
Utilize the API and GUI to see if MDM LAPS is enabled for a Jamf Pro instance

Updated over 2 months ago

Description

This article will show you how to check if MDM LAPS has been enabled on a Jamf Pro instance utilizing the Jamf Pro API and GUI.

Checking if MDM LAPS is Enabled on Jamf Pro version 11.4 or earlier

  1. Go to https://NAME.jamfcloud.com/api in a web browser.

  2. Click on Jamf Pro API.

  3. Towards the top of the page, enter a Username and Password (with the necessary privileges) to authorize and generate tokens.

  4. Scroll down to the endpoint named local-admin-password and click on it to expand it.

  5. Click GET /v2/local-admin-password/settings to expand it.

  6. Click Try it out.

  7. Click Execute.

  8. In the response body, if autoDeployEnabled is set to true, MDM LAPS is enabled.
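
The same check as steps 1 to 8, scripted against the API. This is an added example, not code from Jamf or from the original article. It assumes the token endpoint path /api/v1/auth/token, the environment variable names JAMF_URL and JAMF_USER, and a constructed sample response body.

```python
import base64
import getpass
import json
import os
import urllib.request


def api_call(url, headers, method="GET"):
    """Send one request and return the decoded JSON body."""
    data = b"" if method == "POST" else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(base_url, username, password):
    """Step 3: trade the username and password for a bearer token."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}", "Accept": "application/json"}
    # Assumption: token endpoint path, which is not named in the article.
    return api_call(f"{base_url}/api/v1/auth/token", headers, "POST")["token"]


def get_laps_settings(base_url, token):
    """Steps 4-7: GET /v2/local-admin-password/settings."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    return api_call(f"{base_url}/api/v2/local-admin-password/settings", headers)


def mdm_laps_enabled(settings):
    """Step 8: MDM LAPS is enabled only when autoDeployEnabled is true."""
    value = settings.get("autoDeployEnabled")
    if not isinstance(value, bool):
        # A missing or non-boolean field is an error, not "disabled".
        raise ValueError("autoDeployEnabled missing or not a boolean")
    return value


# Constructed sample response body, trimmed to the field the article checks.
SAMPLE_BODY = '{"autoDeployEnabled": true}'

if __name__ == "__main__":
    print("sample:", mdm_laps_enabled(json.loads(SAMPLE_BODY)))
    base = os.environ.get("JAMF_URL")  # e.g. https://NAME.jamfcloud.com
    if base:  # live check only when an instance URL is supplied
        user = os.environ["JAMF_USER"]
        token = get_token(base, user, getpass.getpass(f"Password for {user}: "))
        print("live:", mdm_laps_enabled(get_laps_settings(base, token)))
```

The password is read with getpass so it does not land in shell history or the process list.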

Checking if MDM LAPS is Enabled on Jamf Pro version 11.5 or later

This information can now be verified in Settings > Computer management > Security. The settings available on this page are as follows:

  • Enable LAPS for PreStage accounts

    • When you select the checkbox, LAPS password management is enabled for managed local administrator accounts created via PreStage enrollment (MDM LAPS).

      • This applies to an MDM-created managed local administrator account on both newly enrolled computers and previously enrolled computers.

    • The password for the account will be randomized the next time the computer submits inventory to Jamf Pro.

    • When the managed local administrator account password is randomized and managed by LAPS, the global settings for password rotation will apply to the account. The account will remain managed by LAPS, even when the checkbox is deselected.

    • When you deselect the checkbox, managed local administrator accounts created via PreStage enrollment on newly enrolled computers will not have their passwords randomized and managed by LAPS.

  • Rotation interval

    • Choose how often to automatically rotate passwords for managed local administrator accounts. The default value is "Never". This is equivalent to setting autoDeployEnabled to false in the Jamf Pro API.

  • Rotation after viewing interval

    • Choose how often to automatically rotate passwords for managed local administrator accounts after they are viewed.

Jamf does not recommend using MDM LAPS for password rotation if the account needs to use FileVault or authorize software updates on computers with Apple silicon.

Rotating a managed local administrator account password from the PreStage enrollment that has become cryptographically enabled with a secure token will result in the login password being changed. However, the new password will not work for cryptographic user authentication purposes.
