Jamf LAPS - Admin Account (MDM-Enablement)

From what I understand, reading the documentation and talking to Jamf support, any admin account created during the PreStage enrollment is eligible for LAPS.

For devices that haven't checked in for some time, LAPS should apply to them on the next check-in. If a device will no longer check in with Jamf even when online, you'll need to determine the cause and fix that before LAPS will be enabled. Without knowing a specific cause it's hard to say what steps you would need to take.

So if i were to go into the JAMF Setting and enable the "MDM-Enabled" setting for the admin account, that should in theory make all admin accounts MDM-Enabled for the devices that we have already enrolled? 
I would test this but we do not have a testing Server as we are on the Cloud.

So if i were to go into the JAMF Setting and enable the "MDM-Enabled" setting for the admin account, that should in theory make all admin accounts MDM-Enabled for the devices that we have already enrolled? 
I would test this but we do not have a testing Server as we are on the Cloud.

LAPS accounts have nothing to do with the MDM Enabled accounts. MDM enabled accounts are local accounts that can use user level profiles. If you don't use user level profiles, you don't need to worry about MDM enabled. 

The "MDM" account referenced regarding LAPS is the hidden local admin account that is an option creation during setup. In your prestage, you can create a local admin account in addition (or instead of) creating a local account during setup. By default, this account is NOT LAPS enabled. You much use and API command to enable LAPS for the MDM account. Once it is enable, this MDM account's password will be rotated based on the schedule. (Jamf has announced that the MDM enabled account will no longer allow a static password in a future release of Jamf Pro. If that affects your workflow, please file feedback with Jamf.)

There is another LAPS enabled account that is ON by default. This is the Jamf Management account that is setup in User Initiated Enrollment setting. If you have this setup (it was pretty much optional for the past several years), LAPS is already enabled, and passwords are being rotated for this account. 

If you go into your Computer Inventory record, you can see what accounts are available to LAPS. They are listed as "Managed By". 

If you have neither of these accounts available, then you will need to re-enroll the computer. 

Using LAPS is optional, are your users local admins? If so, there really is no need to worry about the LAPS at this point. 

Hi @Tribruin ,

MDM account (with static password) is not hidden in our case and the psw is shared across Helpdesk team  to use that account to complete the build workflow. 

MDM account has filevault enabled. Can LAPS enable on this account?

Thanks in advance

I am not 100% what will happen there. The MDM created account is handled differently than the Jamf Management account when it comes to password rotation. Jamf will be using an MDM command to rotate that password. 

Normally Jamf can not rotate a FV enabled password, but the MDM command may have different capabilities. Might be a good idea to open a ticket with Jamf and see what is going to happen. 

And, again I stress, if Jamf enabling LAPS on the MDM created administrator account is going to cause a workflow issue, open a ticket and explain. I am hoping Jamf will hold off on making this a forced change and leave it optional. 

LAPS accounts have nothing to do with the MDM Enabled accounts. MDM enabled accounts are local accounts that can use user level profiles. If you don't use user level profiles, you don't need to worry about MDM enabled. 

The "MDM" account referenced regarding LAPS is the hidden local admin account that is an option creation during setup. In your prestage, you can create a local admin account in addition (or instead of) creating a local account during setup. By default, this account is NOT LAPS enabled. You much use and API command to enable LAPS for the MDM account. Once it is enable, this MDM account's password will be rotated based on the schedule. (Jamf has announced that the MDM enabled account will no longer allow a static password in a future release of Jamf Pro. If that affects your workflow, please file feedback with Jamf.)

There is another LAPS enabled account that is ON by default. This is the Jamf Management account that is setup in User Initiated Enrollment setting. If you have this setup (it was pretty much optional for the past several years), LAPS is already enabled, and passwords are being rotated for this account. 

If you go into your Computer Inventory record, you can see what accounts are available to LAPS. They are listed as "Managed By". 

If you have neither of these accounts available, then you will need to re-enroll the computer. 

Using LAPS is optional, are your users local admins? If so, there really is no need to worry about the LAPS at this point. 

Gotcha, yeah after a conversation with our coordinator this is the route that we are going to be going down. Adding our admin accounts for our agency to be able to sign in and create a local admin account. Our only worry is that which was stated below, since the MDM created local admin account has the FileVault pw we can foresee workflow issues when it comes to how that account is handled with a rotating PW. I have a ticket open with Jamf and i'll voice our concerns. Thank you for your Help!

Hi @belacwesd 

First of all Happy New Year!

Unfortunately the support guy is not that helpful. Have you got any positive feedback from your side?

At this point I am thinking to implement Joshua's LAPS solution

Hi @Ryy,

Yes we were able to talk with a JAMF personnel who knew what he was talking about and guided me to what i needed to know. I was informed that admin accounts that are created in the Prestage for the MacBooks will not be affected when it comes to being LAPS enabled. The account that is going to be LAPS enabled is the hidden accounts as @Tribruin  mentioned the place that you find this account is found in your settings: Global > User-initiated enrollment > macOS > Management Account. In the section it informs that it is a "Account to be used for managing computers enrolled via a PreStage enrollment or user-initiated enrollment." 
This is such a obscure spot to have a admin account information held but it is what it is. This will be the account that is going to be LAPS enabled once the "switch" is flipped. So if you have a default admin account that your FileVault key is stored with you should be fine.

On another note i wish that the JAMF Help Desk was all equally versatile in knowing what they were talking about because it took me 3 calls before i finally got on with a agent who knew the answer I needed.

 We have a local admin account created during PreStage Enrollment called "macadmin"
and another account during UIE called "macjamf". If I understand "macadmin" won't be affected when LAPS is enabled?

Apologies i was investigating yesterday but things got really busy. So if i remember correctly when Jamf says they are going to enable the LAPS feature they will enable it but only for the account that is found here: Global > User-initiated enrollment > macOS > Management Account.

I'm not sure why the documentation says that JAMF LAPS is enabled and always on as if you see here, on our Cloud hosted JAMF instance:

it is not on for ours.

But long story short, the account that gets created in the PreStage will not be affected, (I imagine that JAMF realizes that a lot of people probably have the FileVault key linked to that account so it would probably cause a lot of issues). The account that will have JAMF LAPS enabled is the one found at:Global > User-initiated enrollment > macOS > Management Account

Apologies i realize now that the photo i sent was an example Value as to what we would get, not the actual state of our JAMF instance. none the less the information that i got from JAMF support was that the only account that would be affected by the LAPS enablement or is effected by it is the one found at:Global > User-initiated enrollment > macOS > Management Account