadmin2 account during enrollment. But if I run this script on devices already in production, they get the localadmin1 account. I even deleted the computer object out of Jamf, disabled the local admin account setting, wiped the device, re-enrolled the device, and then renamed the local admin account setting back to localadmin2 and reran the script, and it still gets localadmin. I am not seeing anything in the script that specifies that account, so I am not sure why it's still using the old account and not the new one even though it's set in Settings.

@jlewisasd

I figured out the issue: I had to recreate the Invitation ID. Once that was recreated, my new account started getting created.
