2 weeks ago
I’ve noticed that when using JAMF LAPS, it correctly rotates local administrator passwords as expected. However, I’ve encountered an issue where the secure token becomes corrupt, typically when attempting to perform a software update. From what I can tell, this happens when JAMF LAPS rotates the password. Could you confirm whether the secure token is updated when the password is changed?
Additionally, I used to find JAMF highly customisable with scopes and smart groups, but I’ve noticed that JAMF LAPS applies universally without an option to exclude specific devices. I wish there was a way to adjust this.
2 weeks ago
Which account are you using for LAPS? The PreStage or jamf binary (i.e. user-initiated) account? It is my understanding that only the jamf binary account can have a secure token, but then again I don't grant either of these accounts a token.
Feel free to submit a feature request about the customisable option you mentioned. Might be worth searching first to see if there isn't already one there.
Shannon
2 weeks ago
It happens to all Local Accounts. It's even worse when the bootstrap token isn’t escrowed, as it prevents the creation of new accounts with a secure token.
2 weeks ago
If the bootstrap token isn't escrowed then you will have issues, so if that's not escrowing then it'd be worth investigating that.
It might be worth looking into an alternative approach for which account has a secure token. Perhaps a non-PreStage or non-jamf-binary account that you can grant a token to. Alternatively, reach out to Jamf Support.
2 weeks ago
I've just granted my jamf binary account a secure token so I'll see what happens in an hour when the LAPS password rotates.
2 weeks ago
So the password has been rotated and the account still has a secure token. Seems like maybe the bootstrap token you have could be causing this.
2 weeks ago
Feature Request for JAMF LAPS Scoping is here -> https://ideas.jamf.com/ideas/JPRO-I-1101
2 weeks ago
There is also this one related to API: https://ideas.jamf.com/ideas/JPRO-I-188
That said, Jamf supports two LAPS-enabled accounts; through the API they are identified as JMF (the standard Jamf account) and MDM (the PreStage enrolment account). Per their documentation, only the standard Jamf account (JMF in the API) supports accounts with Secure Tokens; the PreStage enrolment account (MDM in the API) does not. The latter is an Apple macOS limitation, since password changes to that account are completely handled over the Apple Push Notification network: all Jamf Pro does is ask the APN network to change the password. The former (JMF) is completely handled by the jamf binary on the computer, allowing it to change the password securely and maintain the Secure Token status.
See https://learn.jamf.com/en-US/bundle/technical-paper-laps-current/page/LAPS_Account_Comparison.html
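Before opening a support case for the behaviour discussed in this thread, it helps to know exactly which local accounts hold a Secure Token and whether the Bootstrap Token is actually escrowed. The script below is an added example, not code from the thread or from Jamf. It uses only Apple's own CLIs (sysadminctl, profiles, dscl, diskutil); the string patterns it matches ("Secure token is ENABLED/DISABLED for user", "Bootstrap Token escrowed to server: YES/NO") are assumed from the text those commands print on current macOS, and the `healthy` rule (escrowed plus at least one tokened account) is this example's own definition of a sane state.

```bash
#!/bin/bash
# Added example (not from the thread or from Jamf): audit which local accounts hold a
# Secure Token and whether the Bootstrap Token is escrowed to the MDM server.
# Only Apple's own CLIs are used: sysadminctl, profiles, dscl, diskutil.

# Classify one line of `sysadminctl -secureTokenStatus <user>` output (it prints to stderr).
# The matched strings are assumed from what sysadminctl prints on current macOS.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Classify the output of `profiles status -type bootstraptoken` (assumed format).
parse_bootstrap_escrow() {
  case "$1" in
    *"escrowed to server: YES"*) echo YES ;;
    *"escrowed to server: NO"*)  echo NO ;;
    *)                           echo UNKNOWN ;;
  esac
}

# Given the escrow state and a newline-separated list of "<user> <status>" pairs,
# return 0 only if the Bootstrap Token is escrowed AND at least one account holds a
# Secure Token. Anything else returns 1 so a policy or extension attribute can flag the Mac.
healthy() {
  escrow="$1"; table="$2"
  [ "$escrow" = YES ] || return 1
  printf '%s\n' "$table" | grep -q ' ENABLED$'
}

# Live audit, macOS only. Lists every local account with UID >= 500, which is where
# the LAPS, PreStage and any extra recovery admin accounts live.
audit() {
  if [ "$(uname)" != Darwin ] || ! command -v sysadminctl >/dev/null 2>&1; then
    echo "audit: requires macOS" >&2
    return 2
  fi
  escrow=$(parse_bootstrap_escrow "$(profiles status -type bootstraptoken 2>&1)")
  table=""
  for u in $(dscl . -list /Users UniqueID | awk '$2 >= 500 {print $1}'); do
    st=$(parse_token_status "$(sysadminctl -secureTokenStatus "$u" 2>&1)")
    table="${table}${u} ${st}
"
    printf '%-20s %s\n' "$u" "$st"
  done
  echo "Bootstrap Token escrowed: $escrow"
  # Cross-check: the APFS crypto users are the tokened accounts as the volume sees them.
  diskutil apfs listCryptoUsers / 2>/dev/null
  healthy "$escrow" "$table"
}

if [ "${1:-}" = "--run" ]; then
  audit
fi
```

Run it as `sudo ./token_audit.sh --run` before and after a LAPS rotation: if an account shows ENABLED before and DISABLED after, the rotation itself is stripping the token; if the Bootstrap Token line reads NO, fix escrow first, as the replies above suggest, since without it a newly created account cannot be granted a token.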
2 weeks ago
It's all a bit of a mess. I've noticed that the Jamf binary account never receives a secure token, while the prestage account might get one. Additionally, our extra local admin recovery account (created because the first two were unreliable) may receive a secure token, but only if we log in at the desktop rather than via SSH. That account can only get a secure token, because we force the bootstrap token to happen.
2 weeks ago
Sounds like something else is happening that is breaking the secure token on either of your LAPS accounts. Could be the bootstrap token, but I'm not really sure, as it's been pretty reliable in my experience. Perhaps it's worth reaching out to Jamf Support.