Swiftpack.co - Package - joshua-d-miller/macOSLAPS

macOS LAPS (Local Administrator Password Solution)

Swift binary that utilizes Open Directory to determine if the local administrator password has expired as specified by the Active Directory attribute dsAttrTypeNative:ms-Mcs-AdmPwdExpirationTime. If this is the case then a new randomly generated password will be set for the local admin account and a new expiration date will be set. The LAPS password is stored in the Active Directory attribute dsAttrTypeNative:ms-Mcs-AdmPwd. This attribute can only be read by those designated to view the attribute. The computer record can write to this attribute but it cannot read.
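The expiry decision described above hinges on the fact that ms-Mcs-AdmPwdExpirationTime holds a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) rather than a Unix epoch value. The following is an added Python example, not code from macOSLAPS, that converts that format and reproduces the decision the binary has to make, including the "invalid expiration on a newly bound machine" case from the release notes; how that case shows up here (a missing, non-numeric or non-positive attribute value) is an assumption of this example, as are the function names and the sample timestamps.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# ms-Mcs-AdmPwdExpirationTime is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC,
# not a Unix epoch value (the "Windows has its own time method" point in the credits).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MICROSECOND = 10

# Constructed "current time" for the demonstration (the 1.1.1 release date).
SAMPLE_NOW = datetime(2019, 2, 7, 12, 0, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert FILETIME ticks to an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware datetime back to FILETIME ticks."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * TICKS_PER_MICROSECOND


def parse_expiration(raw: Optional[str]) -> Optional[datetime]:
    """Parse the attribute as the directory returns it (a decimal string), or None if absent.

    Assumption: a missing, non-numeric or non-positive value is what the release notes'
    newly-bound "01/01/0001" expiration looks like, so it is reported as invalid.
    """
    if raw is None:
        return None
    try:
        ticks = int(raw.strip())
    except ValueError:
        return None
    if ticks <= 0:
        return None
    return filetime_to_datetime(ticks)


def evaluate(raw: Optional[str], now: datetime, days_till_expiration: int = 60) -> Tuple[str, int]:
    """Decide what a run should do and return (status, expiration_filetime).

    'valid'   -> leave the password alone; the current expiration is returned unchanged.
    'expired' -> rotate the password and write now + DaysTillExpiration back to AD.
    'invalid' -> same rotation, but a test write to the DC should precede it, because the
                 stored expiration cannot be trusted to prove the record is writable.
    """
    current = parse_expiration(raw)
    next_expiration = datetime_to_filetime(now + timedelta(days=days_till_expiration))
    if current is None:
        return "invalid", next_expiration
    if now >= current:
        return "expired", next_expiration
    return "valid", datetime_to_filetime(current)


def sample_attribute(now: datetime, days_offset: int) -> str:
    """Constructed attribute value (decimal string) for now + days_offset."""
    return str(datetime_to_filetime(now + timedelta(days=days_offset)))


if __name__ == "__main__":
    for raw in (sample_attribute(SAMPLE_NOW, -30), sample_attribute(SAMPLE_NOW, 10), "0", None):
        status, ticks = evaluate(raw, SAMPLE_NOW)
        print(f"{raw!r:>22} -> {status:8} expiration {filetime_to_datetime(ticks):%Y-%m-%d %H:%M} UTC")
```

The status values are the three branches a LAPS client has to handle; treating an unparseable expiration as a rotation trigger rather than an error is what keeps a freshly bound machine from sitting on a known initial password indefinitely.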

Requirements

The following preference keys must be set or the application will use the defaults:

LocalAdminAccount - Local Administrator Account. Default is 'admin'. (In String format)
DaysTillExpiration - Expiration date of random password. Default is 60 Days. (In Integer format)
PasswordLength - Length of randomly generated password. Default is 12. (In Integer format)
RemoveKeyChain - Remove the local admin keychains after password change. (In Boolean format, recommended)
RemovePassChars - Exclude any characters you'd like from the randomly generated password. (In String format)
ExclusionSets - Exclude any character set you'd like by specifying a string in an array (Example: "symbols").
PreferredDC - Set your preferred Domain Controller to connect to [Useful when you have RODCs]. (In String format)
FirstPass - Use this key if your LAPS admin is a FileVault user. The script will read this key in if there isn't a keychain entry in the System keychain for macOSLAPS. Once this has been completed, the keychain entry will then be used.

NOTE about FirstPass: macOSLAPS must know at least one password via config profile before we can start the keychain process. Setting this key to your temporary admin password before running macOSLAPS for the first time is the best method.

These parameters are set in the location /Library/Preferences/edu.psu.macoslaps.plist or you can use your MDM's Custom Settings to set these values.
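Since the preference keys are typed (a string where an integer is expected is silently wrong from the binary's point of view), it is worth validating a payload before deploying it. This is an added Python example, not part of macOSLAPS, that type-checks a settings dictionary against the documented keys, serializes it with plistlib to the XML plist the binary reads, and shows the effective configuration after the documented defaults are applied. The key names, defaults and the file path are the ones stated in this README; the validation rules themselves (for example rejecting non-positive lengths) are this example's assumptions.

```python
import plistlib
from typing import Any, Dict, List

# Preference file the README says macOSLAPS reads; an MDM custom-settings payload is equivalent.
PREFERENCE_PATH = "/Library/Preferences/edu.psu.macoslaps.plist"

# Expected value type for each documented key (the README's "In String/Integer/Boolean format").
KEY_TYPES: Dict[str, type] = {
    "LocalAdminAccount": str,
    "DaysTillExpiration": int,
    "PasswordLength": int,
    "RemoveKeyChain": bool,
    "RemovePassChars": str,
    "ExclusionSets": list,
    "PreferredDC": str,
    "FirstPass": str,
}

# Defaults the README states; keys without a documented default are simply absent when unset.
DOCUMENTED_DEFAULTS: Dict[str, Any] = {
    "LocalAdminAccount": "admin",
    "DaysTillExpiration": 60,
    "PasswordLength": 12,
    "RemoveKeyChain": True,  # README: the local admin keychain is deleted by default
}


def validate(settings: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the dictionary is well formed."""
    problems: List[str] = []
    for key, value in settings.items():
        expected = KEY_TYPES.get(key)
        if expected is None:
            problems.append(f"{key}: not a macOSLAPS preference key")
            continue
        # bool is an int subclass in Python, so reject True/False where an integer is wanted
        if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
            problems.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
            continue
        if key == "ExclusionSets" and not all(isinstance(item, str) for item in value):
            problems.append("ExclusionSets: every entry must be a string")
        if key in ("DaysTillExpiration", "PasswordLength") and value <= 0:
            problems.append(f"{key}: must be positive")  # example's own rule (assumption)
    return problems


def build_plist(settings: Dict[str, Any]) -> bytes:
    """Validate and serialize the settings as an XML property list."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    return plistlib.dumps(settings, fmt=plistlib.FMT_XML, sort_keys=True)


def effective_settings(plist_bytes: bytes) -> Dict[str, Any]:
    """What the binary acts on: the file's keys layered over the documented defaults."""
    merged = dict(DOCUMENTED_DEFAULTS)
    merged.update(plistlib.loads(plist_bytes))
    return merged


if __name__ == "__main__":
    # Constructed sample configuration; "dc01.example.com" is a placeholder hostname.
    payload = build_plist({
        "LocalAdminAccount": "lapsadmin",
        "PasswordLength": 20,
        "ExclusionSets": ["symbols"],
        "PreferredDC": "dc01.example.com",
    })
    print(payload.decode())
    print(effective_settings(payload))
    # To deploy locally (as root): open(PREFERENCE_PATH, "wb").write(payload)
```

FirstPass is deliberately left out of the sample payload: it is a real credential, so if it is set at all it belongs in a managed configuration profile that is removed once the System keychain entry exists, not in a file that lingers on disk.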

NOTE: The Swift binary will most likely only work on macOS 10.10+. If you need to run LAPS on older versions of macOS please use the legacy version of macOSLAPS written in Python here

Exclusions

As pointed out by one of my fellow colleagues, the ' key on macOS cannot be used on Windows without opening the character map to enter it. Since this is very detrimental to using a LAPS password from a Windows client, I have excluded this character by default.
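To show how the three password-shaping settings (PasswordLength, ExclusionSets, RemovePassChars) and the default apostrophe exclusion combine, here is an added Python example; it is not the project's generator. The "symbols" set name comes from the README, the other set names and the function names are this example's assumptions, and it also implements the generate-ten-pick-one step mentioned in the credits.

```python
import math
import secrets
import string
from typing import Iterable

# Character classes; "symbols" is the README's ExclusionSets example, the other names are assumed.
CHARACTER_SETS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

# Excluded by default: the README removes ' because a Windows client cannot type it directly.
DEFAULT_REMOVED_CHARS = "'"


def build_alphabet(exclusion_sets: Iterable[str] = (), remove_pass_chars: str = "") -> str:
    """Apply ExclusionSets (drop whole classes) and RemovePassChars (drop single characters)."""
    excluded = set(exclusion_sets)
    unknown = excluded - set(CHARACTER_SETS)
    if unknown:
        raise ValueError(f"unknown character set(s): {sorted(unknown)}")
    removed = set(DEFAULT_REMOVED_CHARS) | set(remove_pass_chars)
    alphabet = "".join(
        ch
        for name, chars in CHARACTER_SETS.items() if name not in excluded
        for ch in chars if ch not in removed
    )
    if not alphabet:
        raise ValueError("exclusions leave no characters to choose from")
    return alphabet


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of one uniformly drawn password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def generate_password(length: int = 12, exclusion_sets: Iterable[str] = (),
                      remove_pass_chars: str = "", candidates: int = 10) -> str:
    """Draw `candidates` passwords with the OS CSPRNG (secrets) and pick one of them at random."""
    if length <= 0:
        raise ValueError("PasswordLength must be positive")
    alphabet = build_alphabet(exclusion_sets, remove_pass_chars)
    pool = ["".join(secrets.choice(alphabet) for _ in range(length)) for _ in range(candidates)]
    return secrets.choice(pool)


if __name__ == "__main__":
    # Constructed settings: no symbols, and drop characters that are easy to misread over the phone.
    alphabet = build_alphabet(["symbols"], remove_pass_chars="lIO0")
    print("alphabet size:", len(alphabet), "entropy at 20 chars: %.1f bits" % entropy_bits(20, alphabet))
    print("sample:", generate_password(20, ["symbols"], "lIO0"))
```

Two points worth keeping in mind when tuning these keys: every exclusion shrinks the alphabet, so check entropy_bits after configuring them and raise PasswordLength to compensate, and picking one of ten CSPRNG-generated candidates yields the same distribution as a single draw, so the strength comes from the length and alphabet, not from the extra selection step.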

Installation Instructions

At this time you can clone the repo or download a zip of the repo or you can use the package created using Packages to install. The package includes a Launch Daemon to run macOSLAPS every 90 minutes.

Usage

macOSLAPS is designed to run in an automated fashion (e.g. triggered by a Launch Daemon or your management tool of choice). It can be invoked manually at the command line by running /usr/local/laps/macOSLAPS as root.

Optional Flags

-resetPassword - generates a new password and writes it to the Active Directory computer record.
-version - prints out the current version of macOSLAPS.

Logging

The script will also perform logging so that you know when the password is changed and its new expiration date or when the current unchanged password will expire. This file is stored in /Library/Logs/macOSLAPS.log

Feedback

Since this is a binary, it can be signed which means that the code itself will not display when viewing the executable. Please test this new version and report back results.

Local Admin Keychain

By default, the local admin you choose has its keychain deleted since we wouldn't know the randomized password.

Credits

  • Rusty Myers - For helping to determine that Windows has its own time method vs Epoch time
  • Matt Hansen - For critiquing and assisting with generating the random password
  • Allen Clouser and Jody Harpster - For showing me that the ' key cannot be used from a Windows client without character map
  • John Pater - For advising me on the idea of generating 10 random passwords and picking one randomly to further randomize the password
  • Joel Rennich - For taking my questions about Swift and advising me on better ways to utilize Swift. Another special thanks to Joel for advising me on saving the password in the System keychain to deal with secureToken.
  • Peter Szul - For working with me to determine the initial date set by a newly bound computer is invalid and we need to test writing to the Domain Controller with another value for the first run.


Releases

1.1.1(223) - Feb 7, 2019

Welcome to the latest release of macOSLAPS. I have highlighted the fixes and new features below: Note: Seems like the package didn't build right so I'm reuploading the pkg. Same version.

Changes in 1.1.1 Build 223:

  • secureToken/FileVault Support
    • With this release, the secureToken admin can be updated. In order to achieve this, we will now be writing the randomized password to the System keychain. To utilize this feature you will need to specify the FirstPass property in your configuration profile with the password that is initially set for the admin user with a secureToken. This will be read in once; from that point forward, the System keychain entry will be used. Additionally, I have implemented a check for secureToken when macOS is 10.13.x or later. On older versions of macOS we check to make sure the user is a FileVault user, so being able to use your LAPS admin on any version of macOS 10.10 or higher should be possible.
  • Preferred Domain Controller
    • You can now specify a domain controller in macOSLAPS by adding the PreferredDC property to your configuration profile. This will then connect to this particular server when performing the password change.
  • Writable DC Check Fixed
    • Thanks to Peter Szul from the MacAdmins Slack, it was determined that when a machine is newly bound, the expiration time is an invalid date of 01/01/0001 12:00:00 AM. Since this will obviously fail, I have gone ahead and implemented an additional check when this happens to try writing a burner password, since we will be changing the password anyway.
  • New check version option
    • You can now check the version of macOSLAPS by running /usr/local/laps/macOSLAPS -version

Please test in your environment and please let me know on the #macosLAPS Slack if you run into any issues.

1.0.6(205) - Feb 1, 2019

This is a newly built release candidate for macOSLAPS

Changes in 1.0.6 Build 205:

  • secureToken Support
    • With this release the secureToken admin can be updated. In order to achieve this, we will now be writing the randomized password to the System keychain. To utilize this feature you will need to specify the FirstPass property in your configuration profile with the password that is initially set for the admin user with a secureToken. This will be read in once; from that point forward, the System keychain entry will be used.
  • Preferred Domain Controller
    • You can now specify a domain controller in macOSLAPS by adding the PreferredDC property to your configuration profile. This will then connect to this particular server when performing the password change.
  • Writable DC Check Fixed
    • Thanks to Peter Szul from the MacAdmins Slack, it was determined that when a machine is newly bound, the expiration time is an invalid date of 01/01/0001 12:00:00 AM. Since this will obviously fail, I have gone ahead and implemented an additional check when this happens to try writing a burner password, since we will be changing the password anyway.

Please test in your environment and please let me know on the #macosLAPS Slack if you run into any issues.

1.0.5(78) - Nov 15, 2018

This new build has changed the keychain function to pull the NFSHomeDirectory attribute BEFORE appending the "/Library/Keychains" path, since some local admin accounts are not located in the "/Users" folder. This should solve issue #23.

Signing for the package as well as the binary has been changed to The Pennsylvania State University.

1.0.4(62) - Mar 9, 2018

This new build is a small update for the code to Swift 4 and should resolve issue #14. I have also added a check to make sure we can write to the directory by pulling the Expiration Time and then writing it back to the computer record as we should have write access to do so before performing the password change. I have also changed the password change logic to change the local admin password FIRST in Active Directory before changing it locally which should resolve issue #8. Please download and give this a try.

--Updated May 7, 2018 - Fixed a bug that would cause the executable to crash if Active Directory was not available because we are now specifying the direct path. Should address issue #17. Also added the new plist that will make it run every 90 minutes. Fixed small typos and made the Active Directory not available message report as error.

1.0.3 - Nov 16, 2017

A new build of macOSLAPS that should resolve issue #10. Thank you for the request @bartreardon! This also opens up the capability to receive additional command line arguments when running the executable.

The LAPS password can now be reset on demand by running macOSLAPS with the -resetPassword command argument.