Jamf added support for LAPS in Jamf Pro 10.46.0 released in April.
TURNS is an abbreviation forLocal administrator password analysis.It was invented by Microsoft in May 2015 as a solution to automatically rotate shared IT administrator account passwords on end-user computers. Since then, it has become an industry standard term used across all platforms.
For decades, desktop admins have been adding shared IT admin accounts to end-user computers when they need to sit in front of a computer or remotely control a computer and log in. However, this approach introduces several serious security issues:
- Typically, these accounts have the same username and password on different computers. If credentials are leaked to an unauthorized third party, the entire fleet is vulnerable.
- Many people are familiar with these shared IT administrator credentials and can easily share them with others without any means of controlling access.
- Because many people know that credentials, end-user privacy, and sensitive data are at risk, but can't see who is using it to access a computer when.
- If a desktop administrator leaves the organization, someone needs to change the credentials on all computers and share the updated password with other administrators.
LAPS addresses these issues.
While Microsoft may have developed the LAPS workflow, Jamf Pro uses Apple technology to implement it. LAPS Jamf Pro is compatible with all recommended macOS versions listed inJamf Pro system requirements.
Let's take a look at how to use LAPS with Jamf Pro. We'll discuss how to:
- Define an administrator account in the PreStage registration
- View and enable LAPS settings in Jamf Pro
- Apply LAPS settings to your computer
- Check if LAPS is being used on the computer
- Recover local administrator username and password
- LAPS Access Audit
- turn off turn
Automatic device registration must create a local administrator account during registration.
When device auto-enrollment creates a local administrator account, it becomes the only accountManaged Apple administrator account.This means that LAPS in Jamf Pro can only manage local administrator accounts.
The Jamf Pro administrator defines this account name under Computers > PreStage Registration. Each PreStage registration can have its own unique administrator username, but computers are still limited to a single managed Apple administrator account.
To set up PreStage registration using a managed Apple administrator account:
- Create a new PreStage registration or edit an existing PreStage registration.
- In Payload Account Settings, enableCreate a local administrator account before installing the wizard.
- environmentusernameSomething like "localadmin" or any unique name without spaces.
- placepasswordIverify passwordFields for known passwords. (Later we will try to authenticate with a known password to see if LAPS will break it.)
- Choose if you want to hide the account and enable MDM on it. These settings do not affect the management of LAPS.
- Specify the range and save the PreStage recording.
Once enabled by the Jamf Pro administrator, machines already registered with existing PreStage are eligible for LAPS management.
In the initial release, LAPS in Jamf Pro can only be configured and viewed through the Jamf Pro API. Jamf will provide LAPS in the Jamf Pro GUI at a later date as the feature set matures. This does not mean that administrators need to learn how to write scripts to use LAPS. They can perform any action in the Jamf Pro API page.
Administrators must ensure their Jamf Pro account is set up before configuring LAPS.set of privilegesis set to "Administrator". If your account's permission set is set to Custom, you should verify that you have enabled two new permissions on the Permissions > Jamf Pro Server Operations tab:
- View local administrator password
- View local administrator password audit history
Let's see how LAPS is configured by default:
- Open the Jamf Pro server in a web browser and add "/api" to the end of the URL (for example,https://talkingmoose.jamfcloud.com/api).
- Click the View Jamf Pro API button.
- At the top of the Jamf Pro API page, enter your Jamf Pro username and password (with LAPS permissions) and click Authorize. The account is authorized for 30 minutes and must then be reauthorized.
- scroll down and clicklocal administrator passwordSix new endpoints were reviewed. (There may be older version 1 endpoints, but they are deprecated and Jamf will remove them later.)
- clickGET /v2/localadmin_password/settings, click Try it out, and then click Go.
- In the "Answers" section below, find the text of the answer. It will display the current LAPS Jamf Pro settings.
LAPS is disabled by default (Enable automatic deploymentSet to 'false)'. When LAPS is enabled, the password on the computer will be rotated every three months (AutoRotationExpirationTimeAutoRotationExpirationTimeset to "7776000" seconds). And it will automatically rotate the password of the managed Apple administrator account after one hour of showing (Password rotation timeset to "3600" seconds).
Let's enable LAPS:
- Scroll down and click on the next endpointPUT /v2/localadmin_password/settings.
- Click Try it out.
