SureMDM LAPS (Local Administrator Password Solution)
SureMDM Local Administrator Password Solution (LAPS) is a feature that enhances security by automating the management of local administrator passwords on macOS devices. SureMDM LAPS ensures that each device has a unique, automatically rotating administrator password, reducing the risk of unauthorized access.
Steps to Create a SureMDM LAPS Job
To create a LAPS job and deploy it to the enrolled device(s) or group(s) remotely, follow these steps:
Navigate to SureMDM Web Console > Jobs > New Job > macOS > SureMDM LAPS.
Enter the Job Name.
Configure the following settings and click Save.
SureMDM LAPS Configuration Options
Option | Description |
---|---|
Enable SureMDM LAPS | Enable this option to configure LAPS. To disable the LAPS configuration on devices, disable this option and deploy the job to the device(s). |
Username | Enter the username (without spaces) and password. Use the + button to add multiple usernames if needed. |
Create Above Accounts If Not Present on Device | Select this option to automatically create the listed accounts if they are not already present on the device. |
Password Rotation Frequency | Select the frequency for automatic password rotation in days. Choose Set Frequency to specify a value (1 to 365 days), or select Never to disable or stop automatic rotation of passwords. |
Rotate Password Upon Use | Select this option to automatically rotate the password after each use. Note: This setting triggers password rotation in the event of a successful login to the device with the current password. |
Password Complexity and Length | Select the desired complexity level and length for the generated password. Complexity levels: Simple (numbers and letters); Medium (upper and lower case, numbers); Complex (upper and lower case, numbers, special characters). Length: ranges from 8 to 64 in increments of 4. |
Rotate password only when device is online | When enabled, the password is rotated only when the device is connected to SureMDM. If disabled, the password is rotated even when the device is offline, and the updated password will be displayed on the console the next time the device is back online. |
- This feature is supported on macOS devices with SureMDM Agent version ≥ 6.7.0.
- When using the Password Policy payload in profiles, ensure that the password length set in LAPS aligns with the one configured in the Password Policy. A shorter password length in the LAPS job than in the Password Policy may lead to password rotation failures.
- Currently, SureMDM LAPS is unsupported on accounts added via the Apple MDM API (e.g., accounts added during ADE/DEP enrollments), and such accounts will be ignored if present in the above configuration.
- Once a user account is removed from the SureMDM LAPS job, its password rotation will no longer be managed by SureMDM LAPS. Use the User Account Management > Change Account Password job to reset the password for such accounts. To view the last known password for these accounts, refer to the SureMDM LAPS Report.
Click Save.
The newly created job will be listed in the Jobs List section.
Go back to the Home tab and select the macOS device(s) or group(s).
Click Apply to launch the Apply Job/Profile To Device prompt.
In the Apply Job/Profile To Device prompt, select the job and click Apply.
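A pre-deployment check of planned job settings against the limits in the options table and the Password Policy length note, including the smallest valid LAPS length for a given policy minimum. This is an added example, not SureMDM code; the dictionary keys and function names are hypothetical and do not reflect SureMDM's job schema.

```python
# Added example: field names below are hypothetical, not SureMDM's job schema.
VALID_LENGTHS = range(8, 65, 4)          # 8, 12, ..., 64 (per the options table)
COMPLEXITY_LEVELS = {"Simple", "Medium", "Complex"}


def smallest_valid_length(policy_min_length):
    """Smallest LAPS length that satisfies the Password Policy minimum, or None."""
    return next((n for n in VALID_LENGTHS if n >= policy_min_length), None)


def check_laps_job(job, policy_min_length=0):
    """Return a list of problems found in a planned LAPS job (empty list = OK)."""
    problems = []
    for name in job.get("usernames", []):
        if not name or any(ch.isspace() for ch in name):
            problems.append(f"username {name!r} is empty or contains spaces")
    freq = job.get("rotation_days")      # int 1..365, or None for "Never"
    if freq is not None and not (isinstance(freq, int) and 1 <= freq <= 365):
        problems.append(f"rotation frequency {freq!r} is outside 1 to 365 days")
    if freq is None and not job.get("rotate_on_use"):
        problems.append("no rotation trigger is enabled (frequency Never, "
                        "Rotate Password Upon Use off)")
    if job.get("complexity") not in COMPLEXITY_LEVELS:
        problems.append(f"unknown complexity level {job.get('complexity')!r}")
    length = job.get("length")
    if length not in VALID_LENGTHS:
        problems.append(f"length {length!r} is not 8 to 64 in increments of 4")
    elif length < policy_min_length:
        fix = smallest_valid_length(policy_min_length)
        hint = f"use {fix} or more" if fix else "no LAPS length can satisfy it"
        problems.append(f"length {length} is shorter than the Password Policy "
                        f"minimum {policy_min_length}: {hint}")
    return problems


# Constructed sample job and policy minimum, for illustration only.
SAMPLE_JOB = {"usernames": ["lapsadmin", "it support"], "rotation_days": 30,
              "rotate_on_use": True, "complexity": "Complex", "length": 12}

if __name__ == "__main__":
    for p in check_laps_job(SAMPLE_JOB, policy_min_length=14):
        print("-", p)
```

Because lengths move in steps of 4, a Password Policy minimum such as 14 requires a LAPS length of 16, not 14.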