lithnet/access-manager

[HELP] MacOS LAPS Administration

Closed this issue · 2 comments

Unable to determine user of the MacOS LAPS password

We are testing LAPS using AMS on MacOS. Here is the scenario

  • MacOS is managed using MDM and Apple Business Manager.
  • The system has 2 users configured:
      1. User BOB. Password is set by user.
      2. Admin User PHIL. Password is set by user.
  • Successfully set up a registration key
  • Deployed the AMS agent on a Mac and registered it with the AMS server. The device shows in Access Manager Directory Devices list as approved.
  • Authorization rule was configured to grant a user access to LAPS password.
  • User requests the LAPS password via the AMS web interface and is successful.

What is the username associated with this LAPS password? Do we need to create an admin user called "Administrator" via MDM?

Hi @gbica-hzo,

In the current version of the AMS agent, the agent will set the password of the root account on macOS.

This account is disabled by default. However, in v2, you can change this account by modifying the local agent configuration file by following this guide.


It is worth noting that, currently, the AMS agent does not support setting the password for accounts with Secure Tokens (i.e. FileVault enabled accounts). This is for a few reasons:

  • When the password is changed on these accounts, the current password is required to re-encrypt the FileVault key for that user.
  • AMS does not currently provide a mechanism for a machine to retrieve its own LAPS password for security reasons.

For these two reasons, the machine is unable to retrieve the existing password to change the password for FileVault-enabled accounts. However, accounts without FileVault can be changed.

There are a few things in the pipeline on this one:

  • In Access Manager v3 - which is currently nearing the end of development - we have changed the policy mechanism to allow for more granular device policy from AMS itself - including the ability to remotely specify the target account. This should make things easier to configure.
  • Also in v3 is the ability to have the agent automatically create a local account if it doesn’t already exist.
  • Also on our roadmap - in the longer term - dealing with the “problem” of accounts with secure tokens enabled.

Unfortunately today, while you can specify custom accounts, you can only do so for accounts that don’t have FileVault keys associated.

Hopefully AMS v3 will help with some quality-of-life improvements around managing custom accounts for macOS. I’ll make sure to keep you up to date with the updates around AMSv3, and any improvements we make to secure token account management.

Let me know if you have any questions or concerns.

Thanks!
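The secure-token caveat described in the reply above can be turned into a pre-flight check. The following is an added example, not code from the Lithnet Access Manager agent: it classifies the output of `sysadminctl -secureTokenStatus` and only rotates a local account's password with `dscl` when the account holds no secure token, since a secure-token (FileVault) account cannot be changed without its current password. The helper names, the exit codes and the sample `sysadminctl` output lines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Lithnet's agent code). Assumes the macOS tools
# sysadminctl(8) and dscl(1); helper names and exit codes are invented here.

# Classify sysadminctl -secureTokenStatus output read from stdin.
# Prints "enabled", "disabled" or "unknown"; returns 1 when unrecognised.
parse_secure_token_status() {
    out=$(cat)
    case "$out" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown; return 1 ;;
    esac
}

# $1 = local account name. sysadminctl reports on stderr, hence 2>&1.
secure_token_status() {
    sysadminctl -secureTokenStatus "$1" 2>&1 | parse_secure_token_status
}

# $1 = account name, $2 = new password handed to the agent (e.g. from a LAPS store).
# Refuses to touch accounts with a secure token, because changing their
# password needs the current password to re-wrap the FileVault key.
rotate_local_password() {
    status=$(secure_token_status "$1") || return 2
    if [ "$status" = enabled ]; then
        echo "refusing: account '$1' holds a secure token; current password required" >&2
        return 3
    fi
    # Account has no secure token: the new password can be set directly.
    dscl . -passwd "/Users/$1" "$2"
}

# Usage (run as root on macOS):
#   rotate_local_password phil "$NEW_PASSWORD"
```

For an account that already has a secure token, the password must instead be changed with the current password supplied, which is exactly the information the agent cannot obtain today because a machine cannot read back its own LAPS password.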

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.