admin LAPS password not working

TraianNiculai
New Contributor III

Hello, we have enabled LAPS from the API with the default settings for our local admin account. While the password has been changed for all devices, the admin password works a few times and after that it no longer works. We waited for password rotation; it is still not working. The device is connected to the internet, so it should get the new password. We have tried to change it from the API, and if we look in the device inventory, the password has changed, but it is still not working on the device.

 

Devices with OS from 13.x to 14.x are affected.

 

Has anyone encountered this issue?

 

Regards,

Traian


AJPinto
Honored Contributor III

I would not be shocked to learn that whatever function Jamf is using to do this was not added until macOS 13. Especially considering it's working on macOS 13 and 14.

 

I do caution you against running anything other than the most current build of macOS. MacOS 12 (and 13) do not receive patches for all known vulnerabilities, and macOS 12 will be retired in about 6 months and get no further updates at all.

Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 14, iOS 17, and so on), not all known security issues are addressed in previous versions (for example, macOS 13, iOS 16, and so on).

About software updates for Apple devices - Apple Support

I have managed to update the device to the latest version of the OS, but the issue still persists. What is worth mentioning is that we also have a FileVault policy. After the first password rotation, the policy tried to activate FileVault and failed. After that, the admin password stopped working.

 

roiegat
Contributor III

Check your settings using this guide:

https://community.jamf.com/t5/tech-thoughts/how-to-securely-manage-local-admin-passwords-with-jamf-p...

I found some of our settings were off and had to be adjusted for it to work.

KMak84
Contributor

I too have followed that article, but even now it still makes no sense.
No choice but to raise a ticket with Jamf Support.
I can ARD on to the user's machine with the LAPS password, but when trying to unlock System Settings or run a local package install it does not work.

roiegat
Contributor III

There are a couple of scripts on JAMF nation that will assist with the lookup as well.  I found one that worked and modified it for use in our environment.

Also keep in mind that once you look up a password, it gets rotated in 60 minutes.

Could you pass on those links for the scripts, please? Don't get me wrong, the idea of LAPS is great; it's just amending workflows and processes around it that's giving me grief.

I have tried to change UIE username to something more like admin username but nothing kicks in to change what it was before to what I want now, is there another way other than enrolling 

roiegat
Contributor III

franconiaridge
New Contributor

Hi there, 

I'm having the same issue. Essentially, the password will work once for login, then it can be used in a terminal, etc., but after a restart, it fails to let the admin log in. We're currently looking for a solution. Have you had any luck finding one?

 

Thank you

Not so far, the problem is with the keyvault that it was activated on the admin account. There seems to be a change to fix if you decrypt the drive, remove anything related to the keyvault, reactivate it. But I am unable to upload a new key in jamf. Still stuck on the issue.

bmack99
Contributor III

Has anyone gotten any direction from JAMF around this issue? I'm seeing something similar, I believe, to @TraianNiculai. We wiped an already enrolled machine (erase volume, reinstall OS) in JAMF, and after a reinstall of the OS and re-enrollment in JAMF the LAPS account pw does not work.