Jamf LAPS - Wanting to test, is there a way to only scope to one computer?

lindseyguck
New Contributor

I work for a university; they are requiring that we have rotating admin passwords throughout all devices, both Mac and Windows. We know that Jamf offers LAPS, but it looks like from that setting that it must be scoped to all computers, and we want to simply test it on a few to make sure it works the way we want before deploying to the entire university. Is this possible?

I have also read that FileVault will be affected once this is turned on, and it is a requirement that it stays enabled. Is this accurate, and if so, how do I ensure that both LAPS and FV stay intact and working the way they should?

Thanks!


sdagley
Esteemed Contributor III

@lindseyguck That's something you'd want to try in a test environment for sure, but I think a test Jamf Cloud instance is only included with Jamf Premium Cloud (and above). If you're on the standard Jamf Cloud service you could try signing up for access to the Jamf Pro betas and use that as a test environment.

It's not that FileVault has to be turned off to use LAPS, but you can't rely on the LAPS account having a Secure Token, which is required to unlock the Mac.

Shyamsundar
Valued Contributor

I would advise not turning on FileVault for the account enabled with LAPS. Jamf LAPS can be enabled only during enrollment.

howie_isaacks
Valued Contributor III

I was told by someone at Jamf that enabling FileVault for a LAPS account can cause issues with password rotation. If someone uses a LAPS account at the login window and logs in as that account, the account will get authorized for FileVault as long as the volume has first been unlocked by a FileVault-enabled user. I have asked my support people not to log in as a LAPS account and instead use su (substitute user) in Terminal to run commands as the LAPS account, and they can replace the user's username with the LAPS account username in authentication prompts to perform actions that require an admin account. I think for best security, no one should be able to unlock a FileVault-encrypted Mac except the assigned user. We have FileVault recovery keys stored in Jamf Pro to use if we need to access a Mac and we don't have the user's login password.

We have virtually the same process as Howie.

A_Collins
Contributor II

Well, unfortunately you cannot scope LAPS. The best way to test is to enable it with the auto-deployment and auto-rotate options off:

{
  "autoDeployEnabled": false,
  "passwordRotationTime": 7200,
  "autoRotateEnabled": false,
  "autoRotateExpirationTime": 7776000
}

or on a Sandbox (you should have one; if not, ask Jamf).

howie_isaacks
Valued Contributor III

This isn't like a policy that could alter a Mac in a way that could be harmful. It's just the account that gets created on a Mac after it is enrolled. Jamf Pro has been installing a "management" account for a very long time. The only thing that has changed in recent years is that this account is now a LAPS account. Before my company started using it, the account was on all Macs already. The only testing we did was to ensure that the password rotations were working as they should. We also tested which password rotation options would work best for us. I'm all for being cautious with something new, but you will be fine just deploying the account when Macs enroll.