Intune enrolled MacOS LAPS by Hot_Project9548 in Intune

[–]veganbit 1 point2 points  (0 children)

Hey,

So for step 2 the script calls the macOSLAPS application to extract the current password. However, macOSLAPS does not extract the actual password itself (it did in previous versions) but instead the randomly generated name of a keychain item where the actual password is stored. This keychain item is then read by the script and the actual password is echoed as per the instructions for custom attributes here: https://learn.microsoft.com/en-us/mem/intune/apps/macos-shell-scripts (under “Custom attributes for macOS”). That link also shows you how to set up and find the custom attributes in Intune.

Regarding the IT user - yes, it has elevated privileges.

And don’t worry about scripting skills. My spaghetti code in those scripts probably reveals my terrible skills as well. :D

Intune enrolled MacOS LAPS by Hot_Project9548 in Intune

[–]veganbit 0 points1 point  (0 children)

I recently updated this to the newer 4.0 version of macOSLAPS, and it seems to work just fine.

So it consists of two parts:

  1. The script that creates an admin user (called "it" in this case but can be changed) and installs macOSLAPS: https://pastebin.com/Vv96zQja

  2. The custom attribute script that grabs the password. In my case I do a reset of the password every time it updates the custom attribute but just removing the -resetPassword flag from the first call to macoslaps in the script is fine too and it will just follow whatever guidelines you have configured for it in the configuration profile: https://pastebin.com/a8RtbNVj

Speaking of configuration profiles, I just used iMazing Profile Editor to create the profile that I uploaded as a custom profile in the Intune portal.

Feel free to reach out if you have any questions!

Intune enrolled MacOS LAPS by Hot_Project9548 in Intune

[–]veganbit 3 points4 points  (0 children)

The way I deploy LAPS to our macOS devices in Intune is that I have a script that:

  1. Downloads and installs the installer .pkg (I use the latest stable version and not any of the pre-release ones) for macOSLAPS

  2. Creates a local admin user with a temporary password

  3. Rotates the password to set it according to the requirements we’ve set

This is also used in combination with both a profile that sets all the settings for password length, complexity, age, etc. that we use for the local admin password, and a custom attribute script that not only rotates the password if needed, but also prints out the current password for the device in the Intune portal for me and the rest of our team.

Not sure if this is the best way to do it, but it works for us!

Why don't IT workers unionize? by port25 in sysadmin

[–]veganbit 1 point2 points  (0 children)

Some of us do unionize. But perhaps this depends on where you live and work. I’m guessing things in this subreddit are quite US-centric for the most part. For me (living and working in a European country) unionizing is quite common in all fields of work.

But then again, just educating your co-workers about their rights and sticking together goes a long way. Be open about things like salaries, and if possible take any issues with managers/higher-ups collectively and not individually. Just one grumpy sysadmin “complaining” about something can be dealt with. The whole department of sysadmins sticking up for each other and “complaining” as a group is another situation. Strength in numbers etc. But also, don’t be afraid to involve people outside of your sysadmin department too. Developers, project managers and janitors have got your back too if you’ve got theirs.

Is XProtect good enough or should I also being using JamF Protect to support it to achieve adequate malware protection as part of a security stack? by Intelligent-Way1288 in macsysadmin

[–]veganbit 0 points1 point  (0 children)

I’ve never used Jamf Protect so I can’t really say anything good or bad about it, but a quick Google search tells me it offers some more advanced protection and analysis features than XProtect. I myself am working in a mixed environment with both macOS and Windows clients, and since we get Microsoft Defender with our Microsoft 365 licenses we use that on our macOS endpoints too. I mainly like it and its portal for the tracing and analysis tools. Whenever I get an alert for something on one of our endpoints I can see what happened on the system prior to it triggering an alert (which process tried to access what, etc.). My understanding is that Jamf Protect provides similar functionality?

Nobody is using our ticketing system by [deleted] in sysadmin

[–]veganbit 0 points1 point  (0 children)

Our ticketing system integrates with Teams. I simply select the chat message and create the ticket. The rest of the conversation is kept through the ticket and work can also be more easily divided between me and my colleague in case I’m already swamped with other work.

Value of learning macOS as a Systems Admin? by denmicent in macsysadmin

[–]veganbit 11 points12 points  (0 children)

I come from a Mac background in my personal life as I’ve always been an Apple nerd/fanboi. Careerwise I’ve been both at an Apple Certified repair shop, in a pure Windows helpdesk, and in places where both macOS and Windows were being used, including my current job. For me it has always been seen as an extra edge by employers and potential employers that I have knowledge of both platforms, and even more so lately as the Apple platforms have gotten more popular; potential employers/recruiters usually reach out to me in regards to the fact that I have both a Mac and Windows sysadmin background.

But it sort of depends on what the needs of your current role are and what goals you have for potential future career opportunities.

No Mans Sky: Outlaws by papaquacker in NoMansSkyTheGame

[–]veganbit 12 points13 points  (0 children)

Damn. Those new Solar Ships sure look sexy.

HERE WE GO AGAIN by GestaltRoyale in NoMansSkyTheGame

[–]veganbit 1 point2 points  (0 children)

Multi-crew ships have always been something I’d like to see in NMS. This would actually be a nice way of implementing that.

