Body
Overview
This article outlines how the Local Administrator Password Solution (LAPS) interacts with local administrator accounts managed via Jamf Pro. It details how to locate these account credentials inside the Jamf console, lists automated expiration parameters, and explains how to manually force a password rotation sequence early.
Audience: Service Desk, Tier 1-3 Support
Applies To: All pre-existing and new pre-stage local admin accounts managed by Jamf
How to Locate Local Admin Accounts in Jamf Pro
To view managed administrator credentials for a specific machine record, use the following workspace steps:
- Navigate to Computers in the left-hand menu sidebar of Jamf Pro.
- Select Inventory and search for the specific target macOS device (via Serial Number, Asset Tag, or Name).
- There are two ways to find the local admin account:
- Select the computer, then select the "General" payload. Scroll down to "Managed Local Administrator Accounts", then select "View Accounts and Passwords"
- Select the computer, then scroll down to the "local accounts" payload tab across the top sub-menu row.
LAPS Password Rotation Schedule
To keep devices secure, Jamf LAPS automatically updates account passwords based on whether or not they have been viewed.
- If Password is Viewed: The password automatically expires and rotates every 1 hour (60 minutes) after it has been revealed in the Jamf console.
- If Password is NOT Viewed: The password automatically rotates every 7 days as part of standard system lifecycle security.
Security Best Practice: Because credentials cycle within 60 minutes of visual discovery, never document or save retrieved passwords locally in documentation blocks, ticket entries, or plain text notes. Pull a fresh key string explicitly from Jamf Pro whenever tasks are initiated.