Skip to main content

Reposting this from my personal website to gain some visibility. 


UPDATE 1: I'm being told now that this change IS RETROACTIVE. Meaning your dozens/hundreds/thousands of endpoints that have been configured with Prestage enrollment, and an admin account created in that process, will have that password randomized. Which will break Secure Token/Volume Ownership/etc. Maybe you're okay with this, but if you're not, you NEED to reach out to your Jamf Representative and tell them. 


I wanted to bring up that a big change is coming to Jamf soon and they (Jamf) seem to think it’ll be well received all around: forced LAPS for Prestage (ADE/DEP) admin accounts (See bullet 2 here, https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Deprecations_and_Removals.html, “Functionality to specify the local administrator account for computers in a PreStage enrollment”).


And to start with, I applaud Jamf for working on a LAPS solution. All we've ever asked in this whole thing is: Make it optional (for those that already have a solution, or want to see this bake longer). If you know this is going to break your fleet, you need to reach out to your Jamf rep and let them know. 


On it’s face, this sounds great. Static passwords are bad. LAPS is good. Right? Right?!


So yes, Good LAPS is good. Bad LAPS is… bad. Very bad.


First, Jamf is using Apple’s inferior LAPS functionality via the MDM “SetAutoAdminPassword” (https://developer.apple.com/documentation/devicemanagement/set_the_local_administrator_password). This basically just pushes a new hashed password into the OS, which breaks Secure Token and Volume Ownership (due to Apple reality). So Prestage configured admin accounts will no longer have any Crypto permissions (no logging into a Filevaulted computer, Applying updates on Apple Silicon machines, etc.


Second, Jamf is also forcing their same 29 character passwords (like Recovery Lock). 


Jamf has said “you can use the management account!” but many of us with Jamf Pro infrastructures that span several years (with thousands of computers) have management accounts that were used for Jamf Remote, never actual login. Jamf remote is no more, and Jamf decided to repurpose this formerly invisible account to be some kind of “admin” account (I honestly don’t know who they’re talking to sometimes). Those accounts are named who knows what (because it wasn’t visible), have no secure token, and still would rely on Jamf’s immature LAPS.


So, you say, “Just ignore Prestage admin account!” Somewhat easier said than done. If you don’t have that account created via Prestage, you cannot skip account creation (which makes sense, why would you want a computer with no accounts). So, you make the Prestage admin account some throw away account name that you can delete, or use in an emergency with the FileVault recovery key. Then you have a policy create your _real_ admin account. Great (assuming enrollment policies actually run properly). You login, but now notice that that account doesn’t have secure token, and bootstrap hasn’t been escrowed (it’s unclear why this is happening, as the first user to login SHOULD get SecureToken, and bootstrap should escrow. However, having tested this several times on a current macOS 14.2.1 machine, I can confirm this is the behavior). So you have to do the whole “no accounts have secure token, so you can grant secure token to the account itself” (sysadminctl -secureTokenOn username -password “password” -adminUser “username” -adminPassword “password”), and then manually escrow bootstrap (profiles install -type bootstraptoken). All good, but more and more work to work around Jamf’s decisions. 


We’ve spent months trying to convince Jamf to make this change optional. As mentioned, we don’t disagree with LAPS, good LAPS is good. We use it across the fleet of several thousand machines (we used a product called EasyLAPS). We just think their (Jamf’s) implementation is sub-par (and certainly below the level of EasyLAPS, which we pay for because it’s a good product). 


I think Jamf has a blind spot on this, and they’re not properly alerting their users this change is coming, and coming SOON! (we’re being told it’s scheduled for 11.3, which is slated for February). And because they don’t hear anyone upset (other than us?), they think everyone is cool and happy with this change. But they’re also not about to alert everyone either (I’m sure many many Jamf admins don’t bother reading the Deprecations and Removals section of the release notes (note! you should read these! You should read ALL the release notes)). We’ve met more than once with the Project Manager that’s working on the LAPS rollout, and it goes no where (instead of listening to us, and our concerns, it turns into “how can we help you implement our LAPS solution?”). We’ve told Jamf this, but it’s honestly making us look at switching MDM vendors, which I’m sure you realize is a HUGE undertaking.

