Type: Integration, Configuration
Platform: Jamf Pro, Jamf School
OS: macOS

EasyLAPS

by Agnosys

Local Administrator Password Solution for Mac

EasyLAPS is a tool designed to regularly rotate the local administrator account password of a Mac and store it in a Mobile Device Management (MDM) solution. The main purpose of EasyLAPS is to have unique passwords on a Mac fleet which are centralized in the MDM console.

EasyLAPS offers two operating logics and is designed to handle a switch between the two transparently.

Logic #1 — The password is stored in encrypted form in the MDM and in the EasyLAPS Keychain. EasyLAPS uses the locally stored password as the current password to manage the rotation to the newly generated one, which is then written to the MDM. The public key used for the encryption is part of the EasyLAPS configuration file. The private key is not present on the device and must be kept under restricted access. This logic fits best when a large number of technicians have access to the MDM console and only those who own a copy of the EasyLAPS-Toolkit with the private key can reveal a rotated password.

Logic #2 — The password is stored in clear text in the MDM and is not stored locally unless a password reversion fails. EasyLAPS reads the password stored in the MDM and uses it as the current password to manage the rotation to the newly generated one, which is then written to the MDM. This logic fits best when a restricted number of technicians have access to the MDM console and are therefore able to reveal a rotated password.

After the first successful rotation, the new password is visible in the device inventory record: in Jamf Pro, in an extension attribute named "EasyLAPS"; in Jamf School, in the field named "Notes".

EasyLAPS performs a true rotation of the local administrator password, so the account keeps its cryptographic status. This means that once the password is changed, the account is still a Crypto user and Volume owner, able to unlock the device, install macOS updates, make changes to the startup security policy, initiate an Erase All Content and Settings, and more.

EasyLAPS configuration file

Jamf Pro — Example of a password stored in clear text form

Jamf School — Example of a password stored in clear text form