Posted on 10-27-2022 05:30 PM
We are looking for a LAPS implementation for our macOS devices. We utilize Jamf Pro and Jamf Connect.
Our MacBooks are bound to Jamf Connect.
I had a look at MacOSLAPS; however, this solution requires AD integration.
Is there another reliable LAPS solution that doesn't need AD integration?
We do have an Intune subscription (but we only use that for our Windows devices).
Posted on 10-27-2022 05:58 PM
MacOSLAPS is not reliant on AD integration. It is just an option.
We have it configured in various environments with no AD Server.
Look at their Jamf extension attributes to capture and record the LAPS details.
Posted on 10-27-2022 06:48 PM
Thanks for the confirmation.
Posted on 10-28-2022 06:03 AM
Technically, if your users are local admins, you don't need a secondary admin account, which will make the device more secure; plus there is more overhead because you would want to make the LAPS admin account with secure token access. Just my 2 cents...
a month ago
Our users are not local admins.
Posted on 10-31-2022 11:49 AM
@TheITGuy69 could you elaborate on why it's needed to have LAPS for an admin account with SecureToken granted?
Posted on 11-09-2022 11:25 AM
Sorry, I need to change my notification settings so I can reply quicker.
What happens when you have a FileVault issue? Or the user's password doesn't work with FileVault even though it should, especially after a recent password reset when it doesn't sync properly. The LAPS account, although an admin, won't be able to unlock FileVault, and it's a headache to manage to make sure it can be SecureToken granted.
We are moving away from this scenario. As long as the primary account of the device is an admin with SecureToken or FileVault access, and you have the FileVault key escrowed in Jamf, you don't need the LAPS account. If anything should happen, you can provide the user with the FileVault key to log into recovery and their local password.
Posted on 11-09-2022 11:32 PM
True, we used to have all our accounts as admin and there wasn't a need to have an "IT localadmin" account at all, because we were counting on using the FV recovery key to reset the end user accounts' passwords. But recently we're trying to change this scenario: the plan is to demote our accounts to standard and have a localadmin account "without having a secure token" with a LAPS solution in place to make it more secure.
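The two posts above disagree on whether the LAPS-managed admin should hold a secure token. Whichever way an org decides, the state should be recorded rather than assumed; here is an added example (not from the thread, MacOSLAPS or Jamf) of a Jamf Pro extension attribute script that reports the secure token status of a hypothetical `localadmin` account, with the parsing split out so it can be checked offline.

```bash
#!/bin/bash
# Added example: Jamf Pro extension attribute reporting whether the
# LAPS-managed local admin holds a secure token. Not from the thread,
# MacOSLAPS or Jamf; the account name below is a placeholder.

# Hypothetical LAPS admin account name; override via environment if needed.
LAPS_ADMIN="${LAPS_ADMIN:-localadmin}"

# Reduce a captured sysadminctl status line to ENABLED / DISABLED / UNKNOWN.
# Takes the text as an argument so the logic can be tested without macOS.
parse_secure_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *)                            echo "UNKNOWN" ;;
    esac
}

# Query the live system. sysadminctl prints its status line on stderr,
# hence the 2>&1. Returns UNKNOWN when the tool is absent (non-macOS host).
live_secure_token_status() {
    if command -v sysadminctl >/dev/null 2>&1; then
        parse_secure_token_status "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
    else
        echo "UNKNOWN"
    fi
}

# Jamf extension attribute convention: the value inside <result> tags is
# what gets stored in the computer's inventory record.
ea_result() {
    printf '<result>%s</result>\n' "$1"
}

ea_result "$(live_secure_token_status "$LAPS_ADMIN")"
```

Attach the script as a string-type extension attribute and build a smart group on `DISABLED` or `ENABLED` depending on which state your policy expects.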
Posted on 11-10-2022 02:59 PM
Just curious what your end game is for this scenario. You can create an admin account ad hoc via a script at any time and remove the account when done.
Posted on 11-10-2022 11:40 PM
As far as I know you can't deploy a new Mac with just a standard account on it; you have to have an admin account on it as well. In our case it would be a managed admin account created by Jamf.
a month ago
Is this true? Can someone confirm this?