admin LAPS password not working

TraianNiculai
New Contributor III

Hello, we have enabled LAPS from the API with the default settings for our local admin account. While the password has been changed for all devices, the admin password works a few times and after that the password is no longer working. We waited for password rotation; still not working. The device is connected to the internet, so it should get the new password. We have tried to change it from the API, and if we look in device inventory the password has changed, but it still does not work on the device.


Devices with OS versions from 13.x to 14.x are affected.


Has anyone encountered this issue?


Regards,

Traian


AJPinto
Honored Contributor III

I would not be shocked to learn that whatever function Jamf is using to do this was not added until macOS 13, especially considering it's working on macOS 13 and 14.


I do caution you against running anything other than the most current build of macOS. macOS 12 (and 13) do not receive patches for all known vulnerabilities, and macOS 12 will be retired in about 6 months and get no further updates at all.

Note: Because of dependency on architecture and system changes to any current version of Apple operating systems (for example, macOS 14, iOS 17, and so on), not all known security issues are addressed in previous versions (for example, macOS 13, iOS 16, and so on).

About software updates for Apple devices - Apple Support

I have managed to update the device to the latest version of the OS, but the issue still persists. What is worth mentioning, we also have a FileVault policy. After the first password rotation, the policy tried to activate FileVault and failed. After that the admin password stopped working.


roiegat
Contributor III

Check your settings using this guide:

https://community.jamf.com/t5/tech-thoughts/how-to-securely-manage-local-admin-passwords-with-jamf-p...

I found some of our settings were off and had to be adjusted for it to work.

KMak84
Contributor

I too have followed that article, but even now it still makes no sense.
No choice but to raise a ticket with Jamf Support.
I can ARD on to the user's machine with the LAPS password, but when trying to unlock System Settings or run a local package install it does not work.

roiegat
Contributor III

There are a couple of scripts on Jamf Nation that will assist with the lookup as well. I found one that worked and modified it for use in our environment.

Also keep in mind that once you look up a password, it gets rotated in 60 minutes.

Could you pass on the links for those scripts, please? Don't get me wrong, the idea of LAPS is great; it's just amending workflows and processes around it that's giving me grief.

I have tried to change the UIE username to something more like the admin username, but nothing kicks in to change what it was before to what I want now. Is there another way other than enrolling?

roiegat
Contributor III

franconiaridge
New Contributor

Hi there,

I'm having the same issue. Essentially, the password will work once for login, then it can be used in a terminal, etc., but after a restart it fails to let the admin log in. We're currently looking for a solution. Have you had any luck finding one?


Thank you

Not so far. The problem is with the keyvault that was activated on the admin account. There seems to be a chance to fix it if you decrypt the drive, remove anything related to the keyvault, and reactivate it. But I am unable to upload a new key in Jamf. Still stuck on the issue.

bmack99
Contributor III

Has anyone gotten any direction from Jamf around this issue? I'm seeing something similar, I believe, to @TraianNiculai. We wiped an already enrolled machine (erase volume, reinstall OS) in Jamf, and after a reinstall of the OS and re-enrollment in Jamf the LAPS account password does not work.

Adminham
New Contributor III

Hi, I believe I’m seeing similar behaviour in our dev environment.

Affected Mac is running Sonoma 14.6.1.

PreStage admin account password gets changed after DEP enrolment and works when logging in/authenticating from another account. However, after a third password rotation, the password no longer works (nor do the previous ones).

About to log a ticket with Jamf, just checking to see if anyone in this thread had any updates to add?

Hi,


From my point of view, this is by design. It is supposed to work like this, but no further investigation was done by us on this. We created a second admin account in order to be able to help users when this was the case, and reinstalled the MacBooks when someone had left the company.

KMak84
Contributor

My Pre-Stage local admin account works when logging in, but after the third try, or after logging out and trying to log back in, it stops. I end up using the UIE LAPS account, which is fine. There's a design fault on Jamf's side. Had a call with them, but it didn't help.

Adminham
New Contributor III

Thanks, I appreciate the feedback! 😊

The reason I'm particularly concerned with this behaviour is that our Pre-Stage local admin account is often used to rescue customer accounts with SecureToken issues. In most cases, this account is the only account with a valid SecureToken, so if it gets borked due to LAPS, then the only alternative is personal recovery key to reset password (on FV encrypted Macs). Else customers are looking down the barrel of a re-image (unless I'm overlooking other workflows).

KMak84
Contributor

When FV2 is enabled, I had to get the device into recovery mode, provide the PRK, reset the account password, and then they could log back in. I agree the Pre-Stage account should work regardless, but I've had to adapt. Jamf hasn't been much help with that.