Question

Seeking Feedback: Implementing LAPS in an Education Environment

  • March 5, 2026
  • 4 replies
  • 12 views

scooterkohler

Hi everyone! My team is currently exploring the implementation of LAPS into our workflow, and we’d love to hear from those of you in Education (or similar sectors).

For those who have made the jump: how has the experience been? Specifically, I'm curious about the initial setup complexity and how user-friendly the password retrieval process is for your team. Also, from a security standpoint, do you find that simply rotating the local admin password provides enough protection, or are there other factors we should consider? Thanks in advance for any insights.

4 replies

Chubs
  • Jamf Heroes
  • March 5, 2026

Ok so a few questions:

  1. Do you have ANY macOS devices where the prestage account matches the binary account?  e.g.: have the same ID and name
  2. Does your infosec department have minimums on password complexities?
  3. Do your technicians have rights to see the local admin user area in JAMF?

We did this about a month ago (healthcare) and it’s been pretty smooth.  I communicated the how with our service desk and client services for a month and a half before we made the switch.  We also do NOT rotate passwords unless viewed (and it will auto rotate at enrollment automatically).

We did experience a product issue on number 1 above - in that it’s supposed to just error and not affect those devices...but it actually rotated that account without any issues, so that’s a good thing I guess.


Chubs
  • Jamf Heroes
  • March 5, 2026

Oh and let me throw in a plug for PocketMDM.  It’s like a mobile LAPS generator in your pocket!


mvu
  • Jamf Heroes
  • March 5, 2026

We moved to MDM LAPS a few months ago. It’s one checkbox. But once you commit, you’re committed.

Retrieving the password isn’t too bad. We found using that LAPS password got out of sync sometimes. 

Needed to play around with it when using remote control tools. Just needed to train others and time to get used to it.

But overall, it feels more secure with the password rotation. It’s set and forgotten.

• Rotation interval - Never

• Rotation after viewing interval - 1 day (I may change to 12 hours)


scooterkohler
  • Author
  • Jamf Heroes
  • March 5, 2026

> 1. Do you have ANY macOS devices where the prestage account matches the binary account?  e.g.: have the same ID and name
> 2. Does your infosec department have minimums on password complexities?
> 3. Do your technicians have rights to see the local admin user area in JAMF?

  1. No we don’t have any, I don’t think. I’m still a little confused what you are asking.
  2. Yes, 12 digits, a number, a special character, an uppercase and a lowercase
  3. No they do not currently have the rights to do that.

What is PocketMDM?

@mvu Thank you for sharing your experience. I guess I am just a little nervous to make that jump, because there is no undo button. Is there anything that is difficult, or shortcomings of setting up LAPS?