Help

MacOS Laps

N30
New Contributor III

Posted on ‎10-27-2022 05:30 PM

We are looking for Laps implementation for our MacOS. we utilize jamf pro and jamf connect.

our Macbook is binded to jamf connect. 

I had a look of MacOSLAPS however this solution require AD integration.

is there another reliable laps solution that doesnt need AD integration?

we do have intune subscription (but we only use that for our windows devices)

0 Kudos
Reply
10 REPLIES 10

rickgmac
Contributor

Posted on ‎10-27-2022 05:58 PM

MacOSLAPS is not reliant on AD integration. It is just an option

We have it configured in various environments with no AD Server.

Look at their Jamf extension attributes to capture and record the LAPS details. 

Reply

N30
New Contributor III
In response to rickgmac

Posted on ‎10-27-2022 06:48 PM

thanks for the confirmation

0 Kudos
Reply

TheITGuy69
Contributor

Posted on ‎10-28-2022 06:03 AM

Technically if your users are local admins , you dont need a secondary admin account which will make the device more secure , plus there is more overhead because you would want to make the laps admin account with secure token access.  Just my 2 cents.....

0 Kudos
Reply

N30
New Contributor III
In response to TheITGuy69

Posted on ‎02-20-2023 08:33 PM

our users is not local admin

0 Kudos
Reply

MacJunior
Contributor III

Posted on ‎10-31-2022 11:49 AM

@TheITGuy69 could you elaborate why it's needed to have laps for admin account with securetoken granted?

0 Kudos
Reply

TheITGuy69
Contributor
In response to MacJunior

Posted on ‎11-09-2022 11:25 AM

sorry, i need to change my notification settings so i can reply quicker. 

What happens when you have a filevault issue? or the users password doesnt work with filevault even though it should especially after a recent password reset and it doesnt sync properly. The laps account although an admin wont be able to unlock filevault. and its a headache to manage to make sure it can be securetoken granted. 

 

We are moving away from this scenario, as long as the primary account of the device is an admin with securetoken or filevault acess , and you have the filevault key escrowed in jamf , you dont need the laps account. if anything should happen you can provide the user with the filevault key to log into recovery and their local password. 

0 Kudos
Reply

MacJunior
Contributor III

Posted on ‎11-09-2022 11:32 PM

True, we used to have all our accounts as admin and there wasn't a need to have a "IT localadmin" account at all cuz we were counting on using FV recovery key to reset the end user accounts's password but recently we're trying to change this scenario, the plan is to demote our accounts to standard and have a localadmin account "without having secure token" with laps solution in place to make it more secure.

0 Kudos
Reply

TheITGuy69
Contributor
In response to MacJunior

Posted on ‎11-10-2022 02:59 PM

Just curious what your end game is for this scenario. you can create an admin account adhoc via a script at anytime and remove the account when done. 

0 Kudos
Reply

MacJunior
Contributor III

Posted on ‎11-10-2022 11:40 PM

as far as I know you can't deploy a new Mac with just a standard account on it, you have to have admin account on it as well in our case it would be a managed admin account created by Jamf.

 

0 Kudos
Reply

N30
New Contributor III
In response to MacJunior

Posted on ‎02-20-2023 08:35 PM

is this true? can someone confirm this?

0 Kudos
Reply