Update on this based on responses from last week and today from Project Manager. We're still working with them, but right now, what we're being told:



  • They're delaying implementation (rather than forcing in 11.3, they'll force in 11.4) and are pivoting to using the JMF account to rotate the password for the prestage account rather than using MDM. 11.3 will use MDM, 11.4 will use JMF. We're supposed to see updated release notes (again, deprecations and removals) reflecting updated timetable. 

  • 11.4 they will take away the ability to set prestage password, it'll be forced LAPS. There will still be no way to turn off LAPS once it's forced on. So once again, they're forcing the change with the same version they're implementing something. =/

  • They're still saying it'll be retroactive, which means if the JMF doesn't know the existing password, it's going to break SecureToken, etc.

  • still no ability to set password length, makeup, etc. 

  • still no documentation on how Jamf handles failed rotations... at this point, kinda sounds like it'll just do a "reset" which will break Secure Token, etc. 

  • Still lack of clear communication to Jamf users about this upcoming change. 

  • No clear guidance at this time how to "break" LAPS so that it stops trying to rotate the password. With MDM method you COULD change the GUID, but that caused other issues. 

  • Still zero answer, or even acknowledgement of question, when asked "Why are we forcing this?" They completely ignore us when we repeatedly ask/suggest "make this optional..."


I continue to be amazed at how Jamf engineering, or whomever, doesn't seem to understand why this is such a big deal for us... we've been raising alarms about this since August. =(

We're continuing to attempt to engage and impress upon them why this is a problem. Please continue to push on your account reps... they need to know this is bad, and should not be blindly rushed into. 


Thanks for the update.

interesting thread, one I will also ping to jamf.

We have a meeting with Jamf again on Thursday, potentially involving engineering. I've also emailed one of our Apple EDU reps to let them know this is coming, and they were also surprised this was mandatory (they assumed it was optional). They have forwarded to their Jamf SE for information... At this point, we're just trying to get this in front of as many eyes as possible. Next step if Thursday meeting doesn't result in any real progress is to start emailing people on Jamf's leadership page. =/ 

I love how I'm just now hearing about this from a 2 week old post being shared in another circle. Whelp, time to ramble a Success. I feel bad for them, because they get to receive a lot of complaints from us that they have no more power than tossing it into the void.

Good morning everyone. I believe @Deanna will be posting to this thread soon with an update. Will leave that up to her. 

Thanks @rstasel 
Jamf is looking forward to bringing LAPS functionality to the GUI and in 11.3 you'll have the ability to view/rotate passwords from the Inventory page. The ability to configure settings via the GUI will be in a subsequent release.  There's been a lot of chatter about the PreStage account and I can share that:



  • LAPS will not be on by default for the PreStage account


    • The ability to set a static password in the PreStage will remain. 

      • This means that there will be no change to your current static passwords.





  • The ability to enable LAPS for the PreStage account will be available in the GUI in a future release.  Admins will have the ability to "opt-in" to automatic password rotation.


 


Current workflows that rely on a static password in the PreStage will remain unchanged.  More information to follow in an upcoming blog post.  

Thanks @rstasel 
Jamf is looking forward to bringing LAPS functionality to the GUI and in 11.3 you'll have the ability to view/rotate passwords from the Inventory page. The ability to configure settings via the GUI will be in a subsequent release.  There's been a lot of chatter about the PreStage account and I can share that:



  • LAPS will not be on by default for the PreStage account


    • The ability to set a static password in the PreStage will remain. 

      • This means that there will be no change to your current static passwords.





  • The ability to enable LAPS for the PreStage account will be available in the GUI in a future release.  Admins will have the ability to "opt-in" to automatic password rotation.


 


Current workflows that rely on a static password in the PreStage will remain unchanged.  More information to follow in an upcoming blog post.  


