Intune Stuff | The Community place for Microsoft Intune, Intune Suite, Autopilot, macOS Management, Copilot for Security.

How to setup macOS LAPS (Local Administrator Password Solution) with Intune

by | Jul 28, 2025 | Apple, Blog, Device Management, Intune, Intune Portal, LAPS, MacOS, MDM, Microsoft, Most Popular, Top Stories | 10 comments

Hi Community,

The first half of the summer holidays is almost history. I decided to write a blog about one of the most anticipated feature releases for macOS: macOS LAPS is finally here.

Let me state my personal opinion up front: is it what I wanted? Does it meet my expectations? The short answer to that is—not quite.

You can use a macOS Automated Device Enrollment (ADE) profile to set up new macOS devices with both admin and standard user accounts, along with Microsoft’s Local Admin Password Solution (LAPS). The macOS LAPS account settings are optional and can be added to both new and existing ADE profiles—whether or not you’re using user affinity. Just keep in mind: these account settings only apply to new device enrollments.

With macOS local account setup using LAPS, the device gets a local admin account with a strong, encrypted, and randomized password. Intune takes care of storing and encrypting that password securely.

The admin password generated by Intune is 15 characters long and includes a mix of uppercase and lowercase letters, numbers, and special symbols.

Do also check out the official Microsoft docs on macOS LAPS.

Prerequisites for macOS LAPS

Device requirements for macOS local account configuration with macOS LAPS:

  • macOS 12 or later
  • Devices must be synced to Intune via Apple Business Manager or Apple School Manager
  • Devices must be enrolled in Intune using a macOS Automated Device Enrollment (ADE) profile

Since macOS local account setup with macOS LAPS only kicks in during Automated Device Enrollment (ADE), any device that was already enrolled before won’t get LAPS support right away. To enable it, the device needs to be re-enrolled using an ADE profile that has LAPS turned on.
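Because LAPS only arrives with a fresh ADE enrollment, the first practical question is which Macs in the tenant even meet the device prerequisites and which will need to go through re-enrollment. The script below is an added example (not code from this post or from Microsoft) that pulls every macOS device from Intune through Microsoft Graph and checks each one against the two device-side prerequisites: macOS 12 or later and an ADE enrollment. It assumes the Microsoft.Graph PowerShell SDK, a role that can read managed devices, and that Intune reports ADE enrollments with the deviceEnrollmentType values appleBulkWithUser and appleBulkWithoutUser (the Graph enum values for Apple bulk enrollment with and without user affinity). It cannot tell whether LAPS is actually active on a device; that is only visible on the device's Password and keys blade in the portal.

```powershell
# Added example, not code from the original post: inventory macOS devices in Intune
# against the macOS LAPS device prerequisites (macOS 12 or later, ADE enrollment).
# Assumes the Microsoft.Graph PowerShell SDK and a role allowed to read managed devices.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome

# deviceEnrollmentType values Intune uses for Automated Device Enrollment
# (assumption based on the Graph enum: Apple bulk enrollment with/without user affinity).
$adeEnrollmentTypes = @('appleBulkWithUser', 'appleBulkWithoutUser')
$minimumOs          = [version]'12.0'

function ConvertTo-MacOSVersion {
    # Intune reports osVersion as e.g. "14.5 (23F79)"; keep only the numeric part
    # and make sure [version] gets at least "major.minor".
    param([string] $OsVersion)
    if ([string]::IsNullOrWhiteSpace($OsVersion)) { return [version]'0.0' }
    $core = ($OsVersion -split '[ (]')[0]
    if ($core -notmatch '\.') { $core = "$core.0" }
    [version]$core
}

# Page through all macOS devices; Graph returns the list in pages via @odata.nextLink.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices' +
       "?`$filter=operatingSystem eq 'macOS'" +
       "&`$select=id,deviceName,osVersion,deviceEnrollmentType,enrolledDateTime"
$devices = @()
do {
    $page     = Invoke-MgGraphRequest -Method GET -Uri $uri
    $devices += $page.value
    $uri      = $page.'@odata.nextLink'
} while ($uri)

$report = foreach ($d in $devices) {
    $osOk  = (ConvertTo-MacOSVersion $d.osVersion) -ge $minimumOs
    $isAde = $adeEnrollmentTypes -contains $d.deviceEnrollmentType

    if (-not $osOk)      { $action = 'Upgrade macOS first' }
    elseif (-not $isAde) { $action = 'Re-enroll with an ADE profile that has LAPS enabled' }
    else                 { $action = 'Re-enroll if it was enrolled before LAPS was turned on in its profile' }

    [pscustomobject]@{
        DeviceName     = $d.deviceName
        OSVersion      = $d.osVersion
        EnrollmentType = $d.deviceEnrollmentType
        EnrolledAt     = $d.enrolledDateTime
        MeetsPrereqs   = $osOk -and $isAde
        Action         = $action
    }
}

$report | Sort-Object MeetsPrereqs, DeviceName | Format-Table -AutoSize
```

The EnrolledAt column is the useful one for planning: any ADE-enrolled Mac whose enrollment date predates the moment you turned LAPS on in its enrollment profile still has to be wiped and re-enrolled, exactly as the paragraph above describes.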

I would also like already enrolled devices to be able to use macOS LAPS; I'm guessing a lot of customers will complain about this.

macOS LAPS Intune settings

To create or edit an Apple enrollment profile, go to the Intune portal – Devices – macOS – Enrollment – Enrollment program tokens – Profiles. I will create a new profile, so click Create profile – macOS.

Give your profile a name, e.g. macOS with LAPS, and click Next.

On the Management settings tab, I use the following options:

  • User affinity – Enroll with User Affinity
  • Authentication Method – Setup Assistant with modern authentication
  • Await Final configuration – Yes
  • Locked Enrollment – Yes

Click Next to proceed to the next step.

On the Setup Assistant tab, choose which setup screens you want to show during enrollment and click Next.

Now for the Account settings tab: this is where we configure macOS LAPS. There is an option to create an admin account and a user account. In my lab, I create both an admin and a user account during Setup Assistant.

Now let's go over the settings for the user account. The process is basically the same as for the admin account, except that we create a standard account. If you want to manage (pre-populate) the account name and full name, set Prefill account info to Yes.

The Restrict editing toggle at the bottom prevents the end user from editing the account name and full name; this is a separate setting from Prefill account info.

Now click Next, review the settings, and create your profile by clicking Create.

After the profile is created, we need to assign a device to it before we can test it. Click on your new profile and, under Manage, click Assign devices, then Add devices.

Choose your device from the list of synced devices from Apple Business Manager and click Add.

Now click save.

If your device was previously assigned to another enrollment profile it will automatically be unassigned from that profile and assigned to the new one.

Enrollment Experience

I have made a video that showcases the complete enrollment process. I am also using Platform SSO (PSSO) with the Secure Enclave method and FileVault encryption during Setup Assistant in this setup. If you want to know more on these topics, check out my other guide on how to set this up.

Now go to the Intune portal – Devices – macOS – select your device – Password and keys. Here you can see the LAPS password together with the FileVault key, and you can rotate both the FileVault key and the password from here. Note that viewing and rotating the password are governed by Intune role-based access control, so check that the role of the admin doing the test actually includes the macOS LAPS permissions (see Roel's comment below).

Issues

I have heard from others that there were some issues, like the Intune agent eating up CPU, memory overflows, the Intune agent crashing, and the admin account needing a password change at first logon.

Check out the video here for the password change that gets triggered.

Also, a big issue is that the password rotation is not working properly. I have tried a couple of times; I sometimes get "Rotate local admin password initiated" or "Initiating rotate local admin password failed", but no rotation of the password. There are also no entries in the audit logs for rotateLocalAdminPassword ManagedDevice.

If you look at the timestamps of the audit logs and compare them with the last rotation timestamp, you can see that there has been no change at all.
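The check described in the two paragraphs above (trigger a rotation, then compare the audit log with the last rotation time) can be scripted so that it is repeatable and does not depend on refreshing portal blades. The following is an added example, not code from this post or from Microsoft: it requests a rotation for one device through Microsoft Graph and then polls the Intune audit log for the rotateLocalAdminPassword ManagedDevice event mentioned above. Assumptions: the Microsoft.Graph PowerShell SDK; an account whose Intune role includes the rotate local admin password permission on managed devices (Roel's comment below points at this); that the portal's Rotate local admin password button calls the beta action POST /deviceManagement/managedDevices/{id}/rotateLocalAdminPassword, which is the action Intune already exposes for Windows LAPS (treat its use for macOS as an assumption and confirm against the Graph beta reference); and that auditEvents accepts a filter on activityType and activityDateTime. The generated password itself is not read here; the "last rotation" time on the device's Password and keys blade is still compared by hand, as in the text.

```powershell
# Added example, not code from the original post: trigger a macOS LAPS rotation for
# one Intune device and then look for the matching audit event. Assumes the
# Microsoft.Graph PowerShell SDK and an Intune role allowed to rotate local admin
# passwords; the beta action path and the audit filter are assumptions (see lead-in).
param(
    [Parameter(Mandatory)] [string] $DeviceName,
    [int] $WaitSeconds = 120
)

Connect-MgGraph -NoWelcome -Scopes @(
    'DeviceManagementManagedDevices.Read.All',
    'DeviceManagementManagedDevices.PrivilegedOperations.All'
)
$graph = 'https://graph.microsoft.com'

# 1. Resolve the Intune device ID from the device name (macOS only).
$deviceFilter = "deviceName eq '$DeviceName' and operatingSystem eq 'macOS'"
$device = (Invoke-MgGraphRequest -Method GET `
    -Uri "$graph/v1.0/deviceManagement/managedDevices?`$filter=$deviceFilter&`$select=id,deviceName").value |
    Select-Object -First 1
if (-not $device) { throw "No macOS device named '$DeviceName' in Intune." }

# 2. Request the rotation. Intune answers 204 when the request is accepted; that
#    says nothing yet about whether the Mac actually changed the password.
$started = [DateTimeOffset]::UtcNow
Invoke-MgGraphRequest -Method POST `
    -Uri "$graph/beta/deviceManagement/managedDevices/$($device.id)/rotateLocalAdminPassword"
"Rotation requested for $DeviceName at $($started.ToString('u'))."

# 3. Poll the audit log for the event quoted in the post,
#    'rotateLocalAdminPassword ManagedDevice', written after the request and naming this device.
$since       = $started.AddMinutes(-1).ToString('yyyy-MM-dd\THH:mm:ss\Z')
$auditFilter = "activityType eq 'rotateLocalAdminPassword ManagedDevice' and activityDateTime ge $since"
$auditEvent  = $null
$deadline    = [DateTimeOffset]::UtcNow.AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 15
    $events = (Invoke-MgGraphRequest -Method GET `
        -Uri "$graph/beta/deviceManagement/auditEvents?`$filter=$auditFilter&`$top=50").value
    # auditResource.resourceId is expected to be the Intune device ID; displayName is the fallback.
    $auditEvent = $events |
        Where-Object { $_.resources | Where-Object { $_.resourceId -eq $device.id -or $_.displayName -eq $DeviceName } } |
        Select-Object -First 1
} while (-not $auditEvent -and [DateTimeOffset]::UtcNow -lt $deadline)

# 4. Report. activityResult is Intune's own verdict for the audited action.
if ($auditEvent) {
    "Audit event found: $($auditEvent.activityDateTime) result=$($auditEvent.activityResult) actor=$($auditEvent.actor.userPrincipalName)"
    "Now compare that time with the 'last rotation' shown on the device's Password and keys blade;"
    "if that has not moved, the request was logged but never applied on the Mac."
} else {
    Write-Warning "No 'rotateLocalAdminPassword ManagedDevice' audit event for $DeviceName within $WaitSeconds seconds; that is the symptom described in the post."
}
```

Run it as `.\Test-MacLapsRotation.ps1 -DeviceName 'MacBook-Lab-01'` (file and device names are placeholders). A 204 on the POST with no audit event afterwards reproduces the "initiated but nothing happens" behaviour described above; a 403 on the POST means the RBAC permission is missing rather than the feature being broken.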

Do play around with it and make sure you test everything before going live, but the people at Microsoft still have some work to do!

This concludes this blog on macOS LAPS. I would also like already enrolled devices to be able to use this, but it is what it is, unfortunately.

And as always if you feel like there is something in error or if you would like to contribute, don’t hesitate to contact me!

10 Comments

  1. Roel

    Did you configure the Role-based access controls for macOS LAPS to try to fix the password rotation not working?
    Microsoft describes that you need this to Rotate the MacOS admin password, which is not included within Intune administrator.

    Reply
    • joery

Yes I did, but it is still not functional.

      Reply
  2. Jonas

    Thank you for letting me subscribe to your blog and for being informed about this article. We’re currently facing exactly this issue. I’ll definitely enable LAPS for macOS, as we don’t want the user account to have admin rights.

    Do you happen to have a preferred approach for handling developers? Our developers now all want MacBooks – but also admin rights. We’re not particularly happy about that, even though it’s now possible to restrict this quite well and mark the device as non-compliant quickly in case of certain actions.

    Reply
    • joery

Yup, I know. Devs usually get admin rights. If you don't give them these rights they will call every single time, and with every macOS upgrade it will get worse. I know some customers give them VMs to work on as admins, but they are just plain users on their machines.

      Reply
      • Jonas

I'm running into an issue with LAPS for macOS. When I activate it just like you and enroll a new MacBook, and my account is used to log in to the MacBook, I cannot set up PSSO; it just fails. So I reverted the LAPS setting and started over with the MacBook, and without LAPS it just works. Do you have any idea why LAPS would not let the account do PSSO through Company Portal?

        Reply
        • Jonas

I found my problem:

          Microsoft itself already notes in the Intune feature docs:

          “The local administrator account password (macOS LAPS) feature is currently not compatible with Platform SSO. Use a separate method for administrative access if Platform SSO is required.”

          Reply
          • Ethan

            Hi Jonas,

            Where did you find that information from Microsoft regarding PSSO incompatibility please?

            I’m struggling to find that quote from Microsoft themselves but am using PSSO and macOS LAPS and seeing issues (LAPS password works once on the Mac then locks the account out if used again), so wondering if this could be related.

          • David

            Jonas,

            I second Ethan. Where did you find that information?

            LAPS works great until a PlatformSSO is synced on the device, even with the local admin account excluded from the policy.

  3. Anton

    I don’t know, maybe I’m an idiot. But how do you all use a LAPS account if I can’t even log in unless the previous Mac owner logs out? I can’t just switch to a different account from the lock screen. Not to mention that I have to change the LAPS password the first time I log in.

    It looks terrible.

    Reply

Trackbacks/Pingbacks

  1. 100+ Hands‑On Intune MD‑102 Labs and Tips for Endpoint Administrators (2025 Guide) - - […] Note that it requires macOS 12+, ADE enrollment via Apple Business Manager, and specific profile settings to enable local…
