How to securely manage local admin passwords with Jamf Pro and LAPS
Jamf Pro’s implementation of Local Administrator Password Solution (LAPS) is now finalized. William Smith takes a deep dive into how it works and how to implement it.
A lot has changed and improved with Local Administrator Password Solution (LAPS). Let’s discover how it works and how to implement it.
What is Local Administrator Password Solution, or LAPS?
For decades desktop administrators have added shared IT administrator accounts to their end users’ computers for those times when they need to sit in front of a computer or remotely control it and log in. These accounts provide the elevated privileges they need to give support or troubleshoot problems. But this practice introduces a few major security problems:
- Typically, these accounts share the same username and password across computers in Accounting, Marketing, Design or even the CEO’s computer. If the credentials are ever exposed to unauthorized persons, the entire fleet is vulnerable to attack.
- Multiple people know the shared IT administrator account username and password, and these credentials are easy to share with anyone without any means of controlling access.
- Because multiple people know the credentials, end-user privacy and sensitive data are at risk without any way to audit who and when someone accesses a computer.
- And if a desktop administrator leaves the organization, someone must change the credentials on all the computers and share the updated password with the remaining administrators. Quickly!
Local Administrator Password Solution (LAPS) solves these problems.
It isn’t a piece of software like a package that we can install. It’s not a command line tool built into macOS that we can control from Jamf Pro or any other management system. And it’s not a standard technical protocol with documented guidelines like DNS or TCP/IP that all computer platforms use to interoperate with each other.
Instead, think of it as a concept. An idea. A workflow. Or as the name itself says, a “solution.”
LAPS was coined by Microsoft in May 2015 as a solution for automatically rotating passwords of shared IT administrator accounts on end users’ Windows computers. Since then, it’s become a standard industry term used across multiple computer platforms.
That year, Microsoft implemented Windows LAPS using Active Directory to securely store the passwords and Group Policy to deploy and manage settings. In October 2023, they included support in Entra ID.
Jamf Pro LAPS uses a combination of Jamf and Apple technology to support macOS High Sierra (10.13) and later, which means it supports all computers listed in Jamf Pro’s System Requirements — recommended, minimally supported and untested. It can do this because LAPS is only a solution for managing a computer’s local administrator account — the account itself is the same as any other macOS account.
Choose a LAPS method
Jamf Pro offers two methods for managing LAPS accounts. Each method has a slightly different benefit. The method you implement — or methods, because you could choose to implement both — depends on the benefits you find important.
The first method uses the jamf binary — that’s the command line tool Jamf Pro installs on every computer as part of its management framework. It includes two commands for managing its LAPS password:
- createAccount
- rotateManagementAccountPassword
Think of the jamf binary as “Jamf’s technology.”
The second method uses Apple's Mobile Device Management (MDM) specification, which is the management standard they designed. It too can create an administrator account and change its password.
The MDM specification includes two commands for managing its LAPS password:
- AutoSetupAdminAccounts
- SetAutoAdminPassword
When Jamf Pro sends these commands, they’ll appear under the computer’s History tab as part of Management History.
Think of MDM as “Apple’s technology.”
Both of these are well-established technologies that Jamf Pro supports, and they both accomplish the same goal of managing LAPS accounts. But they differ in their methods for password rotation and FileVault management.
Password rotation
The jamf binary can’t keep an open connection to its managed computers all the time. Instead, it relies on computers to check in every 15 minutes by default.
That means when it’s time to rotate the LAPS account password, there could still be a delay of several minutes before that actually happens. If you’ve set the check-in frequency to the highest possible setting, “Every 60 minutes,” it could be up to an hour before the password is actually rotated once Jamf Pro runs the rotateManagementAccountPassword command.
MDM, with the help of Apple’s Push Notification service (APNs), however, lets Jamf Pro maintain a persistent connection with computers. The LAPS account password is changed on the computer within seconds of running its SetAutoAdminPassword command.
FileVault management
The jamf binary can do something that Apple’s MDM implementation can’t currently do: manage FileVault passwords.
That means if you use the jamf binary to create and manage LAPS, the local administrator account can receive a secure token, and you can unlock a FileVault-encrypted computer using the LAPS account.
If you use Apple’s MDM implementation, you can’t enable the LAPS account for FileVault.
That may sound problematic, but keep in mind your Jamf Pro server should already have a personal recovery key escrowed, which you can use to unlock FileVault.
Everything else, though, behaves the same with both management methods.
What if I need an account for computer technicians to prepare new computers?
Ideally, you would’ve already moved to a zero-touch workflow so that technicians don’t need to prepare computers for end users. However, you may have situations where a zero-touch workflow doesn’t fit.
If your existing workflow uses the administrator account specified in User-Initiated Enrollment, you shouldn’t use the jamf binary LAPS management method. You’ll want to use MDM LAPS management.
If your existing workflow uses an administrator account specified in a PreStage enrollment, you shouldn’t use the MDM LAPS management method. You’ll want to use jamf binary management.
Turn on LAPS for new computers
After reviewing the benefits of each LAPS method and choosing the one that works better for your needs, you’re ready to turn it on for your computers.
Let’s look first at managing LAPS using the jamf binary. You need to configure two areas in Jamf Pro.
jamf binary
1. Starting in Jamf Pro’s navigation bar on the left, click Settings > Computer Management > Security.
2. Click Edit and scroll to “Password settings for managed local administrator accounts.”
This section has three settings to consider.
3. Because you’re enabling the jamf binary method for managing a LAPS account, you don’t need to select “Enable LAPS for PreStage accounts.” This is for the MDM LAPS method only.
4. The “Rotation Interval” option defaults to “Never.” That means Jamf Pro won’t rotate the LAPS account password until someone views it. If your security team has stricter requirements for managing LAPS, you may need to set it to something like “180 days,” but it’s really not necessary to rotate a password that’s never been viewed.
5. The third setting, “Rotation After Viewing Interval,” defaults to “15 minutes.” That means as soon as you view the password in Jamf Pro, it’ll wait 15 minutes and then send the rotateManagementAccountPassword command to rotate it. You may find 15 minutes is a little too quick, especially if a desktop technician is troubleshooting a problem. Set this to as short an interval as possible while still allowing a reasonable amount of time for troubleshooting.
Save these settings when you’re done. Now, let’s look at the second area you’ll need to configure.
6. In Jamf Pro Settings, click Global > User-Initiated Enrollment.
7. Click Edit and then select the Computers tab.
8. Select “Create managed local administrator account.” This used to be called the Jamf Management Account, but it’s been repurposed for LAPS now.
9. Specify a username for the administrator account you’ll deploy to your computers, and choose whether to hide it from your end users on the computer.
LAPS works regardless of whether the administrator account is hidden. Keep in mind, if you choose to enable this account for FileVault later, you can’t hide it on the FileVault login window. (Again, if you turn on FileVault, you should also be storing the personal recovery key in Jamf Pro. Use that instead of turning on FileVault for the LAPS account.)
From here, all you need to do is save.
What if the managed local administrator account is already turned on?
If you were already deploying this account when it was known as the Jamf management account, it was automatically upgraded. There’s nothing for you to do. Jamf Pro LAPS is now managing the administrator accounts on your existing computers using the jamf binary and has already randomized their passwords.
Every computer you enroll from this point forward will receive a LAPS management account. This won’t put the LAPS account on computers already enrolled. We’ll talk more about what you can do for them in a little bit.
MDM
But what if you prefer instead to use MDM to manage LAPS accounts? Similar to the jamf binary, you need to configure two areas in Jamf Pro.
1. Starting in Jamf Pro’s navigation bar on the left, click Settings > Computer Management > Security.
2. Click Edit and scroll to “Password settings for managed local administrator accounts.”
This section has three settings to consider.
3. Select “Enable LAPS for PreStage accounts.” Remember, this is for the MDM LAPS method only and doesn’t affect jamf binary LAPS management. (This also doesn’t disable jamf binary LAPS management. While it’s possible to turn on both LAPS management methods, the better practice is to choose one and disable the other. I talk about why in the “Good to know” section below.)
4. The “Rotation Interval” setting defaults to “Never.” That means Jamf Pro won’t rotate the LAPS account password until someone views it. If your security team has stricter requirements for managing local administrator accounts, you may need to set it to something like “180 days,” but it’s really not necessary to rotate a password that’s never been viewed.
5. The third setting, “Rotation After Viewing Interval,” defaults to “15 minutes.” That means as soon as you view the password in Jamf Pro, it’ll wait 15 minutes and then run the SetAutoAdminPassword command to rotate it. You may find 15 minutes is a little too quick, especially if a desktop technician is troubleshooting a problem. Set this to as short an interval as possible while still allowing a reasonable amount of time for troubleshooting.
Save these settings when you’re done. Now, let’s look at the second area you’ll need to configure.
In Jamf Pro’s navigation bar on the left, click Computers > PreStage Enrollments.
Edit an existing PreStage enrollment or create a new one, and then select the Account Settings payload.
6. Select “Create a managed local administrator account during macOS Setup Assistant.”
This account is created during the Setup Assistant whereas the Jamf binary account is created after the first user logs in. That’s not really important to how LAPS works, but it’s good to know when each account is created in case you need to troubleshoot.
7. Specify a username for the administrator account you'll deploy to your computers.
8. Provide a password.
9. Choose whether to hide the account from your end users on the computer and whether to make it MDM-enabled. LAPS works regardless of whether the administrator account is hidden.
10. Save your settings. Jamf Pro immediately changes the password during Automated Device Enrollment. (Remember, Jamf Pro cannot rotate this account’s FileVault password. Don’t enable this account later for FileVault.)
Every computer you enroll from this point forward will receive this LAPS management account when enrolled using Automated Device Enrollment. This won’t retroactively put the LAPS account on computers already enrolled. We’ll talk next about what you can do for them.
Can both LAPS accounts have the same username?
No. If you attempt to enable both methods for managing LAPS accounts, Jamf Pro won’t allow you to use the same username. Both LAPS methods cannot manage the same LAPS account.
Turn on LAPS for existing computers
With LAPS turned on, new computers enrolled from that point forward receive the managed administrator account. But what about existing computers? You’ll likely want to add a LAPS account to them too.
You have one choice: re-enroll them.
Fortunately, we have both MDM and jamf binary commands for re-enrolling computers.
MDM
Let’s quickly review what you need to know about MDM LAPS. This assumes you’ve created a new PreStage enrollment or likely edited an existing PreStage enrollment to create the administrator account.
The MDM re-enrollment command looks like this:
/usr/bin/profiles renew -type enrollment
Great! Now, how do you send that command to your computers that need re-enrolling?
You can’t.
At least not without unenrolling the computer first, which I strongly discourage. This re-enrollment method has a few problems:
First, you can definitely use Jamf Pro to send the command, and the computer will respect it. However, it requires someone sitting in front of the computer to complete the command. It’s interactive. And Jamf Pro can’t work around that.
Second, even if you did have someone sitting in front of the computer to complete the command, Jamf Pro still doesn’t add the administrator account from the PreStage enrollment. It only adds the account during the Setup Assistant, which we don’t see when running this command.
And finally, even re-enrolling this way doesn’t update the computer record’s last enrollment date in Jamf Pro. It has no good way of identifying that anything really happened.
jamf binary
So, what about the jamf binary method — the LAPS method that creates the managed local administrator account specified in User-Initiated Enrollment?
Its re-enrollment command looks like:
/usr/local/bin/jamf enroll -noRecon -noManage -noPolicy \
  -invitation "124632841331503686010851388828066332132"
It’s a little bit longer and more complex than the MDM command. And it requires that you generate an enrollment invitation.
However, this method works very well, and I recommend you use it. Here’s why:
Again, you can use Jamf Pro to send an enroll command and the computer will respect it. And it requires no user interaction on the computer.
Second, if you set the LAPS account in User-Initiated Enrollment and re-enroll a computer, the computer will receive the new account.
Third, re-enrollment will update the last enrollment date in Jamf Pro’s computer record, which means it now has a way of knowing it completed a new enrollment.
As a bonus, you can use this command to re-enroll a computer even if it was initially enrolled using a PreStage enrollment. It doesn't affect inventory items like the Enrollment Method where you can report whether it was enrolled using a PreStage enrollment or User-Initiated Enrollment. It’ll continue to report “PreStage enrollment.”
This does require a separate inventory update to make sure Jamf Pro is aware the LAPS account was created. I won’t go into the details here, but this requires a script.
To do that I’ve written Re-enroll computers for LAPS.zsh. The script includes setup instructions, which you can complete in about 10 minutes.
Retrieve the local administrator username and password
Now that you’ve configured LAPS on new and existing computers, you can start using it. It’s pretty simple.
If a desktop technician needs to do something on an end user’s computer requiring administrator privileges, either they or someone with access to Jamf Pro can locate the computer record and scroll down just a little to verify it has a LAPS account available.
The Managed Local Administrator Accounts section of a computer record will report it has no LAPS-managed accounts, one account or both types of accounts. (I’ll discuss later why I don’t recommend turning on both.)
From here, you can click the link to view accounts and passwords. This is simply taking you a little further down the list of payloads under the Inventory tab to the Local User Accounts payload.
Managed local administrator accounts appear at the top of the page. Click the button to view the password, and you’ll receive a notification you’ll have one hour (or whatever Rotation After Viewing Interval you configured earlier in Settings > Computer Management > Security) until Jamf Pro rotates the password. You have that long to troubleshoot. If it takes longer than that, you’ll need to come back and get the updated password.
Don’t forget, if this administrator account is managed using the jamf binary and depending on your check-in frequency settings, it might take up to another hour for the computer to check in with Jamf Pro and actually rotate the password.
When you click Continue, you see the password and the clock starts ticking.
Click the button to the right of the password to copy it to your clipboard where you can use it however you need.
You can use it with Terminal to SSH into the computer across the network, use it with Apple Remote Desktop to remote control and send commands, or even use it with Jamf Remote Assist. You’ll only need the password when prompted by something that requires elevated privileges.
The password is 30 characters long. You'll notice a few things about it.
First, it’s a random mix of letters, numbers and dashes. No other symbols. The dashes are important. You need to include them when typing the password.
Next, all the letters are upper case. Turn on caps lock when typing the password.
And if you question whether some of those characters are capital Os or zeroes (they could be either), paste the password into a text editor and change the font to a monospace font that clearly shows the difference between characters.
For example, the Courier New font displays 0 for zero and O for capital O.
IJ0OPI-KQILU5-IUZZYDK-KWX54YM4
Audit LAPS access
The last piece of the LAPS solution is auditing to determine who viewed a password and when.
Under the History tab of the computer record, click the Managed Local Administrator Account History payload to see a log of all the activity for that computer. It displays not only who and when but also whether the password was rotated automatically, was viewed or is pending rotation.
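The history described above can be checked against the rotation timing discussed earlier: the Rotation After Viewing Interval plus, for the jamf binary method, the check-in delay. The following Python is an added example, not code from the author or from Jamf; the event records are constructed, their field names and the method labels are hypothetical, and it assumes the rotation clock starts at the first view after the previous rotation.

```python
from datetime import datetime, timedelta

# Constructed sample history for one computer (not real data). The field
# names are hypothetical; they are not the Jamf Pro API schema.
SAMPLE_HISTORY = [
    {"time": "2024-03-04T09:00:00", "event": "VIEWED", "user": "tech.alice"},
    {"time": "2024-03-04T09:20:00", "event": "VIEWED", "user": "tech.bob"},
    {"time": "2024-03-04T10:10:00", "event": "ROTATED", "user": None},
    {"time": "2024-03-05T14:00:00", "event": "VIEWED", "user": "tech.alice"},
    {"time": "2024-03-05T17:30:00", "event": "ROTATED", "user": None},
    {"time": "2024-03-06T08:00:00", "event": "VIEWED", "user": "tech.carol"},
]

# Assumption: MDM rotation lands "within seconds", so allow one minute.
MDM_GRACE_S = 60


def exposure_windows(history, rotate_after_view_s, method,
                     checkin_s=900, now=None):
    """Group password views into exposure windows and flag late rotations.

    A window opens at the first view after a rotation and closes at the
    next rotation. It is late when it stays open longer than the rotation
    after viewing interval plus the delivery delay of the chosen method:
    one check-in period for the jamf binary, a short grace for MDM.
    """
    if method not in ("jamf-binary", "mdm"):
        raise ValueError("method must be 'jamf-binary' or 'mdm'")
    now = now or datetime.now()
    slack_s = checkin_s if method == "jamf-binary" else MDM_GRACE_S
    allowed = timedelta(seconds=rotate_after_view_s + slack_s)

    events = sorted(history, key=lambda r: datetime.fromisoformat(r["time"]))
    windows, current = [], None
    for rec in events:
        when = datetime.fromisoformat(rec["time"])
        if rec["event"] == "VIEWED":
            if current is None:
                current = {"opened": when, "closed": None, "viewers": []}
                windows.append(current)
            if rec["user"] not in current["viewers"]:
                current["viewers"].append(rec["user"])
        elif rec["event"] == "ROTATED" and current is not None:
            current["closed"] = when
            current = None

    for w in windows:
        end = w["closed"] or now  # an open window is measured up to "now"
        w["exposed_for"] = end - w["opened"]
        w["late"] = w["exposed_for"] > allowed
    return windows


if __name__ == "__main__":
    # One-hour rotation after viewing, default 15-minute check-in.
    report_time = datetime(2024, 3, 6, 8, 30)
    for w in exposure_windows(SAMPLE_HISTORY, 3600, "jamf-binary",
                              now=report_time):
        state = "rotated" if w["closed"] else "still open"
        flag = "LATE" if w["late"] else "ok"
        print(w["opened"], state, w["exposed_for"], w["viewers"], flag)
```

A late window on a jamf binary account usually means the computer has not checked in; the same history judged as an MDM account leaves far less slack, so the first window above is late under "mdm" but not under "jamf-binary".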
Turn off LAPS
You may find you need to disable LAPS for either the jamf binary or MDM management method. It’s simple to turn off either method for computers you’ll be enrolling in the future.
To disable the LAPS method using the jamf binary, return to Jamf Pro Settings > Global > User-Initiated Enrollment and deselect “Create managed local administrator account.”
To disable the MDM method, return to Jamf Pro Settings > Computer Management > Security and turn off “Enable LAPS for PreStage accounts.”
However, once either LAPS management method is applied to a computer, Jamf Pro continues to manage the LAPS account even if you’ve turned it off in Settings. The only way to disable LAPS management on a computer is to delete the administrator account itself. You can:
1. Run a policy with the Local Accounts payload to “Delete Account.”
2. Locate the account in the computer record under the Inventory tab > Local User Accounts, click Manage to the far right and click “Remove User.”
3. Run either of the following commands in Terminal:
That takes care of everything an administrator needs to know to configure and deploy LAPS.
But some administrators may need to implement LAPS at scale across multiple instances, or they may need to create some custom workflows that combine LAPS with other tools like Self Service. For them, the Jamf Pro API offers the same configurability for their scripting needs as the Jamf Pro interface.
Let’s see how we can manage LAPS with scripts.
Use the Jamf Pro API to manage LAPS
You can manage everything from turning on LAPS to retrieving passwords to auditing access with the Jamf Pro API.
All the API work was done first in earlier releases of Jamf Pro starting more than a year ago, and what you see in the GUI today is built on that work. If you’ve been testing LAPS in the API, be sure to update your scripts and workflows to the v2 endpoints.
Let’s cover the fundamentals you’ll need for writing your own scripts.
First, determine which LAPS method you want to use — jamf binary or MDM.
In the Jamf Pro API, which you can access by appending “/api/doc” to the end of your Jamf Pro URL, locate local-admin-password to review its 12 endpoints.
This is not only developer documentation but an interactive playground where you can experiment with endpoints to see how they work and how they affect enrolled computers.
Turn on LAPS
To enable LAPS you’ll need to create a small text snippet in JSON format with the LAPS management settings. These settings correspond to the section in Jamf Pro Settings > Computer Management > Security > “Password settings for managed local administrator accounts.”
The equivalent of “Enable LAPS for PreStage accounts” is autoDeployEnabled. Set this to “true” only if you’re using the MDM LAPS management method. Otherwise, keep this set to “false.” Remember to also set the LAPS account username in either the PreStage enrollment or User-Initiated Enrollment.
The equivalent of “Rotation after viewing interval” is passwordRotationTime. Set this to the number of seconds Jamf Pro should wait before automatically rotating the LAPS password after viewing it. For example, 3600 seconds equals “1 hour.”
60 seconds x 60 minutes x 1 hour = 3600 seconds
The equivalent of “Rotation Interval” set to “Never” is autoRotateEnabled set to “false.”
The equivalent of “Rotation Interval” set to any number of days is autoRotateEnabled set to “true” and autoRotateExpirationTime set to the number of seconds Jamf Pro should wait before automatically rotating LAPS passwords whether they’ve been viewed or not. For example, the default 7776000 seconds equates to “90 days.”
60 seconds x 60 minutes x 24 hours x 90 days = 7776000 seconds
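The mapping between the Security settings and the JSON keys described above, as an added Python example (not the author's snippet or Jamf's code): it builds the settings body from the values you would pick in the interface and checks a settings document against the method you chose. The method labels, function names and the sample settings are hypothetical or constructed; sending the body is left to the settings endpoint listed under local-admin-password in /api/doc.

```python
import json

DAY_S = 24 * 60 * 60
DEFAULT_EXPIRATION_S = 7776000  # the default named on this page: 90 days


def build_settings(method, rotate_after_view_s, rotation_interval_days=None):
    """Build the LAPS settings body.

    method: 'jamf-binary' or 'mdm' (hypothetical labels for the two methods).
    rotation_interval_days: None means Rotation Interval "Never".
    """
    if method not in ("jamf-binary", "mdm"):
        raise ValueError("method must be 'jamf-binary' or 'mdm'")
    if rotate_after_view_s <= 0:
        raise ValueError("rotation after viewing must be a positive number of seconds")
    if rotation_interval_days is not None and rotation_interval_days <= 0:
        raise ValueError("rotation interval must be a positive number of days")
    auto_rotate = rotation_interval_days is not None
    return {
        # "Enable LAPS for PreStage accounts": true only for the MDM method.
        "autoDeployEnabled": method == "mdm",
        # "Rotation After Viewing Interval", in seconds.
        "passwordRotationTime": int(rotate_after_view_s),
        # "Rotation Interval": Never -> false, any number of days -> true.
        "autoRotateEnabled": auto_rotate,
        # Left at the default when rotation is "Never" (assumption: the
        # value has no effect while autoRotateEnabled is false).
        "autoRotateExpirationTime": (rotation_interval_days * DAY_S
                                     if auto_rotate else DEFAULT_EXPIRATION_S),
    }


def review_settings(settings, method, max_after_view_s):
    """Return findings where a settings document drifts from the intent."""
    findings = []
    if settings.get("autoDeployEnabled") != (method == "mdm"):
        findings.append("autoDeployEnabled does not match the chosen method "
                        f"({method}); both LAPS methods may end up enabled")
    view_s = settings.get("passwordRotationTime", 0)
    if view_s <= 0 or view_s > max_after_view_s:
        findings.append(f"passwordRotationTime is {view_s}s; "
                        f"expected 1..{max_after_view_s}s")
    if settings.get("autoRotateEnabled") and \
            settings.get("autoRotateExpirationTime", 0) <= 0:
        findings.append("autoRotateEnabled is true but "
                        "autoRotateExpirationTime is not a positive value")
    return findings


# Constructed settings document, shaped like the keys described above.
SAMPLE_SETTINGS = {
    "autoDeployEnabled": True,
    "passwordRotationTime": 86400,
    "autoRotateEnabled": False,
    "autoRotateExpirationTime": 7776000,
}

if __name__ == "__main__":
    print(json.dumps(build_settings("jamf-binary", 3600), indent=2))
    for finding in review_settings(SAMPLE_SETTINGS, "jamf-binary", 3600):
        print("FINDING:", finding)
```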
To apply these settings programmatically using the Jamf Pro API, add this snippet to your script:
View LAPS credentials
Viewing credentials requires your script to get a few pieces of information once you’ve provided it with the computer’s Jamf Pro management ID. You can find the management ID under the General payload of each computer record or using one of the computer-inventory endpoints in the Jamf Pro API.
To get the full credentials, you must run two API commands plus some additional commands to extract the exact information:
Set LAPS password
The Jamf Pro API has similar endpoints your script can read to view management history and audit Jamf Pro users who’ve accessed LAPS credentials.
It also has one feature that’s unique and doesn’t appear in the Jamf Pro interface — it can set a LAPS account’s password to a shorter and easier-to-remember password.
To set a specific password, you must know the management ID of the computer:
These are just snippets to show the syntax for scripts. I’ve put together several example scripts for managing, administering, and auditing Jamf Pro LAPS accounts. They’re posted on GitHub. You can use them as starters for your own scripts.
For a full developer reference for managing LAPS using the Jamf Pro API, refer to Jamf’s developer documentation.
That’s it! That’s how LAPS works in Jamf Pro.
Good to know information about using Jamf Pro LAPS
I’ve only reviewed the basics of managing, administering and auditing Jamf Pro LAPS accounts. But I’ve also created a short list of good to know information you might find useful too.
- Still not sure whether you want to use the jamf binary method or MDM method for LAPS management? Go with the jamf binary method. Jamf Pro will have far more control over LAPS, and Jamf can deliver new features without depending on changes from Apple.
- If you notice inconsistencies when applying LAPS managed settings to a computer, you may need to re-enroll it or delete the computer record and re-enroll it. You can use the Re-enroll computers for LAPS.zsh script I mentioned earlier.
- That script is written to disable updating inventory, running policies and updating the Jamf management framework that normally occurs during enrollment. However, Jamf Pro is still aware that an enrollment completed. Test your critical workflows or integrations that it may impact.
- Over time, our Jamf Pro environments may get polluted with cruft left over from experimentation, past product issues or forgotten configurations. In some cases, setting LAPS management account passwords via the Jamf Pro API may require a full wipe and enrollment, not just a re-enrollment. You may find you need to recreate your PreStage enrollment configuration if its LAPS management account doesn’t appear as managed in Jamf Pro.
- When experimenting with jamf binary LAPS accounts, running sudo jamf policy in Terminal will force password rotations right away instead of having to wait for the next check-in.
- When troubleshooting your LAPS management scripts, verify first you can manage your settings or get LAPS information directly in the Jamf Pro API. This takes the script out of the mix. You may find you’ve discovered a product issue instead of a problem with your script.
- Remember, LAPS accounts are just ordinary macOS administrator accounts. There’s nothing on the computers themselves to indicate they’re being managed by Jamf Pro as LAPS managed accounts. You can’t create an extension attribute to report on them. You don’t need to. Instead, refer to the computer record’s Inventory tab > Local User Accounts.
- After enrollment, Jamf Pro immediately reports on jamf binary accounts. However, it won’t report on PreStage accounts until after the next inventory update. That usually occurs at the next check-in just after enrollment. During your testing, you can run sudo jamf recon in Terminal to update Jamf Pro immediately.
- Although the jamf binary now includes a rotateManagementAccountPassword command, it’s not a command you can use interactively in Terminal or your scripts. It’s available only to the Jamf management framework.
- Instead, you can rotate jamf binary passwords on demand using a policy. Add the Management Accounts payload and select “Rotate Account Password.” You might find this useful to add to Self Service, for example, for a desktop technician to immediately rotate the LAPS account password after a support session. This is even more useful when the rotation interval after viewing a password is set to hours or days. It won’t affect pending password rotations, which remain queued.
- Changing the username for either LAPS management method won’t change the usernames on already-enrolled computers. That’s not a limitation of LAPS. Jamf Pro isn’t designed to do this. You’ll need to re-enroll computers to add a new jamf binary LAPS account, or you’ll need to erase and re-enroll computers to change the MDM LAPS account.
Rethinking local administrator support
With LAPS you no longer need a shared IT administrator account with the same username and password spread across your fleet of computers.
Instead, think of a LAPS account as a “break glass” account — something you should need only in case of an emergency. If you have Jamf Pro managing your computers and an Identity Provider (IdP) managing your user accounts, you should rarely need to use your LAPS account. Let’s modernize our thinking around how we use IT admin accounts.
- You really shouldn't need to use a computer’s LAPS account very often. If you’re using it a lot, you’re doing something wrong. Look at ways to minimize your need to act locally.
- The LAPS account’s password is purposely long, and you can’t control its length or complexity. Again, the account’s not something you should use daily. Making an administrator account convenient for yourself also makes it convenient for a bad actor.
- You have Jamf Pro. Use it to manage your fleet centrally and to stay as hands-off as possible with computers. This is just a wise use of your time, and it protects both you and your end users’ privacy and security.
- Use an Identity Provider (IdP) like Google Workspace, Microsoft Entra ID or Okta to manage your end users’ computer accounts. If someone forgets their password, they can take advantage of the IdP’s “forgot password” feature to reset their account. Or your Help Desk technicians can reset it for them.
- Don’t turn on FileVault for LAPS accounts. Instead, unlock computers using an escrowed Personal Recovery Key, which you should already have in the Jamf Pro computer record.
- The LAPS account is intended for use in the field while working with end users, not while you're doing long term troubleshooting, repairs or upgrades. If you need a working account while a computer is in your possession, create a temporary administrator account and then delete it before returning the computer to the end user.
- Don’t deploy more than one LAPS account. Every account is an attack vector — a way to enter a system — for a bad actor to attempt to exploit. Good security begins with limiting the number of possible ways to gain access to a computer.
- One more time: Any administrator account, not just the LAPS account, should be inconvenient to use to keep you from using it more often than absolutely needed.
Helping improve Jamf Pro’s LAPS support
Best of luck with implementing Jamf Pro LAPS in your environment!
If you find an issue where it behaves in an unexpected way, open the Jamf Support portal and log in with your Jamf ID. You can submit a technical support ticket or report a technical issue.
If you have ideas for improving Jamf’s LAPS implementation, submit a feature request and tell us what you have in mind.
And to give us your feedback before we release new versions of Jamf Pro, log in to your Jamf Account and join the Customer Feedback Program. You’ll receive a Jamf Cloud instance running the latest beta where you can test your workflows before they go into production.
Implementing LAPS in your environment will likely be the best security improvement you make this year.