The Administrator account created in the PreStage Enrollment does not have the ability to unlock the disk via FileVault after the password is rotated via Jamf Pro LAPS, and this is causing issues for our techs. If they log in to the system, perform some operations, and then return to the computer later, they find they are not able to log in as Administrator at the FileVault Login screen.
However if we create an additional administrator account i.e. ‘jamfadmin’, and manually enable it for FileVault, that password is viewable in the Jamf Pro web UI and rotated regularly/after viewing. Because Administrator is the first account created and the one with the initial Secure Token, we need that one to be always and easily accessible.
We are a long way off zero-touch due to ageing infrastructure that will hopefully be replaced in the coming years, but in the meantime we require the ability to have our techs log in with an administrator level account at the FileVault login screen, and be able to recall the LAPsed password easily going forward in case the user runs into issues/needs an operation performing on the console itself. Our security team would like us to use LAPS for our Administrator Level accounts and from a personal POV I always like to use the built-in Jamf Pro functionality wherever possible. Before Jamf Pro LAPS came along we used macOSLAPS, but we always found that to be very hit and miss in terms of storing passwords in AD (yes we still bind to AD!)
Does anyone have a similar workflow? Is there a way of having our techs log in as Administrator first, doing any final checks and setup, then handing over to the customer - but then being confident that they can log in with the same account sometime in the future?