- heLAPS configuration to updateThis field shows the current setting. is editable
- To enable LAPS, set autoDeployEnabled and autoRotateEnabled to "true". To adjust the frequency of each setting, enter new values in seconds.
- Click Run.
- The response body shows the updated configuration. Jamf Pro will rotate your computer's managed Apple administrator account password after 15 minutes (900 seconds) of display and automatically change all passwords daily (86400 seconds).
The computer must send an inventory report before Jamf Pro can apply your LAPS settings. By default, they upload their inventory once a week.
To force a manifest update on your test machine, open your Terminal application and run the following command:
sudo jamf identify
Alternatively, create a new Jamf Pro policy and enable it.update your inventorywmaintainburden. existGeneralload setoffspringA "loop recording" iexecution frequencyto "Once per computer". Apply the policy to the test computer and save it. Once registered with Jamf Pro, the computer updates its inventory. (It's also a quick way to apply LAPS to a group of computers or an entire fleet.)
How does an administrator know that LAPS is running?
Jamf Pro uses Apple Push Notification service (APN) commands.Set an automatic admin passwordChange your account password. Within seconds of sending the inventory report, the Jamf Pro should send a command to the computer and receive a response.
To verify the command, click Computer > Browse Resources. Click a computer name to view its inventory. Then click History > Manage History. heSet an automatic admin passwordThe command should appear under "Completed Commands".
Another way to check if Jamf Pro has applied LAPS on your computer is to try authenticating with a local administrator account. The easiest way to do this is to log in as the account using Terminal again. runningand(Proxy user) Use the name of the Apple administrator account you manage on your computer:
local administrator
Enter a known password when prompted. If the terminal responds with "Sorry", the known password is no longer valid, which means Jamf Pro has changed the password.
use:The computer itself does not know that it is managed by LAPS. As far as he knows, he was directed to change the password of the Apple administrator account he manages.
Displaying the current LAPS password requires combining several elements.
First, the Jamf Pro administrator needs to restore the computerAdmin ID.This is an identifier created during registration and unique to each computer. It is only stored in Jamf Pro and is only visible through the Jamf Pro API.
- In the machine inventory log in Jamf Pro, click Inventory > General and noteJamf Pro Computer ID. (This is not the administrator ID, but the computer ID helps identify the next computer.)
- Return to the Jamf Pro API by adding "/api" to the end of the Jamf Pro server URL and reauthorize if necessary.
- scroll down and clickcomputer inventoryCheck out your endpoints.
- clickGET /v1/computers-inventory-detail/{id}, click Try It Out, and enter the standard Jamf Pro PC ID.
- Click Run.
- In the "Answers" section below, find the text of the answer. It will display information about your computer.
- Scroll down the answer a bit and look for managementId. Copy its value.
- Scroll down the Jamf Pro API page to return tolocal administrator password.
- clickGET /v2/local admin password/{clientManagementId}/accounts, click Try it out, and paste the management ID into the clientManagementId field.
- Click Run.
- In the "Answers" section below, find the text of the answer. It will display the username of the managed Apple administrator account. (This is the same administrator account username used for PreStage registration.)
- To recover your LAPS account password, scroll up slightly on the Jamf Pro API page.
- clickGET /v2/local-administrator-password/{clientManagementId}/account/{username}/password, click Try and paste your management ID into the clientManagementId field, then enter the username of your local administrator account in the Username field.
- Click Run.
- In the "Answers" section below, find the text of the answer. It will display the password of the managed Apple administrator account.
Note that this password is only valid for the time specified in the passwordRotationTime parameter when LAP is enabled. work quickly.
Protecting the privacy of end-user data requires knowing who accessed passwords and when. The LAPS implementation in Jamf Pro provides auditing to disclose this information.
For a successful audit, the Jamf Pro administrators themselves should not use a shared user account when logging into the server. Instead, administrators should set a long, complex password that only one person knows and keep it in a safe place. (Also consider enabling Jamf Propassword policyto allow password recovery for this account, just in case). Each server administrator must then use a uniquely identifiable username with the necessary privileges.
To control who has access to the passwords of LAPS-managed computers:
- Return to the Jamf Pro API by adding "/api" to the end of the Jamf Pro server URL and reauthorize if necessary.
- scroll down and clickcomputer inventoryCheck out your endpoints.
- clickGET /v1/computers-inventory-detail/{id}, click Try It Out, and enter the standard Jamf Pro PC ID.
