Local Admin Password Solution (LAPS) addresses security vulnerabilities of common admin workflows by supporting a unique and randomized local account password per device, that rotates after viewing, and that is accessible to a subset of authorized users. This security feature ensures an organization can maintain control over end user privacy and sensitive data. LAPS is an automated approach that allows IT administrators to maintain security, comply with regulations, improve efficiency, and maintain accountability by knowing who accessed the password and when.
With Jamf Pro 10.46.0, Jamf introduced LAPS support as an API-first solution for better securing shared IT admin accounts on computers. This implementation was specific to the admin account created during Automated Device Enrollment using a PreStage enrollment.
With Jamf Pro 10.49.0, as part of the User-Initiated Enrollment settings, Jamf extends LAPS support to the specified Jamf Management Account. This adds support for managing an alternative admin account outside of Automated Device Enrollment.
Repurposing the Management Account for Enhanced Security
In 10.46, Jamf announced that the ability to specify or modify computer management credentials would be deprecated in a future release. As of Jamf Pro 10.49, the ability to set a known Management Account password on enrolled computers is removed from the GUI. Upon upgrade, any pre-existing, known Management Account password is replaced with a rotated, random 29-character password that is unique to each computer. Newly enrolled computers also receive a random password if the Management Account is set for creation during enrollment. Admins can view a computer's randomized password in the Jamf Pro API using the local-admin-password endpoints.
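The following is an added example (not Jamf's own code) of how an admin tool might retrieve a rotated Management Account password and the audit trail of who viewed it through the local-admin-password endpoints. It assumes the Jamf Pro API paths `POST /api/v1/auth/token`, `GET /api/v2/local-admin-password/{managementId}/account/{name}/password` and `.../audit`, and an assumed shape for the audit response; verify both against your instance's API reference. The host, management id, account name and canned responses are constructed, and the HTTP transport is injected so the same functions run offline against that sample data.

```python
"""Added example, not Jamf's own code: read a LAPS password and its view audit
through the Jamf Pro API local-admin-password endpoints.

Assumed (verify against your Jamf Pro API reference): POST /api/v1/auth/token
issues a bearer token from basic-auth credentials; GET
/api/v2/local-admin-password/{managementId}/account/{name}/password and
.../audit return the current password and the list of who viewed it. The
host, management id, account name and canned responses are constructed.
"""
import base64
import json
import urllib.request
from typing import Callable

# Transport is injected so the same functions run offline against canned data.
Fetcher = Callable[[str, str, dict], bytes]  # (method, url, headers) -> body


def urllib_fetch(method: str, url: str, headers: dict) -> bytes:
    """Default transport: plain standard-library HTTPS request."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def get_bearer_token(base_url: str, user: str, password: str,
                     fetch: Fetcher = urllib_fetch) -> str:
    """Exchange API credentials for a short-lived bearer token."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = fetch("POST", f"{base_url}/api/v1/auth/token",
                 {"Authorization": f"Basic {basic}", "Accept": "application/json"})
    return json.loads(body)["token"]


def _get_json(base_url: str, token: str, path: str, fetch: Fetcher):
    return json.loads(fetch("GET", f"{base_url}{path}",
                            {"Authorization": f"Bearer {token}",
                             "Accept": "application/json"}))


def get_laps_password(base_url: str, token: str, management_id: str,
                      account: str, fetch: Fetcher = urllib_fetch) -> str:
    """Return the current LAPS password for one local account.

    Viewing the password is what causes Jamf Pro to rotate it afterwards, so
    call this only when the value is actually needed and never log it.
    """
    path = f"/api/v2/local-admin-password/{management_id}/account/{account}/password"
    return _get_json(base_url, token, path, fetch)["password"]


def get_laps_audit(base_url: str, token: str, management_id: str,
                   account: str, fetch: Fetcher = urllib_fetch) -> list[dict]:
    """Flatten the audit response (assumed shape) into one record per view:
    who viewed the password, when, and the expiration of that version."""
    path = f"/api/v2/local-admin-password/{management_id}/account/{account}/audit"
    events = []
    for version in _get_json(base_url, token, path, fetch):
        for view in version.get("audits", []):
            events.append({"viewed_by": view.get("viewedBy"),
                           "date_seen": view.get("dateSeen"),
                           "expiration": version.get("expirationTime")})
    return events


def make_fake_fetch(canned: dict) -> Fetcher:
    """Constructed offline transport: (method, url) -> JSON body. Rejects
    requests without an Authorization header, as the server would."""
    def fetch(method: str, url: str, headers: dict) -> bytes:
        if "Authorization" not in headers:
            raise PermissionError("401: missing Authorization header")
        if (method, url) not in canned:
            raise LookupError(f"404: {method} {url}")
        return json.dumps(canned[(method, url)]).encode()
    return fetch


# Constructed placeholders and sample responses; no real host or id.
BASE = "https://jamf.example.com"
MGMT_ID = "00000000-0000-0000-0000-000000000000"
LAPS = f"/api/v2/local-admin-password/{MGMT_ID}/account/jamfadmin"
SAMPLE = {
    ("POST", f"{BASE}/api/v1/auth/token"): {"token": "constructed-token"},
    ("GET", f"{BASE}{LAPS}/password"): {"password": "constructed-random-password"},
    ("GET", f"{BASE}{LAPS}/audit"): [{
        "password": "constructed-random-password",
        "dateLastSeen": "2024-01-02T10:00:00Z",
        "expirationTime": "2024-01-02T11:00:00Z",
        "audits": [{"viewedBy": "alice", "dateSeen": "2024-01-02T10:00:00Z"}],
    }],
}


def demo(fetch: Fetcher = make_fake_fetch(SAMPLE)) -> list[dict]:
    """Full flow (token, then audit) against the constructed transport. The
    password itself is deliberately not fetched here, since each view rotates it."""
    token = get_bearer_token(BASE, "api-client", "api-secret", fetch)
    return get_laps_audit(BASE, token, MGMT_ID, "jamfadmin", fetch)


if __name__ == "__main__":
    for event in demo():
        print(f"{event['date_seen']}  viewed by {event['viewed_by']}")
```

For a real instance, pass `urllib_fetch` (the default) and the computer's management id; the audit call is the one to run routinely, because it answers "who accessed the password and when" without itself triggering a rotation.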
Alternative Workflow and Tips
Jamf does not recommend using a common or known password. With the increasing risk of unauthorized access to sensitive data or systems, having unique local administrator passwords for each device is crucial to improving security. If all Macs in an organization share the same password, a single compromised password could grant access to all devices.
When using a policy, ensure it runs after the first (primary) user has received the first secure token and after the bootstrap token has been automatically escrowed. For more information, see Apple's documentation.
Scope the policy to a group or trigger that presumes the first user already received the secure and bootstrap tokens. For example, a policy with a “Login” trigger would presume the first, primary user has received the first secure token from macOS.
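As an added example (not Jamf's or Apple's code) of the pre-condition the two preceding paragraphs describe, here is a pre-flight check a policy script could run before creating or rotating a local admin account: it confirms the logging-in user holds a secure token and that the bootstrap token is escrowed, and exits non-zero otherwise so the policy fails visibly rather than silently. It assumes `python3` is available on the Mac, that Jamf passes the logging-in user as the script's third argument on a Login trigger, and that the output of `sysadminctl -secureTokenStatus` and `profiles status -type bootstraptoken` matches the constructed sample strings embedded below; the parsing functions are pure so they can be exercised off a Mac.

```python
"""Added example, not Jamf's or Apple's code: pre-flight check for a Jamf
policy that creates or rotates a local admin account. Proceed only when the
primary user already holds a secure token and the bootstrap token is escrowed.

Assumptions: python3 is present on the Mac; Jamf passes the logging-in user as
$3 on a Login trigger; the command outputs match the constructed samples.
"""
import re
import subprocess
import sys

SECURE_TOKEN_RE = re.compile(r"Secure token is (ENABLED|DISABLED) for user (\S+)")
BOOTSTRAP_RE = re.compile(r"Bootstrap Token escrowed to server:\s*(YES|NO)")

# Constructed sample outputs of the two macOS commands (used by the tests).
SAMPLE_SYSADMINCTL = ("2023-09-01 10:00:00.000 sysadminctl[512:9013] "
                      "Secure token is ENABLED for user jdoe\n")
SAMPLE_PROFILES = ("profiles: Bootstrap Token supported on server: YES\n"
                   "profiles: Bootstrap Token escrowed to server: YES\n")


def parse_secure_token_status(output: str) -> bool:
    """True if sysadminctl reports the token ENABLED; raises on unknown output."""
    m = SECURE_TOKEN_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised sysadminctl output: {output.strip()!r}")
    return m.group(1) == "ENABLED"


def parse_bootstrap_token_status(output: str) -> bool:
    """True only if `profiles` reports the bootstrap token escrowed to the MDM."""
    m = BOOTSTRAP_RE.search(output)
    if not m:
        raise ValueError(f"unrecognised profiles output: {output.strip()!r}")
    return m.group(1) == "YES"


def run(cmd: list[str]) -> str:
    """Run a macOS command and return stdout+stderr (sysadminctl logs to stderr)."""
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def preflight(user: str, sysadminctl_out: str, profiles_out: str) -> tuple[bool, str]:
    """Decide whether the policy may proceed, with a reason for the policy log.
    A pure function of the command outputs so it can be tested anywhere."""
    # Setup Assistant and the login window are not a real primary user.
    if not user or user in ("root", "_mbsetupuser", "loginwindow"):
        return False, f"no primary user logged in ({user!r}); retry at next login"
    if not parse_secure_token_status(sysadminctl_out):
        return False, f"{user} has no secure token yet; retry later"
    if not parse_bootstrap_token_status(profiles_out):
        return False, "bootstrap token not escrowed to Jamf Pro; retry later"
    return True, f"{user} holds a secure token and the bootstrap token is escrowed"


def main(argv: list[str]) -> int:
    # Jamf passes mount point, computer name and username as $1..$3.
    user = argv[3] if len(argv) > 3 else ""
    try:
        ok, reason = preflight(user,
                               run(["sysadminctl", "-secureTokenStatus", user]),
                               run(["profiles", "status", "-type", "bootstraptoken"]))
    except ValueError as exc:
        print(f"pre-flight failed: {exc}")
        return 1
    print(reason)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Attach this as the first script in the policy (or call it from the account-creation script and stop on a non-zero exit). Because a policy with a Login trigger runs again at the next login, a failed check simply defers the work until the conditions the page describes are met.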