Implementing LAPS with Jamf Pro

What is LAPS?

LAPS stands for Local Administrator Password Solution. It gives organisations unified management of local administrator account passwords on client computers, including:

  • The local administrator password is unique on each computer managed by LAPS.
  • LAPS rotates the local administrator password to a new random value at regular intervals.
  • LAPS stores local administrator passwords securely in a central location.


What can be achieved by enabling LAPS in Jamf Pro?

Enabling LAPS in Jamf Pro lets you assign random passwords to the hosted local administrator account and centralise their management. Specifically:

  • The hosted local administrator account password is unique on each Mac computer.
  • The hosted local administrator account password is automatically changed at regular intervals.
  • Hosted local administrator account passwords are stored centrally and securely in Jamf Pro.
  • The Jamf Pro UI provides access to the random password for each computer.
  • Once a random password has been viewed, it is automatically rotated after a set period of time and the new password is updated in Jamf Pro.
  • The Jamf Pro UI provides access to the random password audit log, which shows who viewed which account's random password and when.


What local accounts does LAPS work with?

On Mac computers managed by Jamf Pro, the LAPS feature can be applied to local administrator accounts created in one of two ways; this article calls them hosted local administrator accounts:

1. Managed local administrator account created by the jamf binary during UIE (User-initiated enrollment).

2. The hosted local administrator account configured in the PreStage Enrollment auto-enrollment settings.

Tip: Local admin accounts created through Mac System Preferences, a policy, a script, the command line, etc. are not managed accounts, so LAPS cannot be applied to them.


How can I view random passwords and audit logs for hosted local administrator accounts in Jamf Pro?

Go to Jamf Pro > Computers > Search Inventory > Search, find the computer you want to inspect, and then, under the Inventory option, view the following information in the General section:

Click View accounts and passwords and go to the Local User Account information section. Under Managed Local Administrator Accounts, click View to the right of the hosted local administrator account name that you want to look up.

A prompt then explains that the password will be rotated automatically: once viewed, the random password is changed after the configured time. Click Continue.

The password is presented on the page.

The audit log for LAPS passwords is recorded in the computer Inventory > History > Managed Local Administrator Account History. In the log, you can see information such as the name of the event, the time of the operation, the operator, and the Managed Local Administrator Account that was queried.
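The same audit trail can be pulled over the Jamf Pro API, which is useful when reviewing who accessed a machine's admin password during an incident. This is an added example, not code from the original article or from Jamf: the endpoint paths (/api/v1/auth/token, /api/v2/local-admin-password/.../audit) and the audit response shape are stated as I understand the Jamf Pro API and should be confirmed against your instance's API reference; the host, credentials and the sample response are placeholders or constructed.

```python
import base64
import json
import os
import urllib.request

# Placeholder host; endpoint paths and the audit response shape below are assumptions
# about the Jamf Pro API and should be checked against your instance's API reference.
JAMF_URL = os.environ.get("JAMF_URL", "https://jamf.example.com")

def bearer_token(base_url, username, password):
    """Exchange API-account credentials for a short-lived bearer token (POST /api/v1/auth/token)."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/api/v1/auth/token", method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["token"]

def get_json(base_url, token, path):
    req = urllib.request.Request(f"{base_url}{path}", headers={
        "Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def summarize_audit(audit):
    """Flatten the audit response to (viewer, timestamp) pairs, newest first.
    Only who/when is kept; the historical passwords the response carries are dropped."""
    events = [(a.get("viewedBy"), a.get("dateSeen"))
              for r in audit.get("results", []) for a in r.get("audits", [])]
    return sorted(events, key=lambda e: e[1] or "", reverse=True)

def viewers_since(audit, since_iso):
    """Accounts that viewed the password at or after since_iso (UTC ISO 8601 strings sort as text)."""
    return {who for who, when in summarize_audit(audit) if when and when >= since_iso}

# Constructed sample in the assumed response shape, so the functions can be exercised offline.
SAMPLE_AUDIT = {"results": [
    {"expirationTime": "2024-03-02T10:15:00.000Z",
     "audits": [{"viewedBy": "helpdesk.one", "dateSeen": "2024-03-02T09:15:00.000Z"}]},
    {"expirationTime": "2024-01-20T17:40:00.000Z",
     "audits": [{"viewedBy": "it.admin", "dateSeen": "2024-01-20T16:40:00.000Z"},
                {"viewedBy": "helpdesk.one", "dateSeen": "2024-01-19T08:05:00.000Z"}]}]}

if __name__ == "__main__":
    # Live run: MGMT_ID is the computer's management ID from its inventory record.
    token = bearer_token(JAMF_URL, os.environ["JAMF_USER"], os.environ["JAMF_PASS"])
    mgmt_id, account = os.environ["MGMT_ID"], os.environ["LAPS_ACCOUNT"]
    audit = get_json(JAMF_URL, token, f"/api/v2/local-admin-password/{mgmt_id}/account/{account}/audit")
    for who, when in summarize_audit(audit):
        print(f"{when}  viewed by {who}")
```

The account that calls the API needs the LAPS read privileges in Jamf Pro, and every call it makes is itself recorded in the audit log.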

Many of the customers we have spoken with have exactly this password management need. Using the same password on every computer is a serious security risk, and even if that password is rotated regularly, one key still opens every door. Enabling LAPS in Jamf Pro not only closes this gap for local administrator account passwords but also makes password management far more convenient, taking IT management to a new level.

Feel free to contact us if you have any questions.
