@talkingmoose                                                            , Thank you for this Tech Thought to help as we can look at deploying LAPS in JAMF and we consider moving away from binding to AD. @talkingmoose，感谢您提供此技术思想的帮助，因为我们可以考虑在 JAMF 中部署 LAPS，并且我们考虑摆脱对 AD 的绑定。

When a Local administrator account is create before the Setup Assistant for computers enrolled with this PreStage enrollment, does checking Hide managed administrator account in Users & Groups create problems?  If if does create a issue is there a way to unhide the account post enrollment?                                                            如果在“设置助理”之前为已注册此 PreStage 注册的计算机创建本地管理员帐户，则选中“用户和组”中的“隐藏托管管理员帐户”是否会产生问题？ 如果确实产生了问题，有没有办法在注册后取消隐藏帐户？

Will this Admin account get a secure token and generated a bootstrap token to be escrowed in JAMF, and be this account be Volume owner?  Is the a way to give this Admin account a secure token make it a volume owner so I can git rid of the other local admin accounts?此管理员帐户是否会获得安全令牌并生成要托管在 JAMF 中的引导令牌，并且此帐户是否是卷所有者？ 有没有一种方法可以给这个管理员帐户一个安全的令牌，使其成为卷所有者，这样我就可以 git 摆脱其他本地管理员帐户？                                                        

Currently we do a light touch were the service desk enrolls the computer and creates the first admin account, before handing the device over to the Active directory end user and I would like to move away from this practice. 目前，在将设备移交给 Active Directory 最终用户之前，服务台注册了计算机并创建了第一个管理员帐户，我们进行了轻微的接触，我想摆脱这种做法。

@burdett                                                            , glad to hear this will help!@burdett，很高兴听到这会有所帮助！

LAPS has no influence over whether the managed Apple admin account created during Automated Device Enrollment is hidden, MDM-enabled, receives a secure token, or is made a volume owner. It also doesn’t care about any of these properties when rotating a password. Apple’s guidance sill applies.                                                            LAPS 对在自动设备注册期间创建的托管 Apple 管理员帐户是隐藏的、启用了 MDM、接收安全令牌还是成为卷所有者没有影响。轮换密码时，它也不关心这些属性中的任何一个。 Apple 的指导门槛适用。

Never enable a shared IT admin account for FileVault. It's one set of credentials that allows access to your entire fleet if they’re ever shared or stolen. If you use LAPS, it won’t rotate the FileVault password.切勿为 FileVault 启用共享 IT 管理员帐户。这是一组凭据，允许访问您的整个车队，如果它们被共享或被盗。如果您使用 LAPS，则不会轮换 FileVault 密码。

Hi,  你好 

Thanks for the clear tutorial :)感谢您的清晰教程:)

I have a question : when devices are already enrolled since months or years through DEP/MDM, how the apple managed account should be created ?我有一个问题：当设备已经通过 DEP/MDM 注册了数月或数年时，应该如何创建 Apple 管理帐户？

I change my prestage enrollment configuration by adding an account, but he is never created during the phases described in your tuto.我通过添加一个帐户来更改我的预台注册配置，但他从未在 tuto 中描述的阶段创建。

Any help or advice would be appreciate.任何帮助或建议将不胜感激。

Kind regards. 亲切问候。 

@alewko                                                             you could try creating a policy and using the "Local Accounts" payload to create the account on devices that are missing it. I started setting up something like that but never had to use it yet. @alewko，您可以尝试创建策略并使用“本地帐户”有效负载在缺少该帐户的设备上创建帐户。我开始设置这样的东西，但从未使用过它。

@bcbackes                                                             well, already tried but not working. The strange behavior : LAPS is enabled, but for all my devices when I check into the API manager, 0 accounts are shown compatible with LAPS.@bcbackes好吧，已经尝试过但不起作用。奇怪的行为：LAPS 已启用，但是当我签入 API 管理器时，对于我的所有设备，显示 0 个帐户与 LAPS 兼容。

