Hi Jamf Nation,
I am wondering what the best practice is for managing local admin accounts on corporate MacOS devices. We have over 500 Silicon Macs in our environment and currently configure a local admin via PreStage Enrollment as well as a policy to push our local admin account to a few non-Business Manager devices. We try to avoid typing this password in locally at all cost, but it happens from time to time. When we need to cycle the password, we do not have an easy way to do this today.
I am skeptical this is the best way to manage local accounts and feel like there should be a solution like FileVault where each device has a unique local admin password that is escrowed in Jamf Pro. In doing some google searches, I found reference to something that may be similar for Windows called LAPS.
What is everyone else doing to securely manage local admin accounts?
What issue are you having with changing local account passwords? I guess I am doing the same thing that you are but have not had issues with changing passwords via the "Local Accounts" policy.
That said there is a MacOS LAPS is a thing (as an open source project) , it has been years since I have seriously looked at it so I am sure it is quite a bit more mature since I have looked at it, and I would assume there would be some third party provider by now.
Hi, I think we found the issue changing the password through Jamf as a mismatch between what was considered complex. So let's remove that issue from the equation.
I continue to wonder if there is a better, more secure, way to manage local admin accounts on our end user devices. I feel like they should have unique auto generated passwords stored in Jamf and cycled after each use.
I've been working on a LAPS solution for macs and have created a couple of scripts to manage the cycle of the password and account creation and an app to show the password when it's needed.
Some other LAPS for mac solutions display the admin password in plain text in Jamf which is a massive security risk. My script encrypts it all and never displays the password unless you use the decryption script which you can scope to just admin users.
I've detailed the setup on my github and the scripts are there as well.
Check it out to see if it does what you need.