Jamf Nation Community

p.s.  That administrator LAPS cryptographic issue is described as follows:

Note:

Jamf does not recommend using MDM LAPS for password rotation if the account needs to use FileVault or authorize software updates on computers with Apple silicon. Rotating a managed local administrator account password from the PreStage enrollment that has become cryptographically enabled with a secure token will result in the login password being changed. However, the new password will not work for cryptographic user authentication purposes.

in the documentation here:  https://learn.jamf.com/en-US/bundle/jamf-pro-documentation-current/page/Automated_Device_Enrollment_...

about 3/4 or so of the way down the article.

Generally speaking, Jamf Pro on Prem and Jamf Cloud would be configured and managed the same. Jamf Cloud adds a few extra features but just grow into them as a feature add and don’t plan to deploy them from the get-go. 

As far as LAPS. We use a security tool for handling local account password rotations, it also has a secure token so it can rotate any accounts password and not just one created a very specific way during device enrollment. Jamf's LAPS is well and good, as is rocket mans, but if you want a truly secure environment you usually need to pay for a purpose-built tool.

If you’re setting up macOS with Jamf and Intune, here are a few best practices to streamline the process and ensure a smooth user experience:

Use DEPNotify for DEP Setup – Instead of relying on the custom Jamf Pro enrollment workflow, DEPNotify makes it much easier to configure and guide users through the setup. It provides a clear, structured UI and helps automate tasks, making the deployment process more efficient and user-friendly.

Avoid User Enrollment if Possible – User enrollment has significant limitations, especially in enforcing policies and deploying managed settings. Instead, go with Automated Device Enrollment (ADE) whenever possible to ensure better control and compliance.

Set Up Compliance in Intune – To ensure the Company Portal app works correctly, create a compliance policy in Intune. This will allow conditional access policies to function properly and keep devices compliant with security requirements. Without this, users may experience issues accessing corporate resources.

Use SCEP for Certificate Deployment – For a seamless certificate distribution process, leverage SCEP (Simple Certificate Enrollment Protocol) with Jamf Proxy. This ensures devices get the necessary certificates securely, reducing manual work and potential security risks.

Enable Firewall via Configuration Profile – It’s crucial to enable the macOS firewall via a configuration profile and restrict two-way communication to only the necessary apps. This improves security while allowing essential services to function correctly without exposing the device to unnecessary risks.

These steps will help create a more secure, automated, and user-friendly macOS deployment. Let me know if you need further details!