Thanks @Deanna

Thanks @rstasel 
Jamf is looking forward to bringing LAPS functionality to the GUI and in 11.3 you'll have the ability to view/rotate passwords from the Inventory page. The ability to configure settings via the GUI will be in a subsequent release.  There's been a lot of chatter about the PreStage account and I can share that:



  • LAPS will not be on by default for the PreStage account


    • The ability to set a static password in the PreStage will remain. 

      • This means that there will be no change to your current static passwords.





  • The ability to enable LAPS for the PreStage account will be available in the GUI in a future release.  Admins will have the ability to "opt-in" to automatic password rotation.


 


Current workflows that rely on a static password in the PreStage will remain unchanged.  More information to follow in an upcoming blog post.  


No, seriously, thank you Deanna. You've been a great help through all of this, and I'm sorry if I've contributed to any gray hairs for you or any on the team. Thanks for listening to feedback and being willing to adjust. Greatly appreciated. =)

Could we ask that release notes be updated at some point to reflect this change? not sure how you deprecate a deprecation notice... =/ 





@rstasel, I appreciate the dedicated effort you've put into collaborating with Jamf on this project, as well as our productive exchange of direct messages and the exploration of ideas and solutions.











I'd like to take a moment to extend my gratitude publicly to @Deanna for our insightful meeting on this topic. Her excellent communication skills and genuine interest in understanding my concerns created a sense of true partnership.



A heartfelt thank you goes out to the entire Engineering Team for attentively listening to our input and recognizing the potential impacts on specific workflows.






No, seriously, thank you Deanna. You've been a great help through all of this, and I'm sorry if I've contributed to any gray hairs for you or any on the team. Thanks for listening to feedback and being willing to adjust. Greatly appreciated. =)

Could we ask that release notes be updated at some point to reflect this change? not sure how you deprecate a deprecation notice... =/ 


Hi @rstasel - Thanks for your partnership.  As far as the gray, I prefer to think of it as "hair sparkles."


The 11.3 GA release notes will be updated.  The work is on hold as we determine the right path forward.  There are no plans to remove the ability to set a static password on the 2024 roadmap.  The deprecation notice will stay posted for visibility, but the timeline will be removed.  

This is great to hear. We're searching for a good LAPS solution but would love to leverage our existing Jamf system, So far nothing else has met our requirements. 🤞

This is great to hear. We're searching for a good LAPS solution but would love to leverage our existing Jamf system, So far nothing else has met our requirements. 🤞


Check out EasyLAPS. Jamf’s LAPS solution is/wasn’t it if you plan to use the account…

I am working with a Jamf environment that currently does not have any Jamf LAPS capable admin accounts.


They did not create a “Management Account” in User-initiated enrollment.


They did not create a “local administrator account” int PreStage Enrollment.


 


We have since specified a “Management Account” and a “local administrator account”. With two separate names.


They are using Apple Business Manager Automated Device Enrollment. There are some locations that do not have ABM, so they are using User-initiated enrollment. (That is begin resolved).


LAPS is working with newly enrolled Mac systems using either admin accounts. 


 


Is there away to retroactively add a User-initiated enrollment “Management Account”?


I’ve tried using “jamf policy -trigger enrollmentComplete”. This will successfully re-run the enrollment policies, but it does not create the “Management Account” from User-initiated enrollment.


“profiles -N” does work. But that requires user interaction.


 


Thoughts?

I am working with a Jamf environment that currently does not have any Jamf LAPS capable admin accounts.


They did not create a “Management Account” in User-initiated enrollment.


They did not create a “local administrator account” int PreStage Enrollment.


 


We have since specified a “Management Account” and a “local administrator account”. With two separate names.


They are using Apple Business Manager Automated Device Enrollment. There are some locations that do not have ABM, so they are using User-initiated enrollment. (That is begin resolved).


LAPS is working with newly enrolled Mac systems using either admin accounts. 


 


Is there away to retroactively add a User-initiated enrollment “Management Account”?


