Joshua D. Miller edited this page Dec 30, 2021 · 8 revisions

Getting Started with macOSLAPS

Overview

A Swift binary installed on local macOS clients that randomizes the password of a local administrator account on the device. It brings the functionality of LAPS for Windows to macOS clients.

Where to Download

A package installer is available under Releases.

Setup

Please see Active Directory Setup or Local / MDM Setup for information on configuring macOSLAPS for these environments.

Requirements

  • Operating System
    • macOS 10.12 or later is required for this binary to function. If you need to run LAPS on older macOS clients, it is recommended that you use the original project, macOSLAPS-Legacy.
  • Active Directory
    • Local Administrator Account - The name of the local administrator account you want to manage
    • Writable Domain Controller - Allows the computer to write the password and expiration to Active Directory
    • Connecting to AD via On Premise or VPN - Since macOSLAPS writes to Active Directory, the client must be able to reach your domain, either on premises or over VPN
  • Local
    • Local Administrator Account - The name of the local administrator account you want to manage
    • MDM - Needed as a place to store the password other than on the device itself

Installing

To install macOSLAPS, download the PKG file under Releases and install it on your macOS devices either manually or using your favorite deployment software. The following files are installed by the package:

File | Location | Purpose
---- | -------- | -------
macOSLAPS | /usr/local/laps | Main binary
macOSLAPS-repair | /usr/local/laps | Performs certificate rotation if needed
laps | /private/etc/paths.d | Allows macOSLAPS to be called from the terminal without typing the full file path
edu.psu.macoslaps-check.plist | /Library/LaunchDaemons | LaunchDaemon that runs the macOSLAPS binary every 90 minutes

Configure

To configure macOSLAPS for your environment please see the Configuration Keys Wiki Page.

Troubleshooting and Verifying

macOSLAPS includes built-in logging that records all events of the binary as it runs to the file /Library/Logs/macOSLAPS.log.
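The following verification script is an added example; it is not part of macOSLAPS or of this wiki. It checks that the files listed under Installing are present, asks launchd whether the check daemon is loaded, and prints the tail of /Library/Logs/macOSLAPS.log. The optional ROOT prefix argument, the laps_* function names, and the assumption that the launchd job label equals the plist file name (edu.psu.macoslaps-check) are assumptions of this example, not something the project documents.

```shell
#!/bin/sh
# Added verification script; it is not part of macOSLAPS. It checks for the
# files the package installs (as listed on this page), reports whether the
# LaunchDaemon is loaded, and shows the tail of the log.
# ROOT is an added convenience: a prefix such as a staging directory or a
# mounted image. Leave it empty on a live client.

# Files installed by the package: "path|purpose", one per line.
LAPS_INSTALLED_FILES="/usr/local/laps/macOSLAPS|Main binary
/usr/local/laps/macOSLAPS-repair|Certificate rotation helper
/private/etc/paths.d/laps|PATH entry so macOSLAPS can be run from the terminal
/Library/LaunchDaemons/edu.psu.macoslaps-check.plist|LaunchDaemon (runs the binary every 90 minutes)"

# Assumption: the launchd job label matches the plist file name.
LAPS_DAEMON_LABEL="edu.psu.macoslaps-check"
LAPS_LOG="/Library/Logs/macOSLAPS.log"

# laps_check_install [ROOT]: print one line per installed file and return
# the number of files that are missing (0 means the install looks complete).
laps_check_install() {
    root="${1:-}"
    missing=0
    # A here-document (not a pipe) keeps the loop in this shell so that
    # "missing" survives after the loop.
    while IFS='|' read -r path purpose; do
        [ -n "$path" ] || continue
        if [ -e "$root$path" ]; then
            printf 'ok       %s  (%s)\n' "$path" "$purpose"
        else
            printf 'MISSING  %s  (%s)\n' "$path" "$purpose"
            missing=$((missing + 1))
        fi
    done <<EOF
$LAPS_INSTALLED_FILES
EOF
    return "$missing"
}

# laps_daemon_status [ROOT]: return 0 if the LaunchDaemon plist is present.
# On a live client (empty ROOT) it also asks launchd whether the job is
# loaded; run it with sudo, since system daemons are not visible to a
# user's launchctl.
laps_daemon_status() {
    root="${1:-}"
    plist="$root/Library/LaunchDaemons/$LAPS_DAEMON_LABEL.plist"
    if [ ! -e "$plist" ]; then
        echo "LaunchDaemon plist not installed: $plist"
        return 1
    fi
    if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
        if launchctl list 2>/dev/null | grep -q "$LAPS_DAEMON_LABEL"; then
            echo "LaunchDaemon loaded: $LAPS_DAEMON_LABEL"
        else
            echo "LaunchDaemon plist present but job not loaded;"
            echo "try: sudo launchctl load $plist"
        fi
    fi
    return 0
}

# laps_log_tail [ROOT] [N]: print the last N (default 20) lines of the log.
# Returns 1 if the log does not exist yet, which is normal right after
# install until the daemon's first 90-minute run (or a manual run).
laps_log_tail() {
    root="${1:-}"
    n="${2:-20}"
    log="$root$LAPS_LOG"
    if [ ! -f "$log" ]; then
        echo "No log yet at $log"
        return 1
    fi
    tail -n "$n" "$log"
}

# Usage on a client:  sudo sh verify_macoslaps.sh run
# (set LAPS_ROOT to check a staging directory instead of the live system)
case "${1:-}" in
    run)
        laps_check_install "${LAPS_ROOT:-}" || echo "$? file(s) missing"
        laps_daemon_status "${LAPS_ROOT:-}"
        laps_log_tail "${LAPS_ROOT:-}" 20
        ;;
esac
```

Run it as root on the client (`sudo sh verify_macoslaps.sh run`), because a non-root `launchctl list` does not show system LaunchDaemons. A missing log immediately after installation is expected until the daemon's first run; once the job has fired, the log tail is the quickest way to confirm the password rotation and the write to AD or the MDM actually happened.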

Credits and Contributions

  • Rusty Myers - Collaborator in determining that there is a difference between Windows time and Epoch time
  • Matt Hansen - Collaborator in constructing the mechanism for generating a random password
  • Per Olofsson - Collaborator in constructing the new ISODate format for international dates and PasswordGrouping
  • Allen Clouser and Jody Harpster - Collaborators in testing and determining that the ' key is not on a Windows keyboard and is therefore removed by default
  • John Pater - Security Collaborator that came up with the idea of generating 10 passwords and then randomly choosing 1 of them
  • Joel Rennich - Security and OpenDirectory Contributor for assisting by taking questions and providing sample code for Changing the password in Active Directory and Saving the Password in the System keychain
  • Peter Szul - Quality Assurance Contributor who determined that we need to test that we can write to Active Directory before doing so
  • The MacAdmins Community - This project would not exist if it weren't for everyone in the MacAdmins community, who are all so friendly and willing to provide testing, insight and feedback on macOS management

Discussion

There is a #macOSLAPS channel on the MacAdmins Slack where you can ask questions and provide feedback.