- Click Run.
- In the "Answers" section below, find the text of the answer. It will display information about your computer.
- Scroll down the answer a bit and look for managementId. Copy its value.
- To see who has accessed your computer's LAPS password, scroll down and clicklocal administrator passwordCheck out your endpoints.
- clickGET /v2/local-administrator-password/{clientManagementId}/account/{username}/audit, click Try it out, paste your management ID into the clientManagementId field, and enter your local administrator account's username in the Username field.
- Click Run.
- In the "Answers" section below, find the text of the answer. The audit history for the LAPS account will be displayed, including the account name showing the password, the password itself, and the date they were viewed by a Jamf Pro administrator.
LAPS Jamf Pro is global. This applies to all computers with a local administrator account created during automatic device enrollment. Therefore, administrators cannot easily apply LAPS settings to only a subset of computers.
Desktop administrators can disable LAPS on existing computers by removing the managed Apple administrator account. Recreating the account with the same name will not re-enable it for LAPS as it will have a different UUID.
To disable LAPS globally, Jamf Pro administrators must follow a specific sequence of operations in order not to lose access to the local administrator account:
- Return to the Jamf Pro API by adding "/api" to the end of the Jamf Pro server URL and reauthorize if necessary.
- scroll down and clicklocal administrator passwordCheck out your endpoints.
- clickPUT /v2/localadmin_password/settingsand click Try it.
- The LAPS Setting to Update field displays the current setting.
- Set autoRotateEnabled to false to disable and continue password changes.
Note that LAPS cannot recover the original local administrator account password on a computer, and each computer has a unique password. Although Jamf Pro providesPUT /v2/local-admin-password/{clientManagement}/set-password endpoint, only one computer can be configured at a time. Jamf Pro administrators need to create a Jamf Pro API script to set a password for each computer using LAPS. Administrators should disable LAPS only after ensuring that all passwords have been changed to known passwords:
- Return to the Jamf Pro API by adding "/api" to the end of the Jamf Pro server URL and reauthorize if necessary.
- scroll down and clicklocal administrator passwordCheck out your endpoints.
- clickPUT /v2/localadmin_password/settingsand click Try it.
- Set autoDeployEnabled to false to disable LAPS.
- Click Run.
Now is the time for customers to try out LAPS and provide feedback while Jamf is in its early stages. Any customer can sign up for Jamf ProCustomer Feedback ProgramAnd visit the private beta forum. Betas are a great opportunity to see what's next and test key workflows before a new version of Jamf is released. Customers planning to use LAPS in their environment must participate.
Administrators should carefully consider whether LAPS is appropriate for their environment. Ideally, each Jamf Pro admin account should be protected by a combination of a strong password policy, single sign-on using a randomized failover URL, and limited access to other admin account settings. Although products likeinterfering connectionCompatible with LAPS Jamf Pro, both provide secure and controlled administrator access to computers. Implement one of these for simplicity and auditability.
Jamf Cloud customers should test LAPS on their free Jamf Cloud sandbox instances before enabling LAPS on their production servers. Clients can use theiraccount interferenceOr contact your Customer Success Manager.
It's worth reiterating that LAPS is an API-first feature. This means it will only be available in the API until Jamf completes its LAPS feature set. Later, for those who are unhappy with the API, it should be moved to the Jamf Pro GUI.
FAQs
What is laps local administrator password solution? ›
The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.
Does laps enable local admin account? ›If this policy is not configured, LAPS will default to using the local built-in Administrator account. We recommend creating your own LAPS administrator account for a variety of reasons, one of which is that the default Administrator account is often disabled by default.
How do you secure laps? ›- PowerShell Permission Scripts. ...
- Remove All Extended Permissions. ...
- Locking Password Reset Permissions. ...
- Administrator Training and Awareness. ...
- Integrated Approach to Data Security.
Browse to the following policy settings Computer Configuration -> Policies -> Administrative Templates -> LAPS. Click on the policy Enable local admin password management. Click on Enable and then OK.
Is laps still supported? ›The Windows LAPS on-premises Active Directory scenarios are fully supported as of the above updates. Windows LAPS with Microsoft Entra (Azure AD) and Microsoft Intune support is now in public preview as of April 21st 2023.
What advantages does laps provide an it administrator? ›LAPS simplifies password management while helping customers implement additional recommended defenses against cyberattacks. In particular, the solution mitigates the risk of lateral escalation that results when customers use the same administrative local account and password combination on their computers.