I’ve tried using “jamf policy -trigger enrollmentComplete”. This will successfully re-run the enrollment policies, but it does not create the “Management Account” from User-initiated enrollment.


“profiles -N” does work. But that requires user interaction.


 


Thoughts?


https://community.jamf.com/t5/jamf-pro/retroactively-creating-jamf-laps-capable-admin-accounts/m-p/309839/thread-id/269584#M269599

Hi @rstasel - Thanks for your partnership.  As far as the gray, I prefer to think of it as "hair sparkles."


The 11.3 GA release notes will be updated.  The work is on hold as we determine the right path forward.  There are no plans to remove the ability to set a static password on the 2024 roadmap.  The deprecation notice will stay posted for visibility, but the timeline will be removed.  


Hey Deanna, so 11.3 just dropped, and indeed, the date is gone from the notes, but the language is still... worrisome? discouraging? 

"


Functionality to specify the local administrator account for computers in a PreStage enrollment


In a future release, the ability to specify or modify a local administrator account password in a PreStage enrollment for computers will be removed from Jamf Pro.


Once implemented, the local administrator password solution (LAPS) will provide equivalent functionality for securely viewing and modifying macOS account passwords on managed computers. For more information, see the Local"


This still reads as "this change is coming, like it or not... we just don't know when". This isn't what any of us want to hear, or read. Kinda thought we all made that clear... =(


Hey Deanna, so 11.3 just dropped, and indeed, the date is gone from the notes, but the language is still... worrisome? discouraging? 

"


Functionality to specify the local administrator account for computers in a PreStage enrollment


In a future release, the ability to specify or modify a local administrator account password in a PreStage enrollment for computers will be removed from Jamf Pro.


Once implemented, the local administrator password solution (LAPS) will provide equivalent functionality for securely viewing and modifying macOS account passwords on managed computers. For more information, see the Local"


This still reads as "this change is coming, like it or not... we just don't know when". This isn't what any of us want to hear, or read. Kinda thought we all made that clear... =(



Sounds like one or more people need to get on the same page at Jamf.

Hi @rstasel - Thanks for your partnership.  As far as the gray, I prefer to think of it as "hair sparkles."


The 11.3 GA release notes will be updated.  The work is on hold as we determine the right path forward.  There are no plans to remove the ability to set a static password on the 2024 roadmap.  The deprecation notice will stay posted for visibility, but the timeline will be removed.  


To confirm, PreStage admin accounts will continue to be able to be set to a static password for the remainder of 2024?

Hey Deanna, so 11.3 just dropped, and indeed, the date is gone from the notes, but the language is still... worrisome? discouraging? 

"


Functionality to specify the local administrator account for computers in a PreStage enrollment


In a future release, the ability to specify or modify a local administrator account password in a PreStage enrollment for computers will be removed from Jamf Pro.


Once implemented, the local administrator password solution (LAPS) will provide equivalent functionality for securely viewing and modifying macOS account passwords on managed computers. For more information, see the Local"


This still reads as "this change is coming, like it or not... we just don't know when". This isn't what any of us want to hear, or read. Kinda thought we all made that clear... =(



Hi @rstasel 
I shared in this post three weeks prior that the date would be removed, but the deprecation notice would remain.  This is to provide visibility to admins of future changes.

The post stated "The 11.3 GA release notes will have the date removed from the deprecation notice.  There is no plan to remove the ability to set a static password in the PreStage on the 2024 roadmap.  The notes will remain for visibility as we determine a path forward."

The immediate goal is to bring LAPS functionality to the GUI and make it accessible for those who want to use it.  Beyond that, additional enhancements will be researched and reviewed before changes to the PreStage are prioritized.  

To confirm, PreStage admin accounts will continue to be able to be set to a static password for the remainder of 2024?


Yes, confirmed.  You can continue to use a static password.  We are not removing this ability at this time.  Workflows that require a static password in the PreStage will not be impacted.  

Hi @rstasel 
I shared in this post three weeks prior that the date would be removed, but the deprecation notice would remain.  This is to provide visibility to admins of future changes.

