This is a new test build of macOSLAPS with some new features:
Changes in 2.0.0(687):
- Local Only Mode - macOSLAPS now supports setting the Method key to either AD for Active Directory or Local. Local lets you use macOSLAPS in a local-only setting, which will not write to Active Directory. To compensate for this, users can afterwards run /usr/local/laps/macOSLAPS -getPassword, which will write the following files:
- /var/root/Library/Application Support/macOSLAPS-password
- /var/root/Library/Application Support/macOSLAPS-expiration
Your MDM can then read these files, when run as the root user, to report the password and its expiration date. When macOSLAPS runs again without the -getPassword argument, it will delete these files.
- Error Checking Improved - I believe I have improved error checking: should something go wrong in either the AD password change or the Local password change, the changes would be reverted and the application would exit.
- Bundle Identifier and Signing Certificate Rotation - A new helper called macOSLAPS-repair has been placed in the folder /usr/local/laps. It will be used to change the signing identity of the original binary once it has been given access to the keychain entry. This will allow us to change the signing identity from Mac Developer and a bundle identifier of $(PRODUCT_BUNDLE_IDENTIFIER) to Developer ID Application and edu.psu.macOSLAPS. This is more of an under-the-hood change, but it also allows for a more official signing.
- Universal - This build of macOSLAPS will run on either Apple Silicon or Intel macOS devices.
Please give this a try and let me know how it fares in your environment, and as always, if you have any questions or concerns, please be sure to let me know.
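The Local mode reporting flow described above, as an added example that is not part of the macOSLAPS project: a script an MDM could run as root that calls -getPassword and reports the two files only if each is a regular, non-empty, non-symlink file owned by root. The function names and the key=value output format are assumptions; adapt the output to what your MDM expects.

```shell
#!/bin/sh
# Added example (not macOSLAPS project code). Paths are taken from the release notes.
LAPS_BIN="/usr/local/laps/macOSLAPS"
LAPS_DIR="/var/root/Library/Application Support"

# check_file PATH EXPECTED_UID (hypothetical helper)
# Succeeds only for a regular, non-symlink, non-empty file owned by EXPECTED_UID.
check_file() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -s "$1" ] || return 1
    owner=$(ls -ln "$1" | awk '{print $3}')   # numeric owner uid
    [ "$owner" = "$2" ]
}

# read_laps_files DIR [EXPECTED_UID] (hypothetical helper)
# Prints "password=<value>" and "expiration=<value>" (output format is an assumption).
# Returns 1 without printing a value if either file fails validation.
read_laps_files() {
    dir=$1
    uid=${2:-0}   # default: files must be owned by root
    for name in password expiration; do
        f="$dir/macOSLAPS-$name"
        if ! check_file "$f" "$uid"; then
            echo "error=missing or untrusted file: $f" >&2
            return 1
        fi
        printf '%s=%s\n' "$name" "$(cat "$f")"
    done
}

# report: have macOSLAPS write the files, then validate and print them.
report() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "error=must run as root" >&2
        return 1
    fi
    # The exit status of -getPassword is not relied on; the files are validated instead.
    "$LAPS_BIN" -getPassword >/dev/null 2>&1
    read_laps_files "$LAPS_DIR"
}

# Only act on hosts where macOSLAPS is installed at the documented path.
if [ -x "$LAPS_BIN" ]; then
    report
fi
```

The password remains on disk in these files until macOSLAPS next runs without -getPassword, so schedule that run soon after the report is collected.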