Is local administrator account the same as domain administrator? ›You see, the limitation is that the Domain Administrator cannot do anything outside of the domain. A Local Administrator is already outside the domain and has the full power to do anything desired on the location machine, which IS PART of the domain.
What happens when laps password expires? ›LAPS retrieves the current expiry date and time for the Local Administrator password on the current computer from Active Directory. If the expiry is not blank and is still in the future, nothing happens.
What is the difference between local administrator and system account? ›An administrator account is similar to a standard account but with some additional privileges. These privileges allow you to manage system files or do anything without requiring confirmation. With an administrator account, you can also access all those files that other users own on the same computer.
What are the risks of laps? ›Organizations have the practice of using the same password for local administrator accounts across all domain-joined computers. Such accounts are vulnerable to credential theft attacks like Pass-the-Hash (PtH) attacks.
How do I run laps as administrator? ›
- Open the Group Policy Management Console.
- Create a new Group Policy in your Computers OU.
- Right-Click the new Policy and select Edit.
- Navigate to : Computer Configuration > Polices > Administrative Templates > LAPS.
You can use the ADPasswordEncryptionPrincipal policy setting to set a specific security principal for encrypting the password. If ADPasswordEncryptionPrincipal isn't specified, Windows LAPS encrypts the password against the Domain Admins group of the managed device's domain.
How do I enter local admin credentials? ›- In the bottom-left corner of the sign-in screen, click on Other User.
- Enter “. \Administrator” as the username, enter your local admin password, and press Enter.
By default, the OverLAPS is configured to use port 80 for unencrypted (HTTP) traffic and port 443 for encrypted (HTTPS) traffic.
Is laps now part of the OS? ›Windows LAPS now part of the OS; new password security features included. With the cumulative update for April 2023, Microsoft delivers the Local Administrator Password Solution (LAPS) as a system component for the first time. The updated version uses different attributes in AD and introduces new PowerShell cmdlets.
Is Windows laps now part of the OS? ›The new version of LAPS is now being delivered via Windows Update to the following Operating Systems: Windows 11 Pro, EDU and Enterprise. Windows 10 Pro, EDU and Enterprise. Windows Server 2022 and Windows Server Core 2022.
How do I know if laps is installed? ›- # Identify if installed to Program Files. Get-ChildItem 'C:\Program Files\LAPS\CSE\Admpwd.dll' Get-ChildItem 'C:\Program Files (x86)\LAPS\CSE\Admpwd.dll' dir 'C:\Program Files\LAPS\CSE\' ...
- # Import module. Import-Module AdmPwd. PS. ...
- # Get Groups that can read the ms-Mcs-AdmPwd attribute. Find-LAPSDelegatedGroups.
Passwords of the local administrators in the AD are stored in cleartext in LAPS. The ms-Mcs-AdmPwd attribute of the Computer Object stores these passwords.
Where are the laps passwords stored in AD? ›Open this policy in the Domain Policy Management Console (gpmc. msc) and go to the following GPO section: Computer Configuration -> Administrative Templates -> LAPS. LAPS graphic interface (GUI) to view LAPS passwords must be installed on the administrator computers.
What is the most important goal of a system administrator? ›The primary responsibility of a sysadmin is to support reliable and effective use of complex IT systems by end users, whether internal employees or external customers. Activities range from managing identities and access to providing dedicated technical support to individual users.
Are domain admins automatically local admins? ›
Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains.
Should I rename local administrator account? ›Because the administrator account exists on all Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), renaming the account makes it slightly more difficult for attackers to guess this user name and password combination.
How do I give local admin rights to a domain controller? ›From the start menu go to Windows Administrative Tools > Active Directory Users and Computers. To grant Admin permissions to non-admin users: Navigate to Users, select Domain Users, right click and select Add to a group… In the Select Groups popup, in the Enter the object names to select text box, enter Domain Admins.
How many accounts can laps manage? ›LAPS can only store one password in the attribute. If you have multiple local admin accounts enabled on the computer, you are encouraged to to disable all but one and have that one use LAPS.
How often does the password change in laps? ›The passwords will by default be randomized every thirty days and can be changed on demand by your service desk. Use this guide to step up your security using LAPS and get those passwords under control!
What is the recommendation for laps password length? ›admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS). Default Value: 14 characters.
