Posted on 01-25-2024 01:37 PM
I have to ask why we are removing this ability. I'm the IT guy who wears multiple hats at work: the support person, the server guy and the network guy. Removing the ability for IT admins to set a Prestage Admin account and password is just going to create headaches for the EDU IT admin. I don't think it should be forced on everyone and would work better if it was a toggle switch that you can enable or opt into.
https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Deprecations_and_Removals.html
Functionality to specify the local administrator account for computers in a PreStage enrollment—
In an upcoming release, the ability to specify or modify a local administrator account password in a PreStage enrollment for computers will be removed from Jamf Pro (estimated removal date: March 2024).
01-25-2024 01:52 PM - edited 01-25-2024 01:54 PM
@csmith122 Take a look at the new LAPS functionality in Jamf Pro: https://learn.jamf.com/bundle/technical-paper-laps-current/page/Local_Administrator_Password_Solutio... It's replacing what you used to do with a Prestage created admin account.
Posted on 01-25-2024 02:25 PM
@sdagley, the problem with LAPS is that it is not fully implemented. At minimum, Jamf needs to add a way to retrieve the LAPS password from the Jamf Pro GUI. For organizations that don't have robust solutions for API calls (like educational institutions), it is impossible to retrieve the password.
But the bigger issue with this change is that Jamf is not listening to its customers and instead pushing a potentially breaking change on its customers. Some organizations need a standard admin account setup to assist with deployment. Again, educational customers may need to preconfigure hundreds of computers for students. Asking the tech to look up a new password for every new build? That is going to be a killer. Not every organization can easily support full zero touch deployment using ADE.
Jamf has already made turning on LAPS for the MDM account optional by requiring making a change via the API. I am not sure what Jamf is gaining by forcing this change. Let an organization make the decision.
I am hoping that Jamf, at the minimum, makes a few concessions. One suggestion is to continue to allow a defined password and set the rotation to not happen for X hrs or days. This would give techs enough time to configure and then make the account LAPS enabled.
Posted on 01-25-2024 03:10 PM
I did not even know that we can't see the password in the JAMF UI. While we have some minor API calls that we do on the JSS, we don't have anything like this implemented. Worst-case scenario, I was worried that I would have to have a laptop next to me to use the Jamf Pro UI to look up the password. Now it seems like you can't even do this. This needs a better solution, JAMF. As a customer of your product for 10+ years, I did not expect you to limit us like this.
Talking it over with a friend, it will just require me to create a policy that creates a local admin account after the machine has gone through the prestage enrollment, set this to run on the enrollment complete trigger, and it will do the same thing. Not the end of the world, just needless extra work just to get a basic admin account on the end user's device.
Posted on 01-25-2024 02:30 PM
This doesn't address the main issue, which is, why should the new LAPS functionality be forced on customers? I'm not saying LAPS generally speaking is a bad thing or something we shouldn't all be looking at, but how is it any of Jamf's business whether we use LAPS or not in our environments?
I agree that this change should be optional. If not permanently, then at least at first for a while, to give everyone a chance to really test it out and make any necessary changes to their device enrollment workflows. The new LAPS feature is not fully baked right now IMO, and yet Jamf is saying they will force it on anyone that wants to have a local admin account created as part of Prestage enrollment in just a couple of months?
Posted on 01-25-2024 03:04 PM
I have looked at this and it's not a solution when I have to preconfigure 1800 devices every summer. I agree with mm2270.
This doesn't address the main issue, which is, why should the new LAPS functionality be forced on customers? I'm not saying LAPS generally speaking is a bad thing or something we shouldn't all be looking at, but how is it any of Jamf's business whether we use LAPS or not in our environments?
Posted on 01-26-2024 08:06 AM
I'm glad I just stumbled across this post. This is pretty crazy that this is being forced on customers. Why do they keep taking away functionality that helps the solo guys like myself and others? Jamf Remote was useful for more than actual remote sessions. In fact, I never used that part of it. Now that tool is gone. What do we get to replace it? A pure remote session functionality. Don't need it. Now they want to take away local admin creation at Prestage, to replace it with a much more complicated LAPS situation. Don't need it, don't want it. This should absolutely be a choice based on customer needs.
Posted on 01-26-2024 08:21 AM
Must have missed this on the first go round, but the fact that we can't easily get the LAPS password in the standard Jamf Pro GUI is a dealbreaker. I wouldn't even know where to start with API stuff. Again, this should be based on customer need, not forced down our throats. JAMF, listen to your customers. At the very least, wait until this can all be done within Jamf Pro.
Posted on 01-26-2024 08:38 AM
This is definitely a dealbreaker for us. The crux of the problem for our organization is the fact that LAPS does not have a GUI interface yet (which we've been eagerly waiting for). I can understand Jamf notifying users of the upcoming change, but to not offer any "we're working on some alternative solutions", and just "this will be deprecated on such and such a date" is not helpful to us at all. I'll be reaching out to our account manager regarding this change.
Posted on 01-26-2024 09:10 AM
I've done the same, as well as about the removal of the Jamf Admin app. We use this and they don't have an alternative solution.
Posted on 01-26-2024 12:15 PM
I've been in discussion with Jamf and heard back from them.
We should be seeing more details soon about Jamf LAPS from the Team at Jamf working on this solution in the form of a post in Jamf Nation.
In the meantime check out this Feature Request: https://ideas.jamf.com/ideas/JN-I-27528
Posted on 01-26-2024 01:28 PM
I came across this little ditty to help retrieve the LAPS without the API. Shoutout to Pro4tlzz. You basically add it to your browser bookmark bar, and use it to retrieve any local passwords.
https://github.com/pro4tlzz/pro4tlzz.github.io/blob/main/jamf/JamfGetLapsPassword.html
Posted on 01-26-2024 01:48 PM
Hi @csmith122, thanks for the feedback. I want to share an update below.
Jamf is looking forward to bringing LAPS functionality to the GUI and in 11.3 you'll have the ability to view/rotate passwords from the Inventory page. The ability to configure settings via the GUI will be in a subsequent release. There's been a lot of chatter about the PreStage account and I can share that:
Current workflows that rely on a static password in the PreStage will remain unchanged. More information to follow in an upcoming blog post.
Posted on 01-26-2024 02:00 PM
@Deanna Thank you for the update.
And thanks to Jamf for listening to our concerns.
Posted on 01-29-2024 07:13 AM
This is great to hear, thanks for the update!
Posted on 01-29-2024 08:00 AM
Thanks for the update on this, @Deanna. This is great to hear! Thanks for listening to customer concerns around this.
I do have one question about it. You mentioned in your other separate post that 'this deprecation is on hold'. Does this mean the ability to specify local admin account creation during Prestage will eventually be deprecated, or that it's being put on hold while Jamf researches how to implement this as an optional change?
I'm hoping it's the latter, but either way, I'm glad we won't be forced into this change in the next couple of months.
Posted on 01-29-2024 08:30 AM
Hi @mm2270, the work is on hold as we determine the right path forward. There are no plans to remove the ability to set a static password on the 2024 roadmap. The deprecation notice will stay posted for visibility, but the timeline will be removed.
Posted on 01-29-2024 11:44 AM
Ok, thanks for the clarification. Sounds good!