Posted on 11-29-2023 03:36 AM
We're currently running Jamf Pro 10.48.2 (on prem) to manage our macOS estate (mainly MacBooks) and looking to update to Jamf Pro 11. We held off due to the implementation of LAPS, however we're now looking to complete the prep work to make use of that functionality.
At the moment Macs are AD domain bound and users get a mobile account. We don't currently make use of any Automated Device Enrollment or PreStage Enrollment, but instead use User Initiated Enrollment with some manual pre-provisioning steps prior to device enrollment. One of those steps is the creation of a local administrator account. The way we provision and enroll will change in the near future when we move to Jamf Cloud and Jamf Connect. FileVault is enabled as part of the enrollment process, so the original administrator account created gets a secure token, as do subsequent users that log in.
In Jamf UIE settings, the management account is configured, but with the same credentials as the local account that gets created. The 'Create management account' setting is not enabled.
I have the following questions:
1. With the 'Create management account' setting not being enabled, is a management account actually being configured in any way on the device, given that we have the local account using those same credentials?
2. Since the 'Create management account' setting must be enabled in order to use Jamf LAPS, we'd need to change the name of either the local account we initially set up or the management account name so that they don't conflict. Will this have any consequences for existing machines? How would one get LAPS functioning for those existing machines?
3. What prep work is required to get Jamf LAPS functioning in our setup?