Why should I disable local administrator account? ›Bypass security settings, run exploit code
The all-powerful local admin access allows hackers to bypass critical security settings, delete system logs, impersonate other logged-on accounts, run exploit code or tools, and eventually gain access to sensitive data.
Becoming a system architect is a natural next step for system administrators. System architects are responsible for: Planning the architecture of an organization's IT systems based on company needs, cost and growth plans.
What does the system administrator has restricted the types of logon local account? ›In short, the error “the system administrator has restricted the type of logon” occurs when the RDP connections require Network Level Authentication (NLA). It happens when the user is not a member of the Remote Desktop Users group.
What is the full form of laps? ›Local Administrator Password Solution (LAPS)
What does it mean to run laps? ›
a complete trip around a race track that is repeated several times during a competition: He recorded the fastest lap in last weekend's Hungarian Grand Prix.
What is running laps? ›One lap around the track is 400 meters, or approximately . 25 mile. This workout will total approximately 3-4 miles. As you progress, add another hard lap around the track every few weeks. More experienced runners can do 12 repeats of 400 meters (one lap).
Why do I always have to Run as administrator? ›The purpose of an administrator role is to allow changes to certain aspects of your operating system that might otherwise become damaged by accident (or through malicious action) by a normal user account. If you own your own PC and it isn't managed by your workplace, you're probably using an administrator account.
What command will prevent all unencrypted passwords? ›What command will prevent all unencrypted passwords from displaying in plain text in a configuration file? To prevent all configured passwords from appearing in plain text in configuration files, an administrator can execute the service password-encryption command.
What is safe password storage encryption? ›Encryption scrambles your password so it's unreadable and/or unusable by hackers. That simple step protects your password while it's sitting in a server, and it offers more protection as your password zooms across the internet.
What is local admin password solution? ›The “Local Administrator Password Solution” (LAPS) provides management of local account passwords of domain joined computers. Passwords are stored in Active Directory (AD) and protected by ACL, so only eligible users can read it or request its reset.
How to get local administrator with permissions to log on as a service? ›Sign in with administrator privileges to the computer from which you want to provide Log on as Service permission to accounts. Go to Administrative Tools, select Local Security Policy. Expand Local Policy, select User Rights Assignment. In the right pane, right-click Log on as a service and select Properties.
What is local admin credentials? ›The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-domain-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.
How to change administrator password without admin rights? ›- Open the Windows Start menu. ...
- Then select Settings. ...
- Then click on Accounts.
- Next, click on Your info. ...
- Click on Manage my Microsoft Account. ...
- Then click More actions. ...
- Next, click Edit profile from the drop-down menu.
- Then click change your password.
Event ID 10033, LAPS – The machine is configured with legacy LAPS policy settings, but legacy LAPS product appears to be installed. The configured account's password will not be managed by Windows until the legacy product is uninstalled. Alternatively, you may consider configuring the newer LAPS policy settings.
How do I remove administrator password without knowing it? ›
When Windows 10 boots to login screen, click the ease of access icon to run Command Prompt without login. 5. Type the command "net user username /delete" and press Enter to delete administrator account without password login or admin rights.
Why only 65536 ports? ›65,536 is a very common number in computing, because it's 2 to the power of 16 (2^16). 2^8 is 256, and 65,536 is the square of 256. In other words, a 16 bit binary number can represent 65,536 different integers. So that's probably where your 65,535 range comes from.
What runs on port 4000? ›The topology server default uses the following IP socket ports: Port 4000 for NetView management console communications. Port 4020 for NetView communications for the topology server. Port 4021 for NetView communications for the TBSM server.
What ports do I need to forward for IPSec? ›...
How to set up VPN server with port forwarding?
| VPN server | Port |
|---|---|
| PPTP | TCP 1723, Other 47 |
| OpenVPN | UDP 1194 |
| IPSec | UDP 500, UDP 4500 |
- In the bottom-left corner of the sign-in screen, click on Other User.
- Enter “. \Administrator” as the username, enter your local admin password, and press Enter.
Background. Local Administrator Password Solution (LAPS) is a Microsoft product that manages the local administrator password and stores it in Active Directory (AD). This solution automatically updates the password on a routine basis.
What is the default password for Qsys administrator? ›FAQ: What is the default password on a Q-SYS Core? Q-SYS Cores by default are not assigned an access password.