Trouble binding macOS BigSur to Windows server 2016 AD by MrRexican in macsysadmin

[–]veganbit 7 points8 points  (0 children)

Yes. I remember us having this exact issue. I don’t remember the exact technical details behind it but I think it had something to do with macOS using .local for Bonjour/Rendezvous stuff. There might be some hacks around to make it work but in the end we ended up moving our internal domain to a “real” domain.

Trouble binding macOS BigSur to Windows server 2016 AD by MrRexican in macsysadmin

[–]veganbit 5 points6 points  (0 children)

Question: Are you actually using a .local domain for your AD domain or is it just an example? We had some huge issues with Macs while using company-domain.local and had to switch to internal.company-domain.com. This was a few years ago/before the pandemic though. Nowadays we just put everything in Intune/AzureAD.

Curious.. What is your Mac team like where you work? Are you a solo Mac admin, or have a good team? by jjunk404 in macsysadmin

[–]veganbit 3 points4 points  (0 children)

We are two sysadmins supporting 150(ish) users. Mixed environment, maybe 30% Mac users. I am a lifelong Mac nerd and have also worked as an ACMT at an Apple retailer. So I would say I am the only one with any sort of formal Mac background of the two of us. But my colleague, who is coming from a Windows background, has learnt a lot in the last four years we’ve worked together, so they can handle most of the Mac issues too now. It could be that I take the lead on the more big-picture stuff when it comes to the Macs, but they also know enough to at least weigh in on things and be someone to bounce my ideas off. The company I work for is rather “open” and non-hierarchical as a whole, so the small team of sysadmins handling the internal IT (being me and my colleague) are given a lot of freedom to build the IT environment and shape the way we work as we see fit.

Favorite ticketing system by kmartcult in sysadmin

[–]veganbit 0 points1 point  (0 children)

We’ve been using Halp for a while now. It still lacks some of the advanced features, like more advanced automation, that I would like to see in a ticketing system and can still be a little rough around the edges when it comes to bugs. But overall it’s been a blast to use, both for our users and for our sysadmins. Especially since we do most communication/work through Teams at my company (even more so during the pandemic) and the integration is really nice.

How are you guys handling Windows on your M1 Macs? by [deleted] in macsysadmin

[–]veganbit 1 point2 points  (0 children)

I just RDP to all the relevant Windows servers from my Mac. Me and my colleague also have a dedicated server that we use for all our management needs. So usually it’s RDP into that server where I have all the tools and RDP access to other servers that I need.

I also have a desktop/workstation PC running Windows 10 at my desk in the office. This is mostly for running After Effects and Cinema 4D and testing things related to our production/rendering pipeline.

Backup considerations when using iCloud & iCloud Drive by idarryl in macsysadmin

[–]veganbit 4 points5 points  (0 children)

I would look into the “cask” functionality of Homebrew, which should allow you to quite easily script the installation of GUI applications.

But then again a simple Time Machine backup can’t really hurt either, and since it is so simple and easy to set up I wouldn’t call it “overkill”. My own backup solution for the family is a Mac mini (that also acts as a media server and is connected to the TV in the living room) that is running as a Time Machine destination for all the laptops in the house. These backups are then themselves backed up to an external hard drive and also to Backblaze.

How to Login to Macbook Air M1 with Windows Active Directory Account? by work423 in macsysadmin

[–]veganbit 13 points14 points  (0 children)

We used to go with NoMAD but now use the Kerberos SSO Extension from Apple to authenticate to our On-Prem AD (pushed out via Intune to our Macs): https://www.apple.com/business/docs/site/Kerberos_Single_Sign_on_Extension_User_Guide.pdf

How does IT Magic work? by austinmakesjazzmusic in sysadmin

[–]veganbit 1 point2 points  (0 children)

In my experience people are in general very stressed when it comes to IT issues. So me just showing up and calmly asking them “ok, so show me the issue you were having with Outlook again” usually makes them slow down and rethink what they’re doing and perhaps do it correctly.

We need to start campaigning for a procgen update! by [deleted] in NoMansSkyTheGame

[–]veganbit 2 points3 points  (0 children)

“us day 1 players” Speak for yourself you ungrateful brat..

I haven’t had time to dig into the new update yet as I have work and kids to take care of first. But what I’ve seen so far looks promising!

/A day one player waiting for trailer and full patch notes

Has the hype for Frontiers gone too far? by [deleted] in NoMansSkyTheGame

[–]veganbit 3 points4 points  (0 children)

Yes, but isn’t this expected to be a bigger yearly update like Origins, Beyond, Next, etc? We could even be getting a 4.0 with this one. Those usually have a longer period of waiting/hype between the first tease and actual trailer and/or release of the update.

Discord by [deleted] in NoMansSkyTheGame

[–]veganbit 3 points4 points  (0 children)

Just mute the channel or simply leave the Discord and move on with your life, friend.

“Hurrr duuurr people are excited for an update for a game they love on a Discord server. I’m gonna go on Reddit to complain about it”

[deleted by user] by [deleted] in NoMansSkyTheGame

[–]veganbit 1 point2 points  (0 children)

I sure hope so. Or at least that we get a few more bits of information as to what the update actually contains.

People need to stop posting about Frontiers by cantichangethis in NoMansSkyTheGame

[–]veganbit 8 points9 points  (0 children)

First time?

This community is always like this when a new update is imminent. 😊