Which account are you using for LAPS? The PreStage or jamf binary (ie user-initiated) account? It is my understanding that only the jamf binary account can have a secure token, but then again I don't grant either of these accounts a token.

Feel free to submit a feature request about the customisable option you mentioned. Might be worth searching first to see if there isn't already one there.

Shannon

It happens to all Local Accounts. It's even worse when the bootstrap token isn’t escrowed, as it prevents the creation of new accounts with a secure token.

Feature Request for JAMF LAPS Scoping is here -> https://ideas.jamf.com/ideas/JPRO-I-1101

If the bootstrap token isn't escrowed the you will have issues so if that's not escrowing then it'd be worth investigating that.

It might be worth looking into an alternative approach for what account has a secure token. Perhaps a non PreStage or jamf binary account that you can grant a token to. Alternatively reach out to Jamf support

I've just granted my jamf binary account a secure token so I'll see what happens in an hour when the LAPS password rotates.

There is also this one related to API: https://ideas.jamf.com/ideas/JPRO-I-188

That said, Jamf supports two LAPS enabled accounts, through the API they get identified as JMF (the standard Jamf account), and MDM (the PreStage enrolment account), per there documentation, only the standard Jamf account (JMF in API) supports accounts with Secure Tokens, the PreStage enrolment account (MDM in API) does not, the latter being an Apple macOS limitation, since password changes to that account are completely handled by Apple Push Notifications network, and all Jamf Pro does is ask the APN network to change the password, while the former (JMF) is completely handled by the jamf binary on the computer, allowing it to change the password securely and maintaining the Secure Token status.

See https://learn.jamf.com/en-US/bundle/technical-paper-laps-current/page/LAPS_Account_Comparison.html

So the password has been rotated and the account still has a secure token. Seems like maybe the bootstrap token you have could be causing this.

It's all a bit of a mess. I've noticed that the Jamf binary account never receives a secure token, while the prestage account might get one. Additionally, our extra local admin recovery account (created because the first two were unreliable) may receive a secure token, but only if we log in at the desktop rather than via SSH. That account can only get a secure token, because we force the bootstrap token to happen.

Sounds like something else is happening breaking the secure token on either of your LAPS accounts. Could be the bootstrap token but not really sure as it's been pretty reliable in my experience. Perhaps its worth reaching out to Jamf Support.

As a test, I turned off LAPS and let it run for several days, everything worked fine. When I turned LAPS back on, a couple of machines became inaccessible, even with the original and JAMF LAPS retrieved passwords. I was planning to dig deeper into the issue, but I've been told we’re moving from JAMF to Intune next year, so not worth the effort.