Question

admin LAPS password not working

  • February 25, 2024
  • 15 replies
  • 347 views


Hello, we have enabled LAPS from the API with the default settings for our local admin account. While the password has been changed for all devices, the admin password is working a few times and after that the password is no longer working. We waited for password rotation, still not working. The device is connected to the internet, so it should get the new password. We have tried to change it from the API and if we look in device inventory, the password has changed but still not working on the device.

 

Devices with OS from 13.x to 14.x are affected.

 

Has anyone encountered this issue?

 

Regards,

Traian

15 replies

AJPinto
  • Legendary Contributor
  • February 26, 2024

I would not be shocked to learn that whatever function Jamf is using to do this was not added until macOS 13. Especially considering it's working on macOS 13 and 14.

 

I do caution you against running anything other than the most current build of macOS. MacOS 12 (and 13) do not receive patches for all known vulnerabilities, and macOS 12 will be retired in about 6 months and get no further updates at all.

Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 14, iOS 17, and so on), not all known security issues are addressed in previous versions (for example, macOS 13, iOS 16, and so on).

About software updates for Apple devices - Apple Support


  • Author
  • Contributor
  • February 26, 2024

> I would not be shocked to learn that whatever function Jamf is using to do this was not added until macOS 13. Especially considering it's working on macOS 13 and 14.
>
> I do caution you against running anything other than the most current build of macOS. MacOS 12 (and 13) do not receive patches for all known vulnerabilities, and macOS 12 will be retired in about 6 months and get no further updates at all.
>
> Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 14, iOS 17, and so on), not all known security issues are addressed in previous versions (for example, macOS 13, iOS 16, and so on).
>
> About software updates for Apple devices - Apple Support


I have managed to update the device to the latest version of OS, but the issue still persists. What is worth mentioning, we also have a FileVault policy. After the first password rotation, the policy tried to activate FileVault and failed. After that the admin password stopped working.

 


roiegat
  • Valued Contributor
  • February 28, 2024

Check your settings using this guide:

https://community.jamf.com/t5/tech-thoughts/how-to-securely-manage-local-admin-passwords-with-jamf-pro-and/ba-p/289969

I found some of our settings were off and had to be adjusted for it to work.


  • Contributor
  • March 29, 2024

I too have followed that article, but even now it still makes no sense.
No choice but to raise a ticket with Jamf Support.
I can ARD on to the user's machine with the LAPS password, but when trying to unlock System Settings or run a local package install it does not work.


roiegat
  • Valued Contributor
  • April 1, 2024

> I too have followed that article, but even now it still makes no sense.
> No choice but to raise a ticket with Jamf Support.
> I can ARD on to the user's machine with the LAPS password, but when trying to unlock System Settings or run a local package install it does not work.


There are a couple of scripts on JAMF nation that will assist with the lookup as well.  I found one that worked and modified it for use in our environment.

Also keep in mind that once you look up a password, it gets rotated in 60 minutes.


  • Contributor
  • April 1, 2024

> There are a couple of scripts on JAMF nation that will assist with the lookup as well. I found one that worked and modified it for use in our environment.
>
> Also keep in mind that once you look up a password, it gets rotated in 60 minutes.


Could you pass on those links for the scripts please. Don't get me wrong, the idea of LAPS is great; it's just amending workflows and processes around it that's giving me grief.

I have tried to change the UIE username to something more like the admin username, but nothing kicks in to change what it was before to what I want now. Is there another way other than enrolling?


roiegat
  • Valued Contributor
  • April 1, 2024

> Could you pass on those links for the scripts please. Don't get me wrong, the idea of LAPS is great; it's just amending workflows and processes around it that's giving me grief.
>
> I have tried to change the UIE username to something more like the admin username, but nothing kicks in to change what it was before to what I want now. Is there another way other than enrolling?


Here's one I modified for our use:
https://community.jamf.com/t5/jamf-pro/jamf-laps-tools/td-p/297145



Hi there,

I'm having the same issue. Essentially, the password will work once for login, then it can be used in a terminal, etc., but after a restart, it fails to let the admin log in. We're currently looking for a solution. Have you had any luck finding one?

 

Thank you


  • Author
  • Contributor
  • April 10, 2024

> Hi there,
>
> I'm having the same issue. Essentially, the password will work once for login, then it can be used in a terminal, etc., but after a restart, it fails to let the admin log in. We're currently looking for a solution. Have you had any luck finding one?
>
> Thank you


Not so far. The problem is with the keyvault that was activated on the admin account. There seems to be a chance to fix it if you decrypt the drive, remove anything related to the keyvault, and reactivate it. But I am unable to upload a new key in Jamf. Still stuck on the issue.


  • Valued Contributor
  • May 2, 2024

Has anyone gotten any direction from JAMF around this issue? I'm seeing something similar, I believe, to @TraianNiculai - We wiped an already enrolled machine (erase volume, reinstall OS) in JAMF, and after a reinstall of the OS and re-enrollment in JAMF the LAPS account pw does not work.


  • Contributor
  • August 9, 2024

Hi, I believe I’m seeing similar behaviour in our dev environment.

Affected Mac is running Sonoma 14.6.1.

PreStage admin account password gets changed after DEP enrolment & works when logging in/authenticating from another account. However, after a third password rotation, the password no longer works (nor do the previous ones).

About to log a ticket with Jamf, just checking to see if anyone in this thread had any updates to add?


  • Author
  • Contributor
  • August 12, 2024

> Hi, I believe I’m seeing similar behaviour in our dev environment.
>
> Affected Mac is running Sonoma 14.6.1.
>
> PreStage admin account password gets changed after DEP enrolment & works when logging in/authenticating from another account. However, after a third password rotation, the password no longer works (nor do the previous ones).
>
> About to log a ticket with Jamf, just checking to see if anyone in this thread had any updates to add?


Hi,

 

From my point of view, this is by design. It is supposed to work like this, but no further investigation was done by us on this. We created a second admin account in order to be able to help users when this was the case, and reinstalled the MacBooks when someone had left the company.


  • Contributor
  • August 12, 2024

My Pre-Stage local admin account works when logging in, but after the third try or log out and try to log back in, it stops. I end up using the UIE LAPS account, which is fine. There's a design fault on Jamf's side. Had a call with them, but it didn't help.


  • Contributor
  • August 12, 2024

Thanks, I appreciate the feedback! 😊

The reason I'm particularly concerned with this behaviour is that our Pre-Stage local admin account is often used to rescue customer accounts with SecureToken issues. In most cases, this account is the only account with a valid SecureToken, so if it gets borked due to LAPS, then the only alternative is personal recovery key to reset password (on FV encrypted Macs). Else customers are looking down the barrel of a re-image (unless I'm overlooking other workflows).


  • Contributor
  • August 12, 2024

When FV2 is enabled, I had to get the device into recovery mode, provide the PRK, reset the account password, and then they could log back in. I agree the Pre-Stage account should work regardless, but I've had to adapt. Jamf hasn't been much help with that.
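Added triage script for the symptom discussed in this thread (directory password accepted once, then no login after a restart on a FileVault Mac). It is not from the thread or from Jamf; it checks, for a LAPS-managed local admin, whether the directory password authenticates (`dscl . -authonly`), whether the account holds a SecureToken (`sysadminctl -secureTokenStatus`) and whether it is in the FileVault user list (`fdesetup list`), then gives a one-word verdict. The account name and password are passed as arguments (assumed names); the live commands only run where they exist (macOS), and the helpers work on captured output so they can be exercised elsewhere.

```shell
#!/bin/sh
# LAPS admin triage: password vs SecureToken vs FileVault unlock list.
# Usage on macOS (as root): sh laps_triage.sh <account> <password>

# Map a `sysadminctl -secureTokenStatus <user>` line to ENABLED/DISABLED/UNKNOWN.
classify_secure_token() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# `fdesetup status` prints "FileVault is On." or "FileVault is Off.".
fv_is_on() { case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac; }

# `fdesetup list` prints one "name,GeneratedUID" line per FileVault-enabled
# user. Returns 0 when $1 (account) appears in $2 (that output).
fv_user_present() { printf '%s\n' "$2" | grep -qi "^$1,"; }

# Combine the observations. Arguments:
#   $1 dscl exit status (0 = password matches the directory record)
#   $2 SecureToken classification   $3 FileVault on (0/1)   $4 in FV list (0/1)
# Verdicts: bad-password | ok-fv-off | ok | no-fv-unlock
# "no-fv-unlock" is the thread's case: the password is valid in the directory
# but the account cannot unlock the disk, so login fails after a restart.
verdict() {
  if   [ "$1" -ne 0 ]; then echo bad-password
  elif [ "$3" -ne 0 ]; then echo ok-fv-off
  elif [ "$2" = ENABLED ] && [ "$4" -eq 0 ]; then echo ok
  else echo no-fv-unlock
  fi
}

# Live run, macOS only.
if command -v sysadminctl >/dev/null 2>&1 && [ -n "$2" ]; then
  account="$1"; password="$2"
  auth=0; dscl . -authonly "$account" "$password" >/dev/null 2>&1 || auth=$?
  token=$(classify_secure_token "$(sysadminctl -secureTokenStatus "$account" 2>&1)")
  if fv_is_on "$(fdesetup status 2>/dev/null)"; then fvon=0; else fvon=1; fi
  if fv_user_present "$account" "$(fdesetup list 2>/dev/null)"; then infv=0; else infv=1; fi
  echo "account=$account auth_exit=$auth secure_token=$token filevault_on=$fvon" \
       "in_fv_list=$infv verdict=$(verdict "$auth" "$token" "$fvon" "$infv")"
fi
```

A "no-fv-unlock" verdict with auth_exit=0 matches the pattern reported above, where the rotated password is accepted by the directory but not at the FileVault pre-boot screen.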