Resolved Profile Manager, change local admin password

DennisBlah

macrumors 6502
Original poster
Dec 5, 2013
485
2
The Netherlands
Hi all,

I was hoping to find someone who can help me out here.

I manage +/- 1500 OSX clients through Profile Manager and Munki (sort of Jamf, but free)

I'm in the need to change the password of my local administrator user on all devices.

Before I created an 'autoUpdater' with encrypted keys that contain the password. Which on it's turn is being decrypted and executes CLI commands to copy applications and/or run applescripts.

There I could easily change the password.
Now I'm leaving this application since the amount of clients went 'boom' and using ProfileManager with Munki.

I do not want to put the password unencrypted in a payload free package.

Any advice?
 

TriBruin

macrumors regular
Jul 28, 2008
164
360
Could you encrypt the password in your script with openssl and then use a decode option in your bash script? While not completely secure (You will still have your encoded password and decryption key in the script), it would, at least, keep people from seeing your password in the open.

Other idea, can you could put the encrypted password in a file on a server and read it from the script.

(And, 1500 devices on Profile Manager. I commend you!)
 
  • Like
Reactions: Altemose

DennisBlah

macrumors 6502
Original poster
Dec 5, 2013
485
2
The Netherlands
Could you encrypt the password in your script with openssl and then use a decode option in your bash script? While not completely secure (You will still have your encoded password and decryption key in the script), it would, at least, keep people from seeing your password in the open.

Other idea, can you could put the encrypted password in a file on a server and read it from the script.

(And, 1500 devices on Profile Manager. I commend you!)
Hi TriBruin,

As my 'autoUpdater' was using this process. In xCode I used an AES encryption library to encrypt the password with a key.
The actual password was indeed stored on a fileshare. Pulled from, decrypted it, de-scrambled it for username / password and using it to run the CLI and AppleScript with admin privileges.


From your initial response I asume it's not possible with Profile Manager then :)
So indeed I will have to create a new script and find a good way to manage the password (encryption and decryption)
I got 10 more guys (and lady) that need to be able to perform the password change.

I'll see what I can do, maybe I'll post it here if anyone is interested.

Thanks for your response!
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.