JPass is a Swift CLI tool that makes managing Jamf Pro's LAPS (Local Administrator Password Solution) fast, secure, and scriptable - simplifying the adoption and management of LAPS. This allows administrators to quickly view, set, and rotate local admin passwords without needing to navigate the Jamf Pro web interface for common tasks.
Perform lookups using one of several supported identifiers: Jamf Id, computer name, management id, asset tag, bar code, or serial number. If multiple results are returned, admins are prompted to select a specific host before proceeding.
Quickly and easily retrieve the LAPS password for a given host with flags to copy the password directly to your clipboard or to be printed in a NATO phonetic format for clear verbal communication.
Securely trigger password rotations quickly without exposing the current password.
Set LAPS passwords by either manually providing a password, piping one in via STDIN from your favorite password generator, or generating one with the built-in passphrase generator, which is capable of creating over 48 billion unique phrases ranging from 14 to 29 characters long in the format <adverb>-<verb>-<noun> (e.g. radically-baffled-hero, obviously-panicked-volume).
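As an added illustration (not JPass's own code), here is a Python sketch of the adverb-verb-noun passphrase scheme described above: it draws each word with a CSPRNG, enforces the 14 to 29 character bound, and computes the entropy a given phrase-space size implies. The word lists are tiny constructed samples; only the phrase format, the length bounds and the 48 billion figure come from the README.

```python
import math
import secrets

# Constructed, tiny sample word lists. The real JPass lists are far larger and
# are not reproduced here; the README's own example words are included.
ADVERBS = ["radically", "obviously", "quietly", "boldly"]
VERBS = ["baffled", "panicked", "guarded", "rotated"]
NOUNS = ["hero", "volume", "anchor", "keychain"]

MIN_LEN, MAX_LEN = 14, 29  # length bounds the README states for generated phrases


def phrase_space(adverbs, verbs, nouns):
    """Number of distinct <adverb>-<verb>-<noun> phrases the three lists can form."""
    return len(adverbs) * len(verbs) * len(nouns)


def entropy_bits(phrase_count):
    """Entropy in bits of a phrase chosen uniformly from phrase_count candidates."""
    return math.log2(phrase_count)


def generate_passphrase(adverbs=ADVERBS, verbs=VERBS, nouns=NOUNS):
    """Pick one word per list with secrets (CSPRNG, never random.choice) and
    join them with hyphens, retrying until the README's length bounds hold."""
    while True:
        phrase = "-".join(secrets.choice(lst) for lst in (adverbs, verbs, nouns))
        if MIN_LEN <= len(phrase) <= MAX_LEN:
            return phrase


def is_valid_passphrase(phrase, adverbs=ADVERBS, verbs=VERBS, nouns=NOUNS):
    """Format check: exactly three hyphen-separated words, each drawn from the
    list for its position, and a total length within 14..29 characters."""
    parts = phrase.split("-")
    if len(parts) != 3:
        return False
    adverb, verb, noun = parts
    return (adverb in adverbs and verb in verbs and noun in nouns
            and MIN_LEN <= len(phrase) <= MAX_LEN)
```

With the README's stated space of over 48 billion phrases, entropy_bits gives roughly 35.5 bits per generated password, which is the figure to weigh against your rotation interval.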
Easily view the history of all viewed or rotated passwords for a host or dig a bit deeper by peeking at its audit trail. Notice an API client was the culprit but not sure which one the id maps to? JPass provides convenience flags to quickly map all API client IDs to their respective display name. No more poking around the JPS GUI to figure out whodunit.
See all pending password rotations with timestamps of the event alongside which computer and LAPS user it applies to. Management IDs mean nothing to you? Pass a convenience flag to map management ids to their respective computer name.
Take the friction out of viewing or configuring your Jamf Pro's LAPS settings. See time values in human-readable format (who knows how many days 7776000 seconds is off hand...) or quickly toggle settings - all modifications prompt for confirmation unless explicitly given via a flag.
Once successfully authenticated, JPass securely caches credentials in your local keychain on a per-user, per-server, per-port basis (here's lookin' at you MSPs 👋) - or don't by explicitly disabling credential caching. Want to remove a specific cached value? JPass caches credentials with human-readable labels in your local keychain. Simply open Keychain Access, select the login keychain, search for JPass, and delete the offending records.
Supports authenticating as either a Jamf Pro user or an API client, with credential caching for both.
All displayed passwords trigger rotations, all communications happen over HTTPS, JPass-triggered rotations use HEAD requests (only headers are sent back, meaning the password never leaves the JPS), credentials are cached in the local macOS keychain (no iCloud syncing here folks), cached credentials get destroyed upon receiving an unauthorized response, and more. All design decisions are made with security in mind.
- Operating System: macOS 14.6 or higher
- Jamf Pro: 10.46.0 or higher
While Swift supports all major operating systems, JPass currently only supports macOS since it leverages macOS-specific APIs to access the local keychain. This may change in the future if there's enough demand.
JPass is a self-contained binary so it can be installed anywhere. The recommended method is:
- Download the latest release
- Run the provided PKG, which will install jpass to /usr/local/bin/jpass
Now you can run jpass from anywhere in your favorite shell.
JPass supports the following (optional) environment variables:
- JPASS_SERVER: Configures the Jamf Pro Server address to be used for all queries.
  - Specifying the scheme (https://) and port is optional. By default, JPass uses port 443 for Jamf Cloud instances and 8443 otherwise. If you don't use a standard port, specify your own by appending :<port> to the end of the URL (e.g. your.jps.url:9090).
  - Can be overridden with the --server|-s option.
- JPASS_USER: Configures the Jamf Pro User to be used for all queries.
  - Can be overridden with the --user|-u option.
  - Cannot be used at the same time as JPASS_CLIENT_ID.
- JPASS_CLIENT_ID: Configures the Jamf Pro API Client to be used for all queries.
  - Can be overridden with the --client-id option.
  - Cannot be used at the same time as JPASS_USER.
- JPASS_LOCAL_ADMIN: Configures the local admin account for all queries.
  - Can be overridden with the --ladmin|-l option.
- JPASS_NO_CACHE: Disables credential caching.
  - Equivalent to the --no-cache option.
  - The value is irrelevant, as long as it's set.
To easily configure these values, you can run export <variable>='<value>' in your shell. Example: export JPASS_SERVER='your.jps.url'.
To persist these changes between sessions, add your export statements to your shell's rc file (~/.zshrc by default). You can either manually edit the file with your favorite text editor, or run echo "export <variable>='<value>'" >> ~/.zshrc. Note that you'll need to start a new shell or run source ~/.zshrc for changes to take effect. Example: echo "export JPASS_SERVER='your.jps.url'" >> ~/.zshrc
All examples assume the above JPass environment variables have been configured. If not, add the options --server|-s <server> and --user|-u <user> to each command.
For expanded/detailed usage, all commands support the --help|-h flag. Alternatively, you can use jpass help <command>.
All subcommands support aliases to reduce the number of keystrokes (typing is hard, I know), such as pen and p for pending. All aliases can be viewed by checking the help text.
Note: <identifier> can be one of the following: Jamf Id, computer name, management id, asset tag, bar code, or serial number. If multiple results are returned, admins are prompted to select a specific host before proceeding.
- Retrieve a LAPS password: jpass get <identifier> [--nato|-n] [--copy|-c]
  get is the default command, so this can be reduced to jpass <identifier>. If --nato|-n is provided, the retrieved password will be printed to STDOUT along with a NATO phonetic pronunciation guide. If --copy|-c is provided, the retrieved password will be copied directly to your clipboard instead of being printed to STDOUT.
- Rotate LAPS password: jpass rotate <identifier> ...
- Set a LAPS password: jpass set <identifier> ... [--pass|-p <password>] [--generate|-g]
  Using --pass|-p is optional. If not provided, JPass will prompt for the new password.
  Warning: If multiple identifiers are provided while explicitly setting the password, each device will be assigned the same password. The intent here is to allow admins to set a predefined password across multiple computers for extended periods of work before being manually rotated upon completion.
- Set a LAPS password to a random passphrase: jpass set <identifier> ... [--generate|-g]
  Using the --generate|-g option will result in JPass assigning a random 14-29 character 3-word phrase for the password in the format <adverb>-<verb>-<noun>, e.g. radically-baffled-hero. If multiple identifiers are provided while using the --generate|-g flag, each device will be assigned a unique passphrase.
- List LAPS accounts for a host: jpass accounts <identifier>
- View audit trail. Includes past passwords, who viewed it, when it was viewed, and when it expired: jpass audit <identifier> [--map-client|-m]
- View LAPS history. Includes date created, date last seen, expiration time, and rotational status: jpass history <identifier> [--map-client|-m]
- View pending rotations: jpass pending [identifier ...] [--map-computers|-m]
  If one or more identifiers are provided, pending results will be filtered down to those hosts. If --map-computers|-m is provided, returned management Ids will be mapped to their respective computer names.
- View global LAPS configuration: jpass config get
- Modify global LAPS configuration: jpass config set [--enable-auto-deploy|--disable-auto-deploy] [--enable-auto-rotate|--disable-auto-rotate] [--password-rotation-time <password-rotation-time>] [--auto-rotate-expiration-time <auto-rotate-expiration-time>] [--confirm]
  If --confirm isn't provided, JPass will validate the requested changes and prompt for confirmation before proceeding.
Contributions are welcome! To contribute:
- Fork the repository.
- Create a new branch for your feature or bug fix.
- Submit a pull request with a detailed description of your changes.
Created by Corey Oliphant: A Jamf System Administrator and former Jamf Software Engineer/Technical Support Engineer.
MIT License
Copyright (c) 2024 Corey Oliphant
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.