Will MDM LAPS affect previously enrolled Macs?

jrmfong
New Contributor II

Just did some tests to understand the behaviour of PreStage admin LAPS. Here are the details:

1. PreStage admin is set up with a static password. LAPS is off. No Jamf management admin is set up.

2. Enrol Mac A

3. The admin account is confirmed to have been created on Mac A.

4. Turn on PreStage admin LAPS.

5. Enrol Mac B

6. The admin account on Mac B is created. Its password is rotated once enrolled, and it is confirmed to rotate again one hour after being viewed in Jamf Pro.

7. On Mac A, LAPS remains off. The password is not viewable in Jamf and is not rotated.


These are my test results in Jamf Pro 11.3; I'm not sure if it is the same in your environment. And how can I enable PreStage LAPS for Mac A?

2 REPLIES

Pioneer
New Contributor III

Strange. LAPS is enabled for the whole environment, not for individual Macs (at least in theory), so it's probably enabled for your Mac A as well. The fact that the password is not viewable is really interesting; usually that happens when you've got a management account set with the same name as the PreStage admin, but you've mentioned it's not created.

The only thing I've noticed in my environment: when LAPS was enabled it didn't roll already-existing passwords right away, but only after viewing them or after the scheduled time, so basically you've still got the old passwords working for some time if you don't reveal them.

Is it giving you any error codes after you try to view the password via API?

jrmfong
New Contributor II

Yes, you are right. Subsequent tests show some findings that might be useful for someone:

Case 1: PreStage admin is set up, but without a Jamf management admin.

Case 2: PreStage admin and Jamf management admin are set with the same account name.

Case 3: PreStage admin and Jamf management admin are set up with different names.

Turning on MDM LAPS for the cases above will just set up the 30-character password after 5 minutes. Rotation works as expected. 😀
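Pioneer's suggestion to check the API response when viewing the password, and jrmfong's follow-up that the LAPS password appears about 5 minutes after MDM LAPS is switched on, can both be checked from a script rather than by clicking through Jamf Pro. The following is an added example, not code from either poster or from Jamf. It uses the Jamf Pro API local-admin-password endpoints (`/api/v2/local-admin-password/settings`, `.../{managementId}/accounts`, `.../{managementId}/account/{username}/password`, `.../audit`) and `POST /api/v1/auth/token` for a bearer token; the JSON key names in `summarize_settings`, the environment variable names, and the HTTP status interpretations are assumptions to verify against your Jamf Pro version's API documentation. Viewing the password through the API is itself an audited event and starts the post-view rotation timer, so the script only reveals it when asked.

```python
"""Check MDM LAPS state for one Mac through the Jamf Pro API (added example)."""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumed environment variable names (not from the thread).
JAMF_URL_ENV = "JAMF_URL"      # e.g. https://example.jamfcloud.com
JAMF_USER_ENV = "JAMF_USER"    # API account with LAPS read privileges
JAMF_PASS_ENV = "JAMF_PASS"
SERIAL_ENV = "MAC_SERIAL"      # serial number of the Mac to inspect

# Environment-wide LAPS settings endpoint (Jamf Pro 10.49 and later).
SETTINGS_PATH = "/api/v2/local-admin-password/settings"


def laps_paths(management_id, username):
    """Per-computer LAPS endpoints for one local account (values URL-escaped)."""
    mid = urllib.parse.quote(management_id, safe="")
    user = urllib.parse.quote(username, safe="")
    base = f"/api/v2/local-admin-password/{mid}"
    return {
        "accounts": f"{base}/accounts",
        "password": f"{base}/account/{user}/password",
        "audit": f"{base}/account/{user}/audit",
    }


def get_token(base_url, user, password):
    """Exchange basic credentials for a bearer token (POST /api/v1/auth/token)."""
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url + "/api/v1/auth/token", method="POST",
        headers={"Authorization": "Basic " + cred, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["token"]


def api_get(base_url, token, path):
    """GET a Jamf Pro API path; return (HTTP status, parsed JSON or raw text)."""
    req = urllib.request.Request(
        base_url + path,
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
        try:
            body = json.loads(body)
        except ValueError:
            pass
        return err.code, body


def summarize_settings(settings):
    """Reduce the settings JSON to the questions asked in the thread.
    Key names are assumed from the Jamf Pro API and should be verified."""
    return {
        "laps_enabled": bool(settings.get("autoDeployEnabled")),
        "rotate_after_view_seconds": settings.get("passwordRotationTime"),
        "scheduled_rotation": bool(settings.get("autoRotateEnabled")),
        "scheduled_rotation_seconds": settings.get("autoRotateExpirationTime"),
    }


def interpret_password_status(status):
    """Explain the result of GET .../password (assumed mapping)."""
    if status == 200:
        return "password on record; viewing it starts the post-view rotation timer"
    if status == 404:
        return "no LAPS password on record for this account on this computer"
    if status in (401, 403):
        return "token lacks the LAPS read privilege or has expired"
    return f"unexpected HTTP {status}"


def find_management_id(base_url, token, serial):
    """Look up general.managementId for a serial via computers-inventory."""
    query = urllib.parse.urlencode([
        ("section", "GENERAL"), ("section", "HARDWARE"),
        ("filter", f'hardware.serialNumber=="{serial}"')])
    status, body = api_get(base_url, token, "/api/v1/computers-inventory?" + query)
    if status != 200 or not body.get("results"):
        return None
    return body["results"][0]["general"]["managementId"]


def main():
    base_url = os.environ[JAMF_URL_ENV].rstrip("/")
    token = get_token(base_url, os.environ[JAMF_USER_ENV], os.environ[JAMF_PASS_ENV])
    username = next((a for a in sys.argv[1:] if not a.startswith("--")), "admin")
    status, settings = api_get(base_url, token, SETTINGS_PATH)
    print("LAPS settings:", summarize_settings(settings) if status == 200 else status)
    mid = find_management_id(base_url, token, os.environ[SERIAL_ENV])
    if not mid:
        sys.exit("no computer found for that serial number")
    paths = laps_paths(mid, username)
    status, accounts = api_get(base_url, token, paths["accounts"])
    print("LAPS-managed accounts:", accounts if status == 200 else status)
    status, audit = api_get(base_url, token, paths["audit"])
    print("audit history:", audit if status == 200 else status)
    if "--reveal" in sys.argv:  # only arm the rotation timer on request
        status, body = api_get(base_url, token, paths["password"])
        print("password lookup:", status, interpret_password_status(status))
        if status == 200:
            print("password:", body["password"])


if __name__ == "__main__":
    main()
```

Run it as `python laps_check.py <local-admin-short-name>` with the four environment variables set; add `--reveal` to actually fetch the password. Comparing the `accounts` list for a Mac enrolled before LAPS was switched on with one enrolled after is the quickest way to see whether Jamf Pro has a LAPS password on record for it yet, and the audit endpoint shows each view and rotation with its timestamp.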