Posted on 02-25-2024 05:55 AM
Hello, we have enabled LAPS from the API with the default settings for our local admin account. While the password has been changed for all devices, the admin password works a few times and after that the password no longer works. We waited for password rotation, still not working. The device is connected to the internet, so it should get the new password. We have tried to change it from the API and if we look in device inventory, the password has changed but it still does not work on the device.
Devices with OS from 13.x to 14.x are affected.
Has anyone encountered this issue?
Regards,
Traian
Posted on 02-26-2024 05:22 AM
I would not be shocked to learn that whatever function Jamf is using to do this was not added until macOS 13. Especially considering it's working on macOS 13 and 14.
I do caution you against running anything other than the most current build of macOS. macOS 12 (and 13) do not receive patches for all known vulnerabilities, and macOS 12 will be retired in about 6 months and get no further updates at all.
Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 14, iOS 17, and so on), not all known security issues are addressed in previous versions (for example, macOS 13, iOS 16, and so on).
Posted on 02-26-2024 06:43 AM
I have managed to update the device to the latest version of the OS, but the issue still persists. What is worth mentioning, we also have a FileVault policy. After the first password rotation, the policy tried to activate FileVault and failed. After that the admin password stopped working.
Posted on 02-28-2024 07:12 AM
Check your settings using this guide:
I found some of our settings were off and had to be adjusted for it to work.
Posted on 03-29-2024 12:55 PM
I too have followed that article, but even now it still makes no sense.
No choice but to raise a ticket with Jamf Support.
I can ARD on to the user's machine with the LAPS password, but when trying to unlock System Settings or run a local package install it does not work.
Posted on 04-01-2024 05:00 AM
There are a couple of scripts on Jamf Nation that will assist with the lookup as well. I found one that worked and modified it for use in our environment.
Also keep in mind that once you look up a password, it gets rotated in 60 minutes.
Posted on 04-01-2024 05:32 AM
Could you pass on those links for the scripts please. Don't get me wrong, the idea of LAPS is great; it's just amending workflows and processes around it that's giving me grief.
I have tried to change the UIE username to something more like the admin username, but nothing kicks in to change what it was before to what I want now. Is there another way other than enrolling?
Posted on 04-01-2024 05:37 AM
Here's one I modified for our use:
https://community.jamf.com/t5/jamf-pro/jamf-laps-tools/td-p/297145
Posted on 04-10-2024 06:48 AM
Hi there,
I'm having the same issue. Essentially, the password will work once for login, then it can be used in a terminal, etc, but after a restart, it fails to let the admin log in. We're currently looking for a solution. Have you had any luck finding one?
Thank you
Posted on 04-10-2024 06:56 AM
Not so far, the problem is with the keyvault that was activated on the admin account. There seems to be a chance to fix it if you decrypt the drive, remove anything related to the keyvault, and reactivate it. But I am unable to upload a new key in Jamf. Still stuck on the issue.
Posted on 05-02-2024 10:00 AM
Has anyone gotten any direction from Jamf around this issue? I'm seeing something similar, I believe, to @TraianNiculai. We wiped an already enrolled machine (erase volume, reinstall OS) in Jamf, and after a reinstall of the OS and re-enrollment in Jamf the LAPS account pw does not work.
Posted on 08-09-2024 04:18 PM
Hi, I believe I’m seeing similar behaviour in our dev environment.
Affected Mac is running Sonoma 14.6.1.
PreStage admin account password gets changed after DEP enrolment and works when logging in/authenticating from another account. However, after a third password rotation, the password no longer works (nor do the previous ones).
About to log a ticket with Jamf, just checking to see if anyone in this thread had any updates to add?
Posted on 08-12-2024 12:57 AM
Hi,
From my point of view, this is by design. It is supposed to work like this, but no further investigation was done by us on this. We created a second admin account in order to be able to help users when this was the case, and reinstalled the MacBooks when someone had left the company.
Posted on 08-12-2024 01:15 AM
My Pre-Stage local admin account works when logging in, but after the third try or log out and try to log back in, it stops. I end up using the UIE LAPS account, which is fine. There's a design fault on Jamf's side. Had a call with them, but it didn't help.
Posted on 08-12-2024 01:34 AM
Thanks, I appreciate the feedback! 😊
The reason I'm particularly concerned with this behaviour is that our Pre-Stage local admin account is often used to rescue customer accounts with SecureToken issues. In most cases, this account is the only account with a valid SecureToken, so if it gets borked due to LAPS, then the only alternative is personal recovery key to reset password (on FV encrypted Macs). Else customers are looking down the barrel of a re-image (unless I'm overlooking other workflows).
Posted on 08-12-2024 02:30 AM
When FV2 is enabled, I had to get the device into recovery mode, provide the PRK, reset the account password, and then they could log back in. I agree the Pre-Stage account should work regardless, but I've had to adapt. Jamf hasn't been much help with that.
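Several posts above report the same three-way mismatch (the password shows as rotated in inventory but is rejected on the Mac, or it works for ARD but not for System Settings or FileVault, or the account has lost its SecureToken). The script below is an added diagnostic, not from this thread or from Jamf, that checks those three things on the device itself using only built-in macOS tools; it assumes it is run as root with the account name as its first argument.

```shell
#!/bin/sh
# Added diagnostic for a LAPS-managed local admin: does the password authenticate
# locally, does the account hold a SecureToken, and is it FileVault-enabled?
# Assumed usage (root, on macOS): sh laps_check.sh <adminuser>  (password via stdin)

# Reduce `sysadminctl -secureTokenStatus <user>` output to ENABLED/DISABLED/UNKNOWN.
# Typical line: "sysadminctl[412:9087] Secure token is ENABLED for user admin"
token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled user.
# Succeeds only when $1 appears as a username in the listing passed as $2.
fv_enabled_for() {
  printf '%s\n' "$2" | cut -d, -f1 | grep -qx "$1"
}

# Map the three results onto the symptom each one explains.
verdict() {
  if [ "$1" != ok ]; then
    echo "password rejected locally: inventory and device are out of sync"
  elif [ "$2" != ENABLED ]; then
    echo "password works but no SecureToken: cannot unlock FileVault or grant tokens"
  elif [ "$3" != yes ]; then
    echo "SecureToken present but not FileVault-enabled: FV pre-boot login will fail"
  else
    echo "account healthy"
  fi
}

run_checks() {
  user="$1"
  stty -echo 2>/dev/null; printf 'Password for %s: ' "$user"; IFS= read -r pw
  stty echo 2>/dev/null; echo
  # dscl -authonly exits 0 only if the local directory accepts the password.
  # Caveat: the password is briefly visible in the process list while dscl runs.
  if dscl . -authonly "$user" "$pw" >/dev/null 2>&1; then auth=ok; else auth=fail; fi
  token=$(token_state "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
  if fv_enabled_for "$user" "$(fdesetup list 2>/dev/null)"; then fv=yes; else fv=no; fi
  echo "auth=$auth securetoken=$token filevault=$fv"
  verdict "$auth" "$token" "$fv"
}

# Live checks run only on macOS and only when an account name was given.
if [ "$(uname)" = Darwin ] && [ -n "${1:-}" ]; then run_checks "$1"; fi
```

If the first line of the verdict fires even though the Jamf inventory shows a fresh password, the device and the server have diverged and the password in inventory should not be trusted for that Mac.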