Can't retrieve local admin password set by Pre-stage enrollment

Unfortunately my recollection is that, no, it won't sync the change, it'll just break features using the management account, which are mercifully few at this point.

Try an API LAPS pull on a machine with that account, with AutoRotateEnabled set to false if you want to keep that password, and see what you get. If the problem isn't pressing 11.1 will probably put that feature within the GUI by EoY.

Changing the password without the existing one is difficult to impossible on newer versions of macOS and especially Apple Silicon machines, but you could create another account, then change the management account settings to use that one. Just make sure the new one gets admin rights, SecureToken, volume ownership, etc before switching over.

If you are an on prem user you could in theory pull the encrypted password from the database, but that is totally undocumented.

The account you are creating with PreStage likely has a Secure Token. MacOS requires a Secure Token to change the password of an account with a Secure Token. Sudo (ie JAMF policies or scripts) uses bootstrap tokens, not secure tokens and cannot change the password or delete the account of a Secure Token holder.

JAMF does have LAPS which you can look in to. Beyond LAPS JAMF has no way to know what the local accounts PW is as its not recorded in JAMF anywhere. 

Apologies for the delay in responding! It seems like LAPS will be the way to go as we want to use it for things when we're teamviewer'ing on and want to do admin things etc.

However LAPS doesn't seem that simple to setup so if anyone had a good link to share that would be great!

Thanks so much!