Service: Multi-Platform LAPS

An MSP decided to modernize their local admin security practice by implementing LAPS (Local Admin Password Service) for both macOS and Windows, across multiple MDM and RMM platforms.

LAPS password rotation is the practice of generating and applying a new random password to the computer's local admin account on a scheduled cadence. Each computer gets its own unique local admin password, which is valid only until the next scheduled rotation.

The MSP needed to replace its previous workflow of shared, per-customer local admin passwords that had to be changed manually and often, which caused operational and technical issues across the supported fleet.

Additional internal company knowledge base articles were written for the help desk team, documenting the support password retrieval procedures for each platform.

For Windows, we opted to use a single PowerShell script that downloads a dictionary wordlist file, generates a new password, and applies it to the Windows local admin account. The script additionally writes the generated password to a NinjaOne Custom Field that was created in the NinjaOne console.
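The Windows workflow described above, as an added example that is not the MSP's actual script: it fetches a wordlist, builds a passphrase from the OS CSPRNG, sets it on the local admin account and writes it to the custom field. The wordlist URL, account name and field name are placeholders, and Ninja-Property-Set is assumed to be the NinjaOne script-runtime cmdlet for writing custom fields.

```powershell
# Added example, not the MSP's own script. Placeholders: wordlist URL, account name, custom field name.
$WordlistUrl  = 'https://example.invalid/wordlist.txt'  # placeholder
$AdminAccount = 'ladmin'                               # placeholder
$CustomField  = 'lapsPassword'                         # placeholder; restrict who can read it in NinjaOne
$WordCount    = 4

function Get-CryptoRandomIndex {
    param([int]$Max)
    # Unbiased index in [0, $Max) from the OS CSPRNG, using rejection sampling
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 4
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % [uint32]$Max)
    do {
        $rng.GetBytes($buf)
        $value = [BitConverter]::ToUInt32($buf, 0)
    } while ($value -ge $limit)
    return [int]($value % [uint32]$Max)
}

function New-Passphrase {
    param([string[]]$Words, [int]$Count)
    $parts = for ($i = 0; $i -lt $Count; $i++) {
        $w = $Words[(Get-CryptoRandomIndex -Max $Words.Count)]
        # Capitalize each word so the result also meets typical complexity rules
        $w.Substring(0, 1).ToUpper() + $w.Substring(1)
    }
    # Join with hyphens and append two digits, e.g. Word-Word-Word-Word-07
    return ($parts -join '-') + (Get-CryptoRandomIndex -Max 100).ToString('00')
}

# 1. Fetch the wordlist; keep only plain lowercase words of a sensible length
$words = (Invoke-WebRequest -Uri $WordlistUrl -UseBasicParsing).Content -split "`r?`n" |
    Where-Object { $_ -match '^[a-z]{4,9}$' }
if ($words.Count -lt 1000) { throw "Wordlist download failed or too small ($($words.Count) words)" }

# 2. Generate the new password
$plain  = New-Passphrase -Words $words -Count $WordCount
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# 3. Apply it to the local admin account, creating the account if it is missing
if (Get-LocalUser -Name $AdminAccount -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $AdminAccount -Password $secure
} else {
    New-LocalUser -Name $AdminAccount -Password $secure -PasswordNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $AdminAccount
}

# 4. Record it in the NinjaOne custom field (Ninja-Property-Set: NinjaOne script-runtime cmdlet, assumed)
Ninja-Property-Set $CustomField $plain
```

The script refuses to run against a failed or tiny download so that a network error cannot produce a low-entropy password, and the custom field should be scoped so only help desk roles that need retrieval can read it.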

For macOS, the macOSLAPS project was utilized and engineered for deployment in the Addigy, Mosyle, JumpCloud, and Jamf Pro MDMs, giving the MSP a consistent and secure support workflow.

Each MDM has its own capabilities, quirks, and differing features that require re-engineering the macOSLAPS deployment for each system.

Windows: NinjaOne RMM

Retrieving the current LAPS password in NinjaOne:


macOS: Addigy MDM

Retrieving the current LAPS password in Addigy MDM:

macOS: Mosyle MDM

Retrieving the current LAPS password in Mosyle MDM:

macOS: Jamf Pro MDM

Retrieving the current LAPS password in Jamf Pro MDM:

macOS: JumpCloud MDM

Retrieving the current LAPS password in JumpCloud MDM:

"Life changes, and so should your passwords"

Description

  • Focus Technologies, NYC

  • 2/12/2025

Multi-platform scheduled local admin password rotation