The post stated "The 11.3 GA release notes will have the date removed from the deprecation notice.  There is no plan to remove the ability to set a static password in the PreStage on the 2024 roadmap.  The notes will remain for visibility as we determine a path forward."

The immediate goal is to bring LAPS functionality to the GUI and make it accessible for those who want to use it.  Beyond that, additional enhancements will be researched and reviewed before changes to the PreStage are prioritized.  


Just a thought, leaving the deprecation notice in place appears to already only be serving confusion. Putting my ex-Jamf hat back on, there's a high likelihood that the deprecation will be seen by other admins who then raise similar concerns to support or customer success, who likely don't spend all their time in a Jamf Nation thread to get the information that it's still all a big ol' shrug at this point.

Further, removing the date doesn't clarify that it's still in flux, but only serves to add confusion that it could happen next update, or it could happen 2 years from now, but to anyone not in the thread that it's still been determined as happening.

Yes, confirmed.  You can continue to use a static password.  We are not removing this ability at this time.  Workflows that require a static password in the PreStage will not be impacted.  


Thanks Deanna. Ugh, wait: This Jamf Pro 11.3 document (dated yesterday Feb 19 2024) states that LAPS will be REQUIRED for PreStage account. Comments?

Hi @rstasel 
I shared in this post three weeks prior that the date would be removed, but the deprecation notice would remain.  This is to provide visibility to admins of future changes.

The post stated "The 11.3 GA release notes will have the date removed from the deprecation notice.  There is no plan to remove the ability to set a static password in the PreStage on the 2024 roadmap.  The notes will remain for visibility as we determine a path forward."

The immediate goal is to bring LAPS functionality to the GUI and make it accessible for those who want to use it.  Beyond that, additional enhancements will be researched and reviewed before changes to the PreStage are prioritized.  


Hi Deanna,


Right, I saw that response and replied. 


I understand you're trying to paint some nuance here, but the release notes do not have any of that. All the release note message conveys now is "we're doing this. we don't know when, but it's happening". Not "when we do it'll be optional" or anything. Which, brings us right back to ya'll hanging seriously workflow breaking changes over our head, only now we don't know when they'll happen. And worse, because it just lives in the release notes now, that could be seen as a "we gave everyone plenty of notice about this change, so we're doing it next release". 


I thought we all made it pretty clear this must be optional. 


What _should_ happen here is that message gets removed from the release notes, or better, a "reconsidered" note added, and a statement saying that when/if this is re-evaluated Jamf will reach out to admins across their customer base and discuss potential issues/solutions/etc. Or heck, they could even say: "In a future release, the ability to specify or modify a local administrator account password in a PreStage enrollment for computers may be removed from Jamf Pro." (emphasis is mine). 


Does all that make sense? I know time was spent getting all this ready, and we appreciate Jamf backing off on implementation... but now we're just waiting for the other shoe to drop. =(


Thanks. 

@Deanna

It would greatly benefit us to have the internal teams gather and share an update. Currently, the information we receive doesn't completely match the release notes. As mentioned previously, clearer definitions are needed. While some progress has been achieved, it seems like we've taken steps backward in certain areas, nearly reverting to square one.

Thanks Deanna. Ugh, wait: This Jamf Pro 11.3 document (dated yesterday Feb 19 2024) states that LAPS will be REQUIRED for PreStage account. Comments?


LAPS is not required.  It is optional.  You can continue to create a static password.  We will update the document.  Thank you for the feedback. 

@Deanna

It would greatly benefit us to have the internal teams gather and share an update. Currently, the information we receive doesn't completely match the release notes. As mentioned previously, clearer definitions are needed. While some progress has been achieved, it seems like we've taken steps backward in certain areas, nearly reverting to square one.


Hi @atomczynski11 We will update the document for clarification.  Work is in progress and I will advise.  I appreciate the feedback.  Thank you for your patience.  

Reply


Terms & ConditionsCookie settings