macOS LAPS

N30
New Contributor III

We are looking for a LAPS implementation for our macOS devices. We utilize Jamf Pro and Jamf Connect.

Our MacBooks are bound to Jamf Connect.

I had a look at MacOSLAPS; however, this solution requires AD integration.

Is there another reliable LAPS solution that doesn't need AD integration?

We do have an Intune subscription (but we only use that for our Windows devices).

rickgmac
Contributor

MacOSLAPS is not reliant on AD integration. It is just an option.

We have it configured in various environments with no AD Server.

Look at their Jamf extension attributes to capture and record the LAPS details.

N30
New Contributor III

Thanks for the confirmation.

TheITGuy69
Contributor

Technically, if your users are local admins, you don't need a secondary admin account, which will make the device more secure; plus there is more overhead because you would want to make the LAPS admin account with SecureToken access. Just my 2 cents...

N30
New Contributor III

Our users are not local admins.

MacJunior
Contributor III

@TheITGuy69 could you elaborate why it's needed to have LAPS for an admin account with SecureToken granted?

Sorry, I need to change my notification settings so I can reply quicker.

What happens when you have a FileVault issue? Or the user's password doesn't work with FileVault even though it should, especially after a recent password reset that doesn't sync properly? The LAPS account, although an admin, won't be able to unlock FileVault, and it's a headache to manage to make sure it can be SecureToken granted.

We are moving away from this scenario. As long as the primary account of the device is an admin with SecureToken or FileVault access, and you have the FileVault key escrowed in Jamf, you don't need the LAPS account. If anything should happen, you can provide the user with the FileVault key to log into Recovery and their local password.
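The SecureToken gap described in the reply above, as an added example that is not code from any poster or from MacOSLAPS: a Jamf extension attribute (the kind rickgmac mentions) that reports whether the managed local admin account holds a SecureToken on a FileVault-enabled Mac, so the "admin but cannot unlock FileVault" condition shows up in inventory. ADMIN_ACCOUNT is an assumed placeholder name; the status strings are parsed from the real `sysadminctl` and `fdesetup` output.

```shell
#!/bin/bash
# Added example for this thread (not code from any poster or from MacOSLAPS):
# a Jamf extension attribute that reports whether the LAPS-managed local admin
# account holds a SecureToken on a FileVault-enabled Mac, making the
# "admin but cannot unlock FileVault" gap discussed above visible in inventory.
# ADMIN_ACCOUNT is an assumed placeholder; set it to your managed admin name.
ADMIN_ACCOUNT="${ADMIN_ACCOUNT:-localadmin}"

# Classify `sysadminctl -secureTokenStatus <user>` output (written to stderr).
parse_token_status() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo "ENABLED" ;;
        *"Secure token is DISABLED"*) echo "DISABLED" ;;
        *)                            echo "UNKNOWN" ;;   # e.g. account missing
    esac
}

# Classify `fdesetup status` output.
parse_fv_status() {
    case "$1" in
        *"FileVault is On"*)  echo "ON" ;;
        *"FileVault is Off"*) echo "OFF" ;;
        *)                    echo "UNKNOWN" ;;
    esac
}

# Combine both into the condition the thread is worried about: FileVault on but
# the admin account has no token, so it cannot unlock the disk at boot.
assess() {
    local token="$1" fv="$2"
    if [ "$fv" = "ON" ] && [ "$token" != "ENABLED" ]; then
        echo "CANNOT-UNLOCK-FV"
    else
        echo "OK"
    fi
}

# Format as a Jamf extension attribute result: token / FileVault / assessment.
ea_result() {
    printf '<result>token=%s fv=%s %s</result>\n' "$1" "$2" "$(assess "$1" "$2")"
}

# Live query, only when the macOS tools are present (skipped elsewhere).
if command -v sysadminctl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
    token=$(parse_token_status "$(sysadminctl -secureTokenStatus "$ADMIN_ACCOUNT" 2>&1)")
    fv=$(parse_fv_status "$(fdesetup status 2>&1)")
    ea_result "$token" "$fv"
fi
```

Deploy it as a script-type extension attribute in Jamf Pro and build a smart group on the `CANNOT-UNLOCK-FV` value to find Macs where the LAPS account would not help in a FileVault recovery.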

MacJunior
Contributor III

True, we used to have all our accounts as admin and there wasn't a need to have an "IT localadmin" account at all because we were counting on using the FV recovery key to reset the end user account's password, but recently we're trying to change this scenario. The plan is to demote our accounts to standard and have a localadmin account "without having a secure token" with a LAPS solution in place to make it more secure.

Just curious what your end game is for this scenario. You can create an admin account ad hoc via a script at any time and remove the account when done.

MacJunior
Contributor III

As far as I know you can't deploy a new Mac with just a standard account on it; you have to have an admin account on it as well. In our case it would be a managed admin account created by Jamf.

N30
New Contributor III

Is this true? Can someone confirm this?