Description
This article will show you how to check if MDM LAPS has been enabled on a Jamf Pro instance utilizing the Jamf Pro API and GUI.
Checking if MDM LAPS is Enabled on Jamf Pro version 11.4 or earlier
Go to https://NAME.jamfcloud.com/api in a web browser.
Click on Jamf Pro API.
Towards the top of the page enter a Username and Password (with the necessary privileges) to authorize and generate tokens.
Scroll down to the endpoint named local-admin-password and click on it to expand it.
Click on the GET /v2/local-admin-password/settings to expand it.
Click Try it out.
Click Execute.
In the response body, if autoDeployEnabled is set to true, then MDM LAPS is enabled.
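The same check can be scripted instead of clicked through on the API page. The Python below is an added example, not code from this article or from Jamf. It assumes the standard Jamf Pro API token endpoints (/api/v1/auth/token and /api/v1/auth/invalidate-token); the function names and the JAMF_URL, JAMF_USER and JAMF_PASS environment variables are hypothetical.

```python
import base64
import json
import os
import urllib.request


def laps_state(response_body):
    """Classify the body returned by GET /v2/local-admin-password/settings."""
    try:
        settings = json.loads(response_body)
    except json.JSONDecodeError:
        return "unknown"  # e.g. an HTML login page instead of JSON
    value = settings.get("autoDeployEnabled") if isinstance(settings, dict) else None
    # Accept only a JSON boolean: a missing key or the string "true" proves nothing.
    if value is True:
        return "enabled"
    if value is False:
        return "disabled"
    return "unknown"


def _call(url, method, auth_header):
    """Send one authenticated request and return the response body as text."""
    req = urllib.request.Request(url, method=method, headers={
        "Authorization": auth_header, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


def check_instance(base_url, username, password):
    """Get a token, read the LAPS settings, then invalidate the token."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    token = json.loads(_call(f"{base_url}/api/v1/auth/token", "POST",
                             f"Basic {basic}"))["token"]
    try:
        body = _call(f"{base_url}/api/v2/local-admin-password/settings",
                     "GET", f"Bearer {token}")
    finally:
        # Do not leave a live bearer token behind after a one-off check.
        _call(f"{base_url}/api/v1/auth/invalidate-token", "POST", f"Bearer {token}")
    return laps_state(body)


if __name__ == "__main__":
    # JAMF_URL, JAMF_USER and JAMF_PASS are assumed environment variable names.
    print(check_instance(os.environ["JAMF_URL"].rstrip("/"),
                         os.environ["JAMF_USER"], os.environ["JAMF_PASS"]))
```

A result of "unknown" means the response did not contain a boolean autoDeployEnabled value and should be checked by hand rather than treated as disabled.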
Checking if MDM LAPS is Enabled on Jamf Pro version 11.5 or later
This information can now be verified in Settings > Computer management > Security. The settings available on this page are as follows:
Enable LAPS for PreStage accounts
When you select the checkbox, LAPS password management is enabled for managed local administrator accounts created via PreStage enrollment (MDM LAPS).
This applies to an MDM-created managed local administrator account on both newly enrolled computers and previously enrolled computers.
The password for the account will be randomized the next time the computer submits inventory to Jamf Pro.
When the managed local administrator account password is randomized and managed by LAPS, the global settings for password rotation will apply to the account. The account will remain managed by LAPS, even when the checkbox is deselected.
When you deselect the checkbox, managed local administrator accounts created via PreStage enrollment on newly enrolled computers will not have their passwords randomized and managed by LAPS.
Rotation interval
Choose how often to automatically rotate passwords for managed local administrator accounts. The default value is "Never". This is equivalent to setting autoDeployEnabled to false in the Jamf Pro API.
Rotation after viewing interval
Choose how often to automatically rotate passwords for managed local administrator accounts after they are viewed.
Jamf does not recommend using MDM LAPS for password rotation if the account needs to use FileVault or authorize software updates on computers with Apple silicon.
Rotating a managed local administrator account password from the PreStage enrollment that has become cryptographically enabled with a secure token will result in the login password being changed. However, the new password will not work for cryptographic user authentication purposes.