I will check it on Monday, maybe an issue related to an update time needed on jamf's backoffice side 我会在周一检查它，也许是与 jamf 后台方面所需的更新时间有关的问题

@alewko                                                            , the managed Apple admin account is only created during Automated Device Enrollment. You’ll specify that account in a Jamf Pro PreStage enrollment in the Account Settings payload.@alewko ，托管 Apple 管理员帐户仅在自动设备注册期间创建。您将在“帐户设置”有效负载的 Jamf Pro PreStage 注册中指定该帐户。

Run this command on the computer to verify the account exists:在计算机上运行以下命令以验证帐户是否存在：

We are currently using https://github.com/joshua-d-miller/macOSLAPS                                                            .我们目前正在使用 https://github.com/joshua-d-miller/macOSLAPS .

This comes in useful as password are stored in AD and users who do not have access to JSS can lookup passwords using the macOSLAPS app.  这很有用，因为密码存储在 AD 中，无法访问 JSS 的用户可以使用 macOSLAPS 应用程序查找密码。

What would be nice is if we could target any additional local admin account with JAMF Pros LAPS not just the management account.如果我们可以使用 JAMF Pros LAPS 而不仅仅是管理帐户来定位任何其他本地管理员帐户，那就太好了。

Attempted to implement this and I have a large portion of our prestage enrolled fleet that returns 0 accounts. If I SSH into one of them and run 'cat /var/db/ConfigurationProfiles/Settings/.setupUser' I do see the account that was created, reflecting the prestage profile. Any guidance on troubleshooting this?尝试实现这一点，我有很大一部分预注册的队列返回 0 个帐户。如果我通过 SSH 连接到其中之一并运行“cat /var/db/ConfigurationProfiles/Settings/.setupUser”，我确实会看到已创建的帐户，反映了预备配置文件。关于解决此问题的任何指导？

@gsoft                                                            , have you enabled LAPS in Jamf Pro (set autoDeployEnabled to “true”) and then updated inventory for these Macs using a policy or manually running “sudo jamf recon”?@gsoft，您是否在 Jamf Pro 中启用了 LAPS（将 autoDeployEnabled 设置为“true”），然后使用策略或手动运行“sudo jamf recon”更新了这些 Mac 的清单？

That’s all it should take to start reporting.这就是开始报告所需的全部内容。

I enabled LAPS with the put request, verified that the settings took with a fresh get request, and then ran a policy on our PreStaged computer smart group to force an inventory update. Even after all that only 14 of our 44 PreStage computers return an account for LAPS. Choosing a few random computers and checking the .setupUser file shows that the corresponding local admin account was created.我使用 put 请求启用了 LAPS，验证了使用新的 get 请求进行的设置，然后在我们的 PreStaged 计算机智能组上运行策略以强制更新库存。即便如此，我们的 44 台 PreStage 计算机中也只有 14 台返回了 LAPS 帐户。随机选择几台计算机并检查 .setupUser 文件，显示已创建相应的本地管理员帐户。

@talkingmoose                                                             thanks for the great write up, as always!@talkingmoose一如既往地感谢您的精彩报道！

I saw that HCS Technology Group also put up a guide on implementing LAPS the same way. However, they did have a warning that there is a known issue with PreStage Enrollments that include a configuration profile. (@gsoft                                                             this may be the same issue you're experiencing with those other 30 computers.)我看到HCS技术集团也以同样的方式发布了实施LAPS的指南。但是，他们确实收到警告，指出包含配置文件的 PreStage 注册存在已知问题。（@gsoft这可能与您在其他 30 台计算机上遇到的问题相同。

Here is what they said in their guide                                                            :以下是他们在指南中所说的话：

