Question

MacOS Laps

  • October 28, 2022

N30
  • Contributor
  • 13 replies

We are looking for a LAPS implementation for our macOS devices. We utilize Jamf Pro and Jamf Connect.

Our MacBooks are bound to Jamf Connect.

I had a look at MacOSLAPS; however, this solution requires AD integration.

Is there another reliable LAPS solution that doesn't need AD integration?

We do have an Intune subscription (but we only use that for our Windows devices).

10 replies

rickgmac
  • Valued Contributor
  • 62 replies
  • October 28, 2022

MacOSLAPS is not reliant on AD integration. It is just an option.

We have it configured in various environments with no AD server.

Look at their Jamf extension attributes to capture and record the LAPS details.


N30
  • Author
  • Contributor
  • 13 replies
  • October 28, 2022

> MacOSLAPS is not reliant on AD integration. It is just an option.
>
> We have it configured in various environments with no AD server.
>
> Look at their Jamf extension attributes to capture and record the LAPS details.

Thanks for the confirmation.


TheITGuy69
  • Contributor
  • 43 replies
  • October 28, 2022

Technically, if your users are local admins, you don't need a secondary admin account, which will make the device more secure; plus there is more overhead because you would want to make the LAPS admin account with secure token access. Just my 2 cents...


MacJunior
  • Valued Contributor
  • 129 replies
  • October 31, 2022

@TheITGuy69 could you elaborate why it's needed to have LAPS for an admin account with SecureToken granted?


TheITGuy69
  • Contributor
  • 43 replies
  • November 9, 2022

> @TheITGuy69 could you elaborate why it's needed to have LAPS for an admin account with SecureToken granted?

Sorry, I need to change my notification settings so I can reply quicker.

What happens when you have a FileVault issue? Or the user's password doesn't work with FileVault even though it should, especially after a recent password reset when it doesn't sync properly. The LAPS account, although an admin, won't be able to unlock FileVault, and it's a headache to manage to make sure it can be SecureToken granted.

We are moving away from this scenario. As long as the primary account of the device is an admin with SecureToken or FileVault access, and you have the FileVault key escrowed in Jamf, you don't need the LAPS account. If anything should happen, you can provide the user with the FileVault key to log in via recovery and their local password.
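A Jamf extension attribute that records the condition described above (a LAPS admin account that cannot unlock FileVault because it has no Secure Token), as an added example that is not part of this thread and not MacOSLAPS's own EA; it assumes the managed admin account is named `localadmin` and parses the text printed by `sysadminctl -secureTokenStatus` and `fdesetup status`:

```shell
#!/bin/bash
# Jamf extension attribute (constructed example, not MacOSLAPS's own EA).
# Reports whether the managed LAPS admin account holds a Secure Token and
# whether FileVault is on, so inventory shows which Macs that account could
# (or could not) unlock at the FileVault login screen.

LAPS_ADMIN="${LAPS_ADMIN:-localadmin}"   # assumed account name; adjust to your environment

# Parse the text sysadminctl -secureTokenStatus prints for a user.
# Prints ENABLED, DISABLED or UNKNOWN.
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *)                            echo "UNKNOWN" ;;
    esac
}

# Parse the output of fdesetup status. Prints On, Off or Unknown.
parse_fv_status() {
    case "$1" in
        *"FileVault is On"*)  echo "On" ;;
        *"FileVault is Off"*) echo "Off" ;;
        *)                    echo "Unknown" ;;
    esac
}

# Combine both answers into the EA value. A LAPS admin with no Secure Token
# on a FileVault-enabled Mac cannot unlock the disk, which is the case the
# thread warns about, so that combination is flagged explicitly.
ea_value() {
    local token="$1" fv="$2"
    if [ "$fv" = "On" ] && [ "$token" != "ENABLED" ]; then
        echo "token=$token fv=$fv WARN:cannot-unlock-FileVault"
    else
        echo "token=$token fv=$fv"
    fi
}

# Only run the real commands on macOS; sysadminctl writes its answer to stderr.
if [ "$(uname)" = "Darwin" ] && command -v sysadminctl >/dev/null 2>&1; then
    token_out="$(sysadminctl -secureTokenStatus "$LAPS_ADMIN" 2>&1)"
    fv_out="$(fdesetup status 2>&1)"
    echo "<result>$(ea_value "$(parse_token_status "$token_out")" "$(parse_fv_status "$fv_out")")</result>"
fi
```

Upload it as a script-based extension attribute in Jamf Pro and build a smart group on the `WARN:` substring to find Macs where the LAPS account would not get you past the FileVault screen.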


MacJunior
  • Valued Contributor
  • 129 replies
  • November 10, 2022

True, we used to have all our accounts as admin and there wasn't a need to have an "IT localadmin" account at all, because we were counting on using the FV recovery key to reset the end user account's password. But recently we're trying to change this scenario: the plan is to demote our accounts to standard and have a localadmin account "without having a secure token", with a LAPS solution in place to make it more secure.


TheITGuy69
  • Contributor
  • 43 replies
  • November 10, 2022

> True, we used to have all our accounts as admin and there wasn't a need to have an "IT localadmin" account at all, because we were counting on using the FV recovery key to reset the end user account's password. But recently we're trying to change this scenario: the plan is to demote our accounts to standard and have a localadmin account "without having a secure token", with a LAPS solution in place to make it more secure.

Just curious what your end game is for this scenario. You can create an admin account ad hoc via a script at any time and remove the account when done.


MacJunior
  • Valued Contributor
  • 129 replies
  • November 11, 2022

As far as I know you can't deploy a new Mac with just a standard account on it; you have to have an admin account on it as well. In our case it would be a managed admin account created by Jamf.


N30
  • Author
  • Contributor
  • 13 replies
  • February 21, 2023

> Technically, if your users are local admins, you don't need a secondary admin account, which will make the device more secure; plus there is more overhead because you would want to make the LAPS admin account with secure token access. Just my 2 cents...

Our users are not local admins.


N30
  • Author
  • Contributor
  • 13 replies
  • February 21, 2023

> As far as I know you can't deploy a new Mac with just a standard account on it; you have to have an admin account on it as well. In our case it would be a managed admin account created by Jamf.

Is this true? Can someone confirm this?