Fix the macOS High Sierra Root Issue with JAMF Pro
Update: Apple fixed the issue. A critical flaw has been discovered in macOS High Sierra that lets anyone log in as ‘root’ with an empty password. It’s fixable via this Apple guide.
But, as a System Administrator for hunderds of Macs, doing it automatically is better. So: a quick guide for JAMF Pro.
Could be useful for others:
Find Empty Root
Create an extension attribute that looks for users with empty root passwords. (Source)
#!/bin/bashRESULT=$(sudo dscl . -read /Users/root Password)if \[\[ $RESULT == “Password: \*\*\*\*\*\*\*\*” \]\]; thenecho “<result\>haspasswordresult\>“elif \[\[ $RESULT == “Password: \*” \]\]; thenecho “<result\>nopassword setresult>”elseecho “<result\>unknownresult\>“fi
Scope all vulnerable devices
Create a Smart group that targets devices with nopassword or Unknown + High Sierra
Setting a password for root
Upload this package from Der Flounder.
This package runs a script that sets a random password to the root user + sets its environment to /usr/bin/false
Create a policy that runs the package + does an inventory update for all devices within the smart group.