Known LAPS Issues: Jamf has an open issue for Mac computers enrolled through PreStage Enrollments that include a configuration profile. Jamf Pro will not enable LAPS for these computers unless their computer record is deleted and the computer is re-enrolled into the Jamf Pro server. Jamf will address this issue in an upcoming release. Settings won't apply until a computer submits an inventory update and then a check-in to Jamf Pro. To force settings immediately on a computer after enabling LAPS, run the following command: sudo jamf recon已知的 LAPS 问题：Jamf 对于通过包含配置描述文件的 PreStage 注册注册的 Mac 计算机存在未解决的问题。Jamf Pro 不会为这些计算机启用 LAPS，除非删除其计算机记录并将计算机重新注册到 Jamf Pro 服务器。Jamf 将在即将发布的版本中解决此问题。在计算机提交清单更新，然后签入 Jamf Pro 之前，设置不会应用。若要在启用 LAPS 后立即在计算机上强制设置，请运行以下命令：sudo jamf recon

I can't imagine how long this workaround would take for organizations that have hundreds (or even thousands!) of computers!我无法想象对于拥有数百台（甚至数千台）计算机的组织来说，这种解决方法需要多长时间！

As part of my imaging/deployment workflow I sign into my local administrator account immediately after the automatic enrollment process is complete. This ensures I have a bootstrap token escrowed, and I have a SetupYourMac policy setup to run that executes the basic computer configuration while I'm logged in under that account, and then restarts once the core policies are all executed successfully. 作为映像/部署工作流的一部分，我在自动注册过程完成后立即登录到本地管理员帐户。这确保了我托管了一个引导令牌，并且我有一个要运行的 SetupYourMac 策略设置，该设置在我使用该帐户登录时执行基本计算机配置，然后在核心策略全部成功执行后重新启动。

                                                           If I enable LAPS at what point does it change the password of the local administrator account? If it waits until the first inventory update I should be fine with my workflow - but is there any chance that LAPS will rotate the local admin password as the local admin account is created?如果我启用 LAPS，它会在什么时候更改本地管理员帐户的密码？如果它等到第一次清单更新，我应该可以处理我的工作流程 - 但是 LAPS 是否有可能在创建本地管理员帐户时轮换本地管理员密码？

                                                           Basically - I want to be able to image labs of computers without having to look up LAPS passwords for each individual machine.基本上 - 我希望能够对计算机的实验室进行成像，而无需查找每台计算机的 LAPS 密码。

@JCMBowman                                                            , it’s going to be fairly immediate after enrolling. You might consider creating a policy to add a temporary “setup” account with a known password and then another to remove it when you’re done.@JCMBowman，注册后会相当立即。您可以考虑创建一个策略来添加一个具有已知密码的临时“安装”帐户，然后在完成后添加另一个帐户以将其删除。

Any idea if it can change the password, if the password has been changed by other means, like with macOSLAPS (https://github.com/joshua-d-miller/macOSLAPS.) ? I deployed this not too long ago, and it is working fine, but I would like to transition to this in the future.                                                            知道它是否可以更改密码，如果密码已通过其他方式更改，例如macOSLAPS（https://github.com/joshua-d-miller/macOSLAPS）？我不久前部署了它，它工作正常，但我想在将来过渡到它。

@vagabon                                                            , I can’t confirm without testing, but the password change is done using an Apple command sent to the computer from Jamf Pro. I don’t believe it requires knowledge of the existing password because the account is already a managed Apple admin account on a Jamf Pro managed computer.@vagabon ，我无法在没有测试的情况下进行确认，但是密码更改是使用从Jamf Pro发送到计算机的Apple命令完成的。我不认为它需要知道现有密码，因为该帐户已经是 Jamf Pro 托管计算机上的托管 Apple 管理员帐户。

@talkingmoose                                                             your blogs are always incredible!!@talkingmoose你的博客总是令人难以置信！

Excellent tutorial!  We have already begun to deploy, and it works like a charm.优秀的教程！ 我们已经开始部署，它就像一个魅力。

