Posted on 12-19-2023 07:45 AM
Hello Everyone,
In preparation for the JAMF LAPS rollout and the deprecation of the macOS admin account static passwords, I was hoping to get some headway on converting all the local admin accounts that have been created upon enrollment to be MDM-enabled. We have 125 machines that are enrolled but the local admin account is not MDM-enabled. From my understanding of the JAMF Pro documentation, am I going to need to unenroll and reenroll all of the machines on our JAMF Pro instance (125 machines)?
Is there a command that I can push via Policy to make all the local admin accounts MDM-enabled? It seems like a lot more footwork having to pretty much touch all machines again (as we just did this for JAMF Connect recently).
Aside from that, as we have a good amount of extra machines that just sit in a cabinet, how are we to account for machines that don't check in with JAMF? Would a policy that runs "sudo jamf-recon" upon start-up suffice? What about if a device does not check in anymore with JAMF due to a variety of reasons? Would we need to reimage the computer, or would the last password that JAMF has in store work for that admin account?
Any help would be appreciated.
Posted on 12-19-2023 01:26 PM
From what I understand, reading the documentation and talking to Jamf support, any admin account created during the PreStage enrollment is eligible for LAPS.
For devices that haven't checked in for some time, LAPS should apply to them on the next check-in. If a device will no longer check in with Jamf even when online, you'll need to determine the cause and fix that before LAPS will be enabled. Without knowing a specific cause it's hard to say what steps you would need to take.
Posted on 12-19-2023 01:42 PM
So if I were to go into the JAMF Settings and enable the "MDM-Enabled" setting for the admin account, that should in theory make all admin accounts MDM-Enabled for the devices that we have already enrolled?
I would test this but we do not have a testing Server as we are on the Cloud.
Posted on 12-19-2023 01:59 PM
No, checking that box would not change already deployed accounts. The admin account does not need to be MDM enabled for LAPS. Here's the explanation from Jamf on MDM enabled accounts:
"MDM-enabled local user accounts allow you to manage the following user-specific settings on computers:
Deploy user-level configuration profiles.
Receive the EDU profile via the user channel for managed classes.
For more information, see Classes."
MDM-Enabled Local User Accounts - Jamf Pro Documentation 11.1.0 | Jamf
Posted on 12-19-2023 02:16 PM
Just a suggestion. If you are on Cloud, email success@jamf.com and ask them for a test environment. You are eligible for a limited test Jamf Cloud instance.
Posted on 12-19-2023 02:14 PM
LAPS accounts have nothing to do with the MDM Enabled accounts. MDM enabled accounts are local accounts that can use user level profiles. If you don't use user level profiles, you don't need to worry about MDM enabled.
The "MDM" account referenced regarding LAPS is the hidden local admin account that is an optional creation during setup. In your PreStage, you can create a local admin account in addition to (or instead of) creating a local account during setup. By default, this account is NOT LAPS enabled. You must use an API command to enable LAPS for the MDM account. Once it is enabled, this MDM account's password will be rotated based on the schedule. (Jamf has announced that the MDM enabled account will no longer allow a static password in a future release of Jamf Pro. If that affects your workflow, please file feedback with Jamf.)
There is another LAPS enabled account that is ON by default. This is the Jamf Management account that is set up in the User Initiated Enrollment setting. If you have this set up (it was pretty much optional for the past several years), LAPS is already enabled, and passwords are being rotated for this account.
If you go into your Computer Inventory record, you can see what accounts are available to LAPS. They are listed as "Managed By".
If you have neither of these accounts available, then you will need to re-enroll the computer.
Using LAPS is optional. Are your users local admins? If so, there really is no need to worry about LAPS at this point.
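One way to check the two things this reply describes (the tenant-wide LAPS switches, and which accounts on a given Mac Jamf reports as LAPS-managed, so you can spot the Macs that would need re-enrollment) from the Jamf Pro API. This is an added example, not code from the thread or from Jamf; the endpoint paths and the autoDeployEnabled/autoRotateEnabled/userSource field names are assumptions taken from the Jamf Pro API v2 LAPS documentation, and the sample responses are constructed.

```python
"""Audit Jamf Pro LAPS state: tenant switches plus which accounts on one Mac are LAPS-managed.
Added example (not from the thread or Jamf). Endpoints below are assumptions from the Jamf Pro
API v2 LAPS docs; verify paths and field names against your instance's /api/doc."""
import json
import os
import sys
import urllib.request

SETTINGS_PATH = "/api/v2/local-admin-password/settings"
ACCOUNTS_PATH = "/api/v2/local-admin-password/{management_id}/accounts"

def api_get(base_url: str, token: str, path: str) -> dict:
    """GET a Jamf Pro API path with a bearer token and return the parsed JSON body."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def summarize_settings(settings: dict) -> str:
    """Describe the tenant-wide LAPS switches (autoDeploy/autoRotate field names assumed)."""
    deploy = "ON" if settings.get("autoDeployEnabled") else "OFF"
    ttl = settings.get("autoRotateExpirationTime")
    rotate = f"ON every {ttl}s" if settings.get("autoRotateEnabled") else "OFF"
    return f"MDM LAPS auto-deploy {deploy}, auto-rotate {rotate}"

def laps_accounts(accounts_json: dict) -> list:
    """Return (username, source) for every account Jamf reports as LAPS-managed on one Mac."""
    return [(a["username"], a.get("userSource", "UNKNOWN")) for a in accounts_json.get("results", [])]

def needs_reenroll(accounts_json: dict) -> bool:
    """True when no account is LAPS-managed: the re-enroll case described in the thread."""
    return not laps_accounts(accounts_json)

# Constructed sample responses so the script also runs offline (when JAMF_URL is not set).
SAMPLE_SETTINGS = {"autoDeployEnabled": False, "autoRotateEnabled": True, "autoRotateExpirationTime": 3600}
SAMPLE_ACCOUNTS = {"results": [{"username": "macjamf", "userSource": "JAMF_MANAGEMENT"}]}

if __name__ == "__main__":
    if os.environ.get("JAMF_URL"):  # live mode: JAMF_URL, JAMF_TOKEN and a management ID argument
        base, tok = os.environ["JAMF_URL"], os.environ["JAMF_TOKEN"]
        settings = api_get(base, tok, SETTINGS_PATH)
        accounts = api_get(base, tok, ACCOUNTS_PATH.format(management_id=sys.argv[1]))
    else:
        settings, accounts = SAMPLE_SETTINGS, SAMPLE_ACCOUNTS
    print(summarize_settings(settings))
    for user, src in laps_accounts(accounts):
        print(f"LAPS-managed: {user} ({src})")
    if needs_reenroll(accounts):
        print("No LAPS-managed account on this Mac: it would need re-enrollment")
```

The management ID is the computer's `managementId` from the inventory record; the bearer token should come from an API role limited to reading LAPS settings and accounts, not one that can read passwords.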
Posted on 12-20-2023 03:20 AM
Hi @Tribruin ,
The MDM account (with static password) is not hidden in our case, and the password is shared across the Helpdesk team to use that account to complete the build workflow.
The MDM account has FileVault enabled. Can LAPS be enabled on this account?
Thanks in advance
Posted on 12-20-2023 06:21 AM
I am not 100% sure what will happen there. The MDM created account is handled differently than the Jamf Management account when it comes to password rotation. Jamf will be using an MDM command to rotate that password.
Normally Jamf cannot rotate a FV enabled password, but the MDM command may have different capabilities. Might be a good idea to open a ticket with Jamf and see what is going to happen.
And, again I stress, if Jamf enabling LAPS on the MDM created administrator account is going to cause a workflow issue, open a ticket and explain. I am hoping Jamf will hold off on making this a forced change and leave it optional.
Posted on 12-20-2023 06:33 AM
Thanks @Tribruin!
I'll open a support case.
Posted on 12-20-2023 08:02 AM
Gotcha, yeah, after a conversation with our coordinator this is the route that we are going to be going down: adding our admin accounts for our agency to be able to sign in and create a local admin account. Our only worry is that which was stated below; since the MDM created local admin account has the FileVault password, we can foresee workflow issues when it comes to how that account is handled with a rotating password. I have a ticket open with Jamf and I'll voice our concerns. Thank you for your help!
Posted on 01-01-2024 05:34 AM
Hi @belacwesd
First of all Happy New Year!
Unfortunately the support guy is not that helpful. Have you got any positive feedback from your side?
At this point I am thinking of implementing Joshua's LAPS solution.
Posted on 01-03-2024 07:21 AM
Hi @Ryy,
Yes, we were able to talk with JAMF personnel who knew what they were talking about and guided me to what I needed to know. I was informed that admin accounts that are created in the PreStage for the MacBooks will not be affected when it comes to being LAPS enabled. The account that is going to be LAPS enabled is the hidden account, as @Tribruin mentioned. The place you find this account is in your settings: Global > User-initiated enrollment > macOS > Management Account. That section says it is an "Account to be used for managing computers enrolled via a PreStage enrollment or user-initiated enrollment."
This is such an obscure spot to have admin account information held, but it is what it is. This will be the account that is going to be LAPS enabled once the "switch" is flipped. So if you have a default admin account that your FileVault key is stored with, you should be fine.
On another note, I wish that the JAMF Help Desk was all equally versatile in knowing what they were talking about, because it took me 3 calls before I finally got on with an agent who knew the answer I needed.
Posted on 01-04-2024 05:16 AM
Hmm.
But in this documentation (Types of LAPS - Technical Paper: Local Administrator Password Solution for Jamf Pro | Jamf), the hidden account is already LAPS enabled and is always on.
The account that is going to be LAPS enabled is the one created in PreStage Enrollment Computers -> PreStage Enrollments -> Account Setting -> Create local admin account before Setup Assistant.
Or am I missing something?
Posted on 01-04-2024 05:21 AM
We have a local admin account created during PreStage Enrollment called "macadmin"
and another account during UIE called "macjamf". If I understand "macadmin" won't be affected when LAPS is enabled?
Posted on 01-05-2024 01:27 PM
Apologies, I was investigating yesterday but things got really busy. So if I remember correctly, when Jamf says they are going to enable the LAPS feature, they will enable it but only for the account that is found here: Global > User-initiated enrollment > macOS > Management Account.
I'm not sure why the documentation says that JAMF LAPS is enabled and always on, as if you see here, on our Cloud-hosted JAMF instance, it is not on for ours.
But long story short, the account that gets created in the PreStage will not be affected (I imagine that JAMF realizes that a lot of people probably have the FileVault key linked to that account, so it would probably cause a lot of issues). The account that will have JAMF LAPS enabled is the one found at: Global > User-initiated enrollment > macOS > Management Account
Posted on 01-05-2024 01:31 PM
Apologies, I realize now that the photo I sent was an example value as to what we would get, not the actual state of our JAMF instance. Nonetheless, the information that I got from JAMF support was that the only account that would be affected by the LAPS enablement, or is affected by it, is the one found at: Global > User-initiated enrollment > macOS > Management Account
Posted on 01-16-2024 12:18 AM
Hi @belacwesd ,
Thanks for this info! Hopefully LAPS will only be enabled on the account you've mentioned (Global > User-initiated enrollment > macOS > Management Account), or else it will cause a lot of issues on our estate.
Again thank you and have a great day!