Update LAPS Create & Cycle Password Script
PezzaD84 committed Jul 5, 2023
1 parent 8e54441 commit cff973f
Showing 1 changed file with 159 additions and 21 deletions.
180 changes: 159 additions & 21 deletions LAPS Create & Cycle Password Script
Expand Up @@ -2,8 +2,8 @@
#
# Author : Perry Driscoll - https://github.com/PezzaD84
# Created : 31/1/2022
# Updated : 16/2/2023
# Version : v2.2.1
# Updated : 29/6/2023
# Version : v2.2.2
#
############################################################################
# Description:
Expand Down Expand Up @@ -31,13 +31,125 @@
#
############################################################################

############################################################################
# Variables
############################################################################

LAPSLOG="/Library/.LAPS/Logs/LAPS.log"
DEVICE=`hostname`
serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')

############################################################################
# API Credentials
############################################################################

encryptedcreds="$5"

token=$(curl -s -H "Content-Type: application/json" -H "Authorization: Basic ${encryptedcreds}" -X POST "$6/api/v1/auth/token" | plutil -extract token raw -)

############################################################################
# Error checking
############################################################################

echo "Error checking any previous configuration....."

if [ -f "$LAPSLOG" ]; then
echo "Log found. Checking for previous failures....."

FailCheck=$(cat "$LAPSLOG" | grep -i fail)

if [[ $FailCheck == "" ]]; then
echo "No previous failures detected. Continuing LAPS Configuration....."
else
echo "Previous Failures found. Please investigate existing log files to avoid any future failures."
echo "Cleaning up previous failed deployment....."

############################################################################
# Extension Attribute Reset
############################################################################

############################################################################
# Reset cryptkey
############################################################################

echo "Resetting Encoded LAPS Password....."

cryptID=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/ExtensionAttributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i CryptKey | tr ':' ' ' | tr ',' ' ' | awk '{print $2}')

curl -s -X "PUT" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" \
-H "Content-Type: application/xml" \
-H "Accept: application/xml" \
-H "Authorization:Bearer ${token}" \
-d "<computer><extension_attributes><extension_attribute><id>$cryptID</id><name>LAPS CryptKey</name><type>String</type><value></value></extension_attribute></extension_attributes></computer>"

############################################################################
# Reset secret
############################################################################

echo "Resetting LAPS Secret key....."

secretID=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/ExtensionAttributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i secret | tr ':' ' ' | tr ',' ' ' | awk '{print $2}')

curl -s -X "PUT" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" \
-H "Content-Type: application/xml" \
-H "Accept: application/xml" \
-H "Authorization:Bearer ${token}" \
-d "<computer><extension_attributes><extension_attribute><id>$secretID</id><name>LAPS Secret</name><type>String</type><value></value></extension_attribute></extension_attributes></computer>"

############################################################################
# Reset rotation switch
############################################################################

echo "Resetting LAPS Rotation switch....."

resetID=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/ExtensionAttributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i Reset | tr ':' ' ' | tr ',' ' ' | awk '{print $2}')

curl -s -X "PUT" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" \
-H "Content-Type: application/xml" \
-H "Accept: application/xml" \
-H "Authorization:Bearer ${token}" \
-d "<computer><extension_attributes><extension_attribute><id>$resetID</id><name>LAPS Reset Password</name><type>String</type><value></value></extension_attribute></extension_attributes></computer>"

############################################################################
# LAPS Account Removal
############################################################################

if dscl . -list /Users | grep -x -i "$4"; then
echo "LAPS Account found. Removing account and associated files and folders now....."

echo "Removing $4 from admin users group....."
dseditgroup -o edit -d $4 -t user admin
sleep 2

echo "Removing $4 from the local device....."
dscl . -delete /Users/$4
sleep 2

echo "Removing $4 files and folders....."
rm -rf /Users/$4
sleep 2

stillExists=$(dscl . -list /Users | grep -x -i "$4")

if [[ $stillExists == "" ]]; then
echo "Success - LAPS Account has been removed and reset."
fi
else
echo "LAPS Account not found. Moving on....."
fi

echo "Creating new Log file and moving existing log file to failures folder."
mkdir -p /Library/.LAPS/Logs/Failures
sleep 1
mv "$LAPSLOG" /Library/.LAPS/Logs/Failures/LAPS-FAILURE.log
fi
else
echo "No previous log found. Starting initial setup....."
fi

############################################################################
# Initial Setup
############################################################################

if [ -f "$LAPSLOG" ]; then
echo "Log already exists. Continuing setup....."
Expand All @@ -50,25 +162,23 @@ else

if dscl . -list /Users | grep -x -i "$LAPSaccount"; then
echo "Local admin account already exists with the same name. Please rename your LAPSaccount or delete the local admin account before configuring LAPS."
echo "Local admin account already exists with the same name. Please rename your LAPSaccount or delete the local admin account before configuring LAPS." >> "$LAPSLOG"
osascript -e 'Display dialog "An account with the same name pre-exists on this device.\n\nPlease remove the existing local account or rename the LAPS account.\n\nExisting Account: '$LAPSaccount'" buttons {"Quit"} default button 1 with title "LAPS Setup failure" with icon alias "System:Library:CoreServices:CoreTypes.bundle:Contents:Resources:AlertStopIcon.icns"'
exit 1
fi

echo "Log does not exist. Creating Log now....."
echo "Log does not exist. Creating Log file now....."
mkdir -p /Library/.LAPS/Logs/
mkdir -p /Library/.LAPS/Logs/Failures
touch "$LAPSLOG"
echo "LAPS Log created. Continuing setup....."
echo "LAPS Log created. Continuing setup....."
echo "***** LAPS Account creation `date '+%d/%m/%Y %T'`"
echo "***** LAPS Account creation `date '+%d/%m/%Y %T'`" >> "$LAPSLOG"
fi

# API Credentials

encryptedcreds="$5"

token=$(curl -s -H "Content-Type: application/json" -H "Authorization: Basic ${encryptedcreds}" -X POST "$6/api/v1/auth/token" | plutil -extract token raw -)

############################################################################
# Random password to be used
############################################################################

length=$7

Expand All @@ -91,23 +201,32 @@ else
finalpass=$password
fi

############################################################################
# Random Secret used to Encrypt and Decrypt password
############################################################################

secret=$(openssl rand -base64 32 | cut -c -14 | tr -d \/ | tr -d //)

############################################################################
# Encrypt Random password
############################################################################

cryptkey=$(echo "$finalpass" | openssl enc -aes-256-cbc -md sha512 -a -salt -pass pass:$secret)

############################################################################
# Create local admin
############################################################################

if dscl . read /Groups/admin | grep $4; then
echo "$4 has already been created and is a local admin. Resetting local admin password...."
echo "$4 has already been created and is a local admin. Resetting local admin password...." >> "$LAPSLOG"

TITLE="LAPS Password Reset"

############################################################################
# Reset local admin password
############################################################################

token=$(curl -s -H "Content-Type: application/json" -H "Authorization: Basic ${encryptedcreds}" -X POST "$6/api/v1/auth/token" | grep 'token' | tr -d '"',',' | sed -e 's#token :##' | xargs)
serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/{print $4}')
OLDkey=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" -H 'Accept: application/json' -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep CryptKey | tr '"' ' ' | awk '{print $16}')
OLDsecret=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i SECRET | tr '"' ' ' | awk '{print $16}')
Expand All @@ -126,7 +245,9 @@ if dscl . read /Groups/admin | grep $4; then

rm -rf /Users/$4/Library/Keychains/*

############################################################################
# Check Password reset Extension attribute
############################################################################

resetStatus=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/ExtensionAttributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i Reset | tr '"' ' ' | awk '{print $17}')

Expand All @@ -145,16 +266,16 @@ if dscl . read /Groups/admin | grep $4; then
echo "EA to cycle LAPS password has not been specified"
echo "EA to cycle LAPS password has not been specified" >> "$LAPSLOG"
fi

else

echo "$4 does not exist. Creating local admin now"
echo "$4 does not exist. Creating local admin now" >> "$LAPSLOG"

TITLE="LAPS Account Created"

# Create LAPS Account

############################################################################
# Create LAPS Account
############################################################################

sudo sysadminctl \
-addUser $4 \
-fullName $4 \
Expand All @@ -169,8 +290,10 @@ if dscl . read /Groups/admin | grep $4; then
echo "LAPS Account created Successfully" >> "$LAPSLOG"
fi

############################################################################
# Create Setup Assistant suppress plist

############################################################################

echo "<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
Expand Down Expand Up @@ -198,14 +321,19 @@ echo "<?xml version="1.0" encoding="UTF-8"?>
</dict>
</plist>" > /Users/$4/Library/Preferences/com.apple.SetupAssistant.plist

############################################################################
# Set pemissions on setup assistant plist
############################################################################

chown $4: /Users/$4/Library/Preferences/com.apple.SetupAssistant.plist
chmod 644 /Users/$4/Library/Preferences/com.apple.SetupAssistant.plist

fi

############################################################################
# Upload cryptkey to device inventory

############################################################################

cryptID=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/ExtensionAttributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i CryptKey | tr ':' ' ' | tr ',' ' ' | awk '{print $2}')

curl -s -X "PUT" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" \
Expand All @@ -214,22 +342,30 @@ cryptID=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset
-H "Authorization:Bearer ${token}" \
-d "<computer><extension_attributes><extension_attribute><id>$cryptID</id><name>LAPS CryptKey</name><type>String</type><value>$cryptkey</value></extension_attribute></extension_attributes></computer>"

############################################################################
# Upload secret to device inventory

############################################################################

secretID=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/ExtensionAttributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i secret | tr ':' ' ' | tr ',' ' ' | awk '{print $2}')

curl -s -X "PUT" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" \
-H "Content-Type: application/xml" \
-H "Accept: application/xml" \
-H "Authorization:Bearer ${token}" \
-d "<computer><extension_attributes><extension_attribute><id>$secretID</id><name>LAPS Secret</name><type>String</type><value>$secret</value></extension_attribute></extension_attributes></computer>"


############################################################################
# Check LAPS details have been escrowed to Jamf
############################################################################
# Grab decryption key for password
############################################################################

cryptkey=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i CryptKey | awk -F '"value":"' '{print $2}' | awk -F '"' '{print $1}')

############################################################################
# Grab secret for decryption
############################################################################

secretkey=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subset/extension_attributes" -H "Accept: application/json" -H "Authorization:Bearer ${token}" | tr '{' '\n' | grep -i Secret | awk -F '"value":"' '{print $2}' | awk -F '"' '{print $1}')

ID=$(curl -s -X GET "$6/JSSResource/computers/serialnumber/$serial" -H 'Accept: application/xml' -H "Authorization:Bearer ${token}" | tr '<' '\n' | grep -m 1 id | tr -d 'id>')
Expand Down Expand Up @@ -263,8 +399,10 @@ secretID=$(curl -s -X "GET" "$6/JSSResource/computers/serialnumber/$serial/subse
RESULT="LAPS Configuration was successful"
fi

############################################################################
# Slack Notification

############################################################################

if [[ $9 == "" ]]; then
echo "No slack URL configured"
else
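Review bot: The account-removal branch added in the error-checking hunk (`@@ -31,13 +31,125 @@`) runs `dseditgroup -o edit -d $4`, `dscl . -delete /Users/$4` and `rm -rf /Users/$4` on whatever `$4` expands to, unquoted and with no check that the parameter was supplied; an empty value is usually skipped only because `grep -x -i "$4"` matches nothing, while a value with spaces or glob characters still word-splits into the `rm -rf` argument list. Add a guard next to the other variables, `: "${4:?LAPS account name (\$4) is required}"`, and quote the destructive expansions, e.g. `rm -rf -- "/Users/${4:?}"` and `dscl . -delete "/Users/$4"`. The same hunk also assigns `token` from the auth call without verifying it, so on a failed login every later `Authorization:Bearer ${token}` request proceeds with an empty bearer and the reset PUTs silently fail; `[[ -n "$token" ]] || { printf 'Failed to obtain API token\n' >&2; exit 1; }` directly after the `token=` line would surface that. The `FailCheck=$(cat "$LAPSLOG" | grep -i fail)` line can be `FailCheck=$(grep -i fail "$LAPSLOG")`, and `mv "$LAPSLOG" .../LAPS-FAILURE.log` overwrites the previous failure log on each run, which the "investigate existing log files" message presumes is retained.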