Thanks for the hard work and write-up!感谢您的辛勤工作和写作！

Great document, William - thanks!很棒的文件，威廉 - 谢谢！

                                                           A few questions:几个问题：

                                                           1 Instead of using a PreStage Admin account, can we use the User-Initiated account (AKA the 'Jamf Management' account)? Will LAPS work with this account?1 我们是否可以使用用户启动的帐户（又名“Jamf 管理”帐户）来代替 PreStage 管理员帐户？LAPS 是否适用于此帐户？

                                                           2 When choosing to hide the PreStage admin account, it only hides it from the Users & Groups GUI pane. The admin's homedir is located in /Users and therefore can be seen by any casual user. Why is this homedir not in /var or other hidden dir?2 选择隐藏 PreStage 管理员帐户时，它只会在“用户和组”GUI 窗格中隐藏它。管理员的 homedir 位于 /Users 中，因此任何临时用户都可以看到。为什么这个 homedir 不在 /var 或其他隐藏的目录中？

                                                           In contrast, the User-Inititated account (AKA  the 'Jamf Management' account) DOES have a hidden homedir in /var (not /Users) Any idea why these 2 accounts differ?相比之下，用户发起的帐户（又名“Jamf 管理”帐户）在 /var 中确实有一个隐藏的 homedir（不是 /Users） 知道为什么这两个帐户不同吗？

                                                           3 Does LAPS care what UUID the PreStage admin account has (example 501, 502 etc)?3 LAPS 是否关心 PreStage 管理员帐户的 UUID（例如 501、502 等）？
                                                           I'm asking because at my org, I have both                                                             a PreStage admin account and a User-Inititated admin account. Typically the User-Initiated admin gets created BEFORE the PreStage and therefore gets UUID 501 and the PreStage admin gets UUID 502. But Im planning on disabling the User-Inititated admin account (legacy workflows removed and I no longer require the account) and at that point, the PreStage admin will get UUID 501 I'm assuming.我问是因为在我的组织中，我同时拥有一个 PreStage 管理员帐户和一个用户启动的管理员帐户。通常，用户启动的管理员是在 PreStage 之前创建的，因此会获得 UUID 501，而 PreStage 管理员会获得 UUID 502。但是我计划禁用用户启动的管理员帐户（删除了旧工作流，我不再需要该帐户），届时，PreStage 管理员将获得我假设的 UUID 501。

                                                           4 Does a PreStage admin account get a Secure Token?4 PreStage 管理员帐户是否获得安全令牌？

                                                       

Is there a known extension attribute we can use to find the date of  SetAutoAdminPassword ?是否有已知的扩展属性可用于查找 SetAutoAdminPassword 的日期？

@dstranathan                                                            , some good questions.@dstranathan，一些好问题。

1. Jamf Pro is using Apple’s mechanism for creating the “managed Apple admin account”. Apple only allows for one managed admin account, and they require it be created via Automated Device Enrollment. I believe the jamf binary creates the Jamf management and all other accounts, therefore they don’t qualify.1. Jamf Pro 正在使用 Apple 的机制来创建“托管 Apple 管理员帐户”。Apple 只允许一个托管管理员帐户，并且他们要求通过自动设备注册创建该帐户。我相信 jamf 二进制文件创建了 Jamf 管理和所有其他帐户，因此它们不符合条件。

2. Here                                                            ’s the spec on the AutoSetupAdminAccounts key                                                             from Apple. It doesn                                                            ’t seem to allow for choosing a path for the home folder. That might be a RADAR you                                                            ’ll want to file with Apple.                                                            2.这是Apple的AutoSetupAdminAccounts密钥的规范。它似乎不允许为主文件夹选择路径。这可能是您想向 Apple 提交的 RADAR。

And before you think                                                             “AutoSetupAdminAccounts" (plural!), this page describes only the first element will be used and other accounts ignored.                                                            在你想到“AutoSetupAdminAccounts”（复数！）之前，本页只描述了将使用的第一个元素，而忽略了其他帐户。

