DennisBlah

macrumors 6502
Original poster
Dec 5, 2013
485
2
The Netherlands
Hi all,

I was hoping to find someone who can help me out here.

I manage +/- 1500 OSX clients through Profile Manager and Munki (sort of Jamf, but free)

I need to change the password of my local administrator user on all devices.

Before, I created an 'autoUpdater' with encrypted keys that contain the password, which in its turn is decrypted and executes CLI commands to copy applications and/or run AppleScripts.

There I could easily change the password.
Now I'm leaving this application, since the number of clients went 'boom', and am using Profile Manager with Munki.

I do not want to put the password unencrypted in a payload-free package.

Any advice?
 

TriBruin

macrumors 6502
Jul 28, 2008
440
918
Could you encrypt the password in your script with openssl and then use a decode option in your bash script? While not completely secure (you will still have your encoded password and decryption key in the script), it would, at least, keep people from seeing your password in the open.

Another idea: could you put the encrypted password in a file on a server and read it from the script?

(And, 1500 devices on Profile Manager. I commend you!)
 
Reactions: Altemose
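
TriBruin's suggestion sketched as an added example (not code from either poster): the password is encrypted with openssl and decrypted by the script at run time, with the passphrase kept in a separate owner-only key file instead of in the script itself. The function names and paths are hypothetical, and an openssl build that supports -pbkdf2 (OpenSSL 1.1.1 or later) is assumed.

```shell
#!/bin/sh
# Added example; function names and file paths are hypothetical.
# The caveat from the post still holds: whoever obtains both the key file
# and the encrypted blob can recover the password. Keeping the passphrase
# out of the script only removes it from the distributed package.
# openssl enc with CBC gives confidentiality only; it does not detect tampering.

# new_keyfile PATH: write a random passphrase, readable by the owner only.
new_keyfile() {
    ( umask 077; openssl rand -base64 32 > "$1" )
}

# encrypt_secret KEYFILE OUTFILE: plaintext arrives on stdin, so it never
# shows up in the process list or in shell history.
encrypt_secret() {
    ( umask 077
      openssl enc -aes-256-cbc -pbkdf2 -salt -a -pass "file:$1" -out "$2" )
}

# decrypt_secret KEYFILE INFILE: plaintext goes to stdout; a wrong key
# normally makes openssl exit non-zero ("bad decrypt").
decrypt_secret() {
    openssl enc -d -aes-256-cbc -pbkdf2 -a -pass "file:$1" -in "$2" 2>/dev/null
}

# Stand-alone demonstration with a constructed sample password:
#   sh thisfile.sh demo
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d) || exit 1
    new_keyfile "$dir/key"
    printf '%s' 'Constructed-Sample-Pw-1' | encrypt_secret "$dir/key" "$dir/pw.enc"
    echo "blob on disk:"; cat "$dir/pw.enc"
    echo "decrypted at run time: $(decrypt_secret "$dir/key" "$dir/pw.enc")"
    rm -rf "$dir"
fi
```

The second idea in the post maps onto the same functions: the blob (or the key file) is fetched from the server at run time instead of shipping inside the package.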

DennisBlah

macrumors 6502
Original poster
Dec 5, 2013
485
2
The Netherlands
Hi TriBruin,

My 'autoUpdater' was using this process. In Xcode I used an AES encryption library to encrypt the password with a key.
The actual password was indeed stored on a fileshare. It was pulled from there, decrypted, de-scrambled into username / password, and used to run the CLI and AppleScript with admin privileges.


From your initial response I assume it's not possible with Profile Manager then :)
So indeed I will have to create a new script and find a good way to manage the password (encryption and decryption).
I got 10 more guys (and lady) that need to be able to perform the password change.

I'll see what I can do, maybe I'll post it here if anyone is interested.

Thanks for your response!
 