This is a new test build of macOSLAPS with some new features:
Changes in 2.0.0(698):
- Local Only Mode - macOSLAPS now supports setting the Method key to either AD (Active Directory) or Local. Local lets you use macOSLAPS in a local-only setting and will not write to Active Directory. To compensate, you can run /usr/local/laps/macOSLAPS -getPassword after the fact, which writes the following files:
  - /var/root/Library/Application Support/macOSLAPS-password
  - /var/root/Library/Application Support/macOSLAPS-expiration
  These files can then be read by your MDM, when run as root, to report the password and its expiration date. When macOSLAPS runs again without the -getPassword flag, it deletes these files.
- Password Grouping - Using the keys PasswordGrouping and PasswordSeparator you can create a password that is split into groups by a separator character, very similar to Safari-style passwords. Thanks, @MagerValp, for the initial code.
- Error Checking Improved - I believe I have improved error checking: should something go wrong in either the AD password change or the local password change, the changes are reverted and the application exits.
- Bundle Identifier and Signing Certificate Rotation - A new helper, macOSLAPS-repair, has been placed in /usr/local/laps and is used to change the signing identity of the original binary once it has been given access to the keychain entry. This allows the signing identity to change from Mac Developer with a bundle identifier of $(PRODUCT_BUNDLE_IDENTIFIER) to Developer ID Application with edu.psu.macOSLAPS. This is more of an under-the-hood change, but it also allows for more official signing.
- Universal - This build of macOSLAPS runs on either Apple Silicon or Intel macOS devices.
- ISODate Formatting - Thanks to @MagerValp for his insight on this: the date is now in ISO 8601 format so that it works properly internationally.
- Developer ID Installer Certificate - This package is now signed with a Developer ID Installer certificate.
- Expiration Date for Local Method - I received reports that, when extracting the expiration date, it was only showing the created date rather than the expiration date. I have resolved this issue, but please test to ensure it is fixed.
Please give this a try and let me know how it fares in your environment, and as always, if you have any questions or concerns, please be sure to let me know.