We want to start a cadence of changing our localadmin password and I'm torn on the best way to do it, so I'm hoping to get some insight.
Currently we have a Management Account set up in User-Initiated Enrollment. If I change the password there, I'm afraid that only new Macs that we enroll will get the new password on the localadmin account.
I've thought about creating a Policy to create an admin account so we can manage the passwords that way, then creating a short-term Policy to remove the current localadmin account. However, I'm reading that creating a Policy for an admin account and enabling it for FileVault has issues with APFS.
What might be the best option to go with? Ideally, I would like to go with the Policy option, since in theory we could enable it for FileVault out of the gate.