3 weeks ago
Hey guys,
This past summer I updated a couple computer labs from Monterey to Sonoma and I was able to log in with it.
I tried to log in to one of the MacBook Airs this week and it's not accepting my password. I grabbed another laptop from the lab and same thing. This has never been an issue in the past and I know I am entering the correct password. The account is created in the PreStage Enrollment.
I did some looking into this to see if anyone else is having this issue. It sounds to me like it could be a LAPS issue.
I watched a couple of JNUC videos about LAPS and read a post about "How to Securely Manage Local Admin Passwords with Jamf Pro and LAPS". I never turned it on and I checked my Computer Management->Security settings and my jamfinstance/API and it looks like it's still off.
Anyone else have this issue or have any ideas?
Thanks!
3 weeks ago
Check your computer's inventory record.
If it was enabled for LAPS, then you'll see it listed under the General settings > Managed Local Administrator Accounts.
If the account isn't LAPS managed, then something else is happening.
3 weeks ago
Sorry, do you mean here (see screenshot)?
Thanks for your reply.
3 weeks ago
Once a computer is LAPS managed, it stays LAPS managed even if you turn off the feature. Turning it off only affects computers going forward.
Check the computer's inventory record under General settings > Managed Local Administrator Accounts.
3 weeks ago
Thanks for that. I go there and then click on "View accounts and passwords" and it takes me to Local Users Accounts. I see Username, Source & Password. Under Password is "View". When I click that it says: "Rotating after viewing. Viewing the password will cause the password to rotate in 1 hour."
Does that mean LAPS is on? Every setting I see in Jamf, it is not on. I never turned it on myself.
3 weeks ago
Yes, that's right. LAPS is enabled for that account.
Regardless of how it happened, you can either erase and re-enroll the computer, which is pretty heavy-handed, or use a policy to delete the account on affected computers and recreate it.
3 weeks ago
I feared as much. I'm afraid that if I erase and re-enroll it will just be LAPS enabled again. I haven't made any changes. Especially not to turn it on.
The laptops are leased, and will be replaced next summer. Any tips on where to look to make sure it's not on? Again any setting I've looked at it's not on. So I'm confounded why this is happening.
If I delete the account and recreate it, won't I run into a Secure Token issue?
Thank you for your help :).