Reset local admin password every 6 months

mcsoellner
New Contributor III

Hi everyone,

On all of our Mac computers, we have the same local admin account with the same password. We would like the password to change every 6 months and be randomly generated. I know I can do this with a policy; however, we would like the password to be different on every machine, and we would like to view the password the way we do the FileVault encryption key. I hope this makes sense.

Does anyone have any suggestions?


cbrewer
Valued Contributor II

You could probably write a script that generates a random password, sets that password on your admin account and then writes the password to an extension attribute. Or you may be able to build that entire workflow into the extension attribute itself.
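The workflow cbrewer describes, as an added example that is not cbrewer's code or any project's: a Jamf extension-attribute script that rotates the local admin password to a random per-Mac value once the last rotation is older than a configurable number of days (180 here for "every 6 months"), verifies the new password actually authenticates before reporting it, and emits the current value in the `<result>` tags Jamf reads for the EA. Everything specific here is an assumption: the account name `ladmin`, the state file `/var/root/.ladmin_rotation` whose mtime records the last rotation, and the `CURRENT_PW` environment variable used to supply the existing shared password on the first run.

```bash
#!/bin/bash
# Added example for this thread (not cbrewer's or any project's code): a Jamf
# extension-attribute script that rotates a shared local admin password to a
# random per-Mac value every N days and reports the current value as the EA.
# Assumptions (hypothetical): the account is "ladmin", the shared password in
# use before the first rotation arrives via the CURRENT_PW environment
# variable, and the last rotation is tracked by the mtime of a root-only file.

ADMIN_USER="${ADMIN_USER:-ladmin}"
PW_LENGTH="${PW_LENGTH:-20}"
ROTATE_DAYS="${ROTATE_DAYS:-180}"          # roughly 6 months
STATE_FILE="${STATE_FILE:-/var/root/.ladmin_rotation}"

# Minimal complexity check: length, plus at least one lower, upper and digit.
password_ok() {
  local pw="$1"
  [ "${#pw}" -ge 12 ] || return 1
  case "$pw" in *[a-z]*) ;; *) return 1 ;; esac
  case "$pw" in *[A-Z]*) ;; *) return 1 ;; esac
  case "$pw" in *[0-9]*) ;; *) return 1 ;; esac
  return 0
}

# Random password from /dev/urandom, restricted to characters that survive
# shell quoting and the EA field; retried until password_ok accepts it.
gen_password() {
  local len="${1:-20}" pw
  while :; do
    pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*' < /dev/urandom | head -c "$len")
    if password_ok "$pw"; then
      printf '%s' "$pw"
      return 0
    fi
  done
}

# True when no rotation has been recorded yet, or the last one is older than
# $2 days. find -mtime is used because stat(1) flags differ between macOS
# and Linux.
rotate_needed() {
  local state="$1" days="$2"
  [ -e "$state" ] || return 0
  find "$state" -mtime +"$days" 2>/dev/null | grep -q .
}

# Change the password using the old one (so the account keeps its Secure
# Token) and confirm the new one authenticates before it gets reported.
rotate_password() {
  local user="$1" old="$2" new="$3"
  dscl . -passwd "/Users/$user" "$old" "$new" || return 1
  dscl . -authonly "$user" "$new" || return 1
}

main() {
  local current="${CURRENT_PW:-}" new
  if [ -r "$STATE_FILE" ]; then
    current=$(cat "$STATE_FILE")          # password set by the previous rotation
  fi
  if rotate_needed "$STATE_FILE" "$ROTATE_DAYS"; then
    new=$(gen_password "$PW_LENGTH")
    if rotate_password "$ADMIN_USER" "$current" "$new"; then
      umask 077
      printf '%s' "$new" > "$STATE_FILE"   # root-only copy for the next run
      current="$new"
    else
      echo "<result>ROTATION FAILED on $(date)</result>"
      exit 1
    fi
  fi
  echo "<result>$current</result>"
}

# Only act when run as root on a Mac; otherwise the file just defines functions.
if [ "$(id -u)" -eq 0 ] && [ -x /usr/bin/dscl ]; then
  main
fi
```

Two caveats a practitioner will want: the password is verified with `dscl . -authonly` before the state file and the EA are updated, so a failed reset never leaves Jamf showing a password that does not work; and the value still lands in plain text in an EA and in a root-readable file on the Mac, so the EA needs to be restricted to the admins who are meant to see it, the same concern the Active Directory write-back approach later in this thread is meant to address.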

Cornoir
Contributor II

You might want to look at this LAPS solution:
https://github.com/unl/LAPSforMac

You could probably tweak it to run every 6 months. The LAPS password displays as an EA, and I have set up a FieldTechs account that only has access to show the computer info for our IT dept.

Kedgar
Contributor

@Cornoir that is super freaking cool... thanks for that link!!!!!!

Cornoir
Contributor II

Kedgar, also be aware that 90% of the work is done on the JSS; I hardly, if ever, touched the client Macs in the field.

kendalljjohnson
Contributor II

If you are AD bound and using LAPS for your Windows computers, check out Joshua Miller's project. Instead of having the password in plain text as an EA, it writes it back to AD in the same AD attribute that your Windows computers use, and it is accessible via the LAPS UI. I use the older Python script version with the variables set within a Jamf policy, but it's also available as a Swift project.

macOSLAPS

Cornoir
Contributor II

kendalljjohnson,
I looked at macOSLAPS before, and since it utilizes Open Directory I did not use it, as we do not have Open Directory set up where I am; otherwise, writing back to AD is a good option to have.

cbrewer
Valued Contributor II

@Cornoir

Adding some clarification to this thread. You do NOT need to run Open Directory to use macOSLAPS. The client-side application uses some OpenDirectory functions that are already part of macOS.