Fix the macOS High Sierra Root Issue with JAMF Pro

Update: Apple fixed the issue. A critical flaw has been discovered in macOS High Sierra that lets anyone log in as 'root' with an empty password. It's fixable via this Apple guide.

But as a system administrator for hundreds of Macs, fixing it automatically is better. So: a quick guide for JAMF Pro.

Could be useful for others:

Find Empty Root

Create an extension attribute that checks whether the root account has a password set. (Source)

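#!/bin/bash
# Jamf Pro extension attribute: report whether root has a password set.
RESULT=$(sudo dscl . -read /Users/root Password)
if [[ $RESULT == "Password: ********" ]]; then
    # dscl shows a masked value when a password is set
    echo "<result>haspassword</result>"
elif [[ $RESULT == "Password: *" ]]; then
    # a single asterisk means no password is set
    echo "<result>nopassword set</result>"
else
    echo "<result>unknown</result>"
fi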

Scope all vulnerable devices

Create a Smart Group that targets devices running High Sierra whose extension attribute reports nopassword or unknown.


Setting a password for root

Upload this package from Der Flounder

This package runs a script that sets a random password for the root user and sets its login shell to /usr/bin/false.
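What a remediation script of this kind can look like, as an added example that is not the Der Flounder package or code from this post. It assumes it runs as a Jamf Pro policy script with custom parameter 4 set to `apply` (a hypothetical convention), and the function names are illustrative.

```shell
#!/bin/bash
# Added example: give root a random password and a non-login shell,
# then re-check with the same dscl read the extension attribute uses.
DSCL="${DSCL:-/usr/bin/dscl}"   # overridable so the logic can be exercised off-Mac

# Map the dscl "Password" attribute to the extension attribute's values.
root_password_state() {
    case "$("$DSCL" . -read /Users/root Password 2>/dev/null)" in
        "Password: ********") echo "haspassword" ;;
        "Password: *")        echo "nopassword set" ;;
        *)                    echo "unknown" ;;
    esac
}

# 32 random alphanumeric characters; the value is never printed or stored.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Set the random password and a non-login shell, then verify the result.
lock_down_root() {
    pw="$(random_password)"
    [ "${#pw}" -eq 32 ] || { echo "password generation failed" >&2; return 1; }
    # Note: the password is a command argument, so it is briefly visible
    # in the local process list while dscl runs.
    "$DSCL" . -passwd /Users/root "$pw" || return 1
    "$DSCL" . -create /Users/root UserShell /usr/bin/false || return 1
    unset pw
    [ "$(root_password_state)" = "haspassword" ]
}

# Jamf reserves script parameters 1-3; act only when parameter 4 is "apply"
# (assumed convention) and the script is running as root.
if [ "${4:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; exit 1; }
    if lock_down_root; then
        echo "root locked down"
    else
        echo "remediation failed" >&2
        exit 1
    fi
fi
```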

Fix it

Create a policy that runs the package and performs an inventory update on all devices in the Smart Group.


The result: [image]