3. I don                                                            ’t think Jamf Pro cares what the local user ID of the managed Apple admin account is, however, I think it                                                            ’s likely to be 501 since it                                                            ’s getting created as part of Automated Device Enrollment before all else.                                                            3. 我不认为 Jamf Pro 关心托管 Apple 管理员帐户的本地用户 ID 是什么，但是，我认为它很可能是 501，因为它首先被创建为自动设备注册的一部分。

4. My understanding is only accounts actually logging in to a Mac at the login window (not command line) can get a secure token. The first local account to log in will be the only local account with a secure token. A token can be issued to another local account, but then the first will lose its token. That’s why the better practice is to let end users go through Automated Device Enrollment themselves, so they can be the first to log in and get the token.4.我的理解是，只有在登录窗口（而不是命令行）实际登录Mac的帐户才能获得安全令牌。第一个登录的本地帐户将是唯一具有安全令牌的本地帐户。一个令牌可以发行到另一个本地账户，但第一个账户将失去其代币。因此，更好的做法是让最终用户自行完成自动设备注册，这样他们就可以率先登录并获取令牌。

Any number of directory (Active Directory) accounts may receive a secure token.任意数量的目录 （Active Directory） 帐户都可以接收安全令牌。

And newer macOS versions that support a bootstrap token make user secure tokens a moot point. Only an MDM can get the bootstrap token and then it can do everything an account with a secure token can do.而支持引导令牌的较新 macOS 版本使用户安全令牌成为一个有争议的问题。只有 MDM 才能获取引导令牌，然后它可以执行具有安全令牌的帐户可以执行的所有操作。

@burdett                                                            , I made this extension attribute a while back for some internal testing:@burdett ，我不久前制作了这个扩展属性以进行一些内部测试：

Managed Apple Admin 托管 Apple 管理员                                                         

#!/bin/zsh

if [[ -f "/var/db/ConfigurationProfiles/Settings/.setupUser" ]]; then
    lapsUsername=$( /usr/libexec/PlistBuddy -c "Print :Users:0:shortName" /var/db/ConfigurationProfiles/Settings/.setupUser )
    echo "<result>$lapsUsername</result>"
else
    echo "<result>Not configured</result>"
fi

Thanks William!                                                               谢谢威廉！ 

The EA works great for getting the DEP AutoAdmin name.    What I was looking for was an extension attribute                                                             to confirm / validate that password rotation was running and create a smart group from that.                                                               EA 非常适合获取 DEP AutoAdmin 名称。   我正在寻找的是一个扩展属性，用于确认/验证密码轮换是否正在运行并从中创建一个智能组。

Once I have a confirm / validate that password rotation is running I want to have a policy to remove the "shared IT admin accounts" on our end users’ computers.                                                            一旦我确认/验证密码轮换正在运行，我希望有一个策略来删除最终用户计算机上的“共享 IT 管理员帐户”。                                                        

                                                           Is there a way to create a EA grab the date from SetAutoAdminPassword                                                             from the computer inventory -> History -> Management History ->SetAutoAdminPassword: 05/22/2023 at 10:57 PM 有没有办法创建 EA 从计算机清单中的 SetAutoAdminPassword 中获取日期 ->历史记录 ->管理历史记录 ->SetAutoAdmin密码： 05/22/2023 于 10：57 下午                                                        

I had this working a couple of weeks ago in a test environment and decided to check again today to make sure it is still working but I have tried entering in the password the API shows and it won't let me sign in with the local admin account and password shown. Terminal shows Sorry when I try su localadmin with password. I even waited an hour for the password to change and tried the new one still can't sign in. Any thoughts why I not able to sign in now after it has been working previously. 几周前，我在测试环境中进行了这项工作，并决定今天再次检查以确保它仍然有效，但是我尝试输入API显示的密码，但它不允许我使用本地管理员帐户和显示的密码登录。当我尝试使用密码 su localadmin 时，终端显示对不起。我什至等了一个小时才更改密码，并尝试了新密码仍然无法登录。为什么我现在无法登录的任何想法，因为它之前一直在工作。

@burdett                                                             This should work to get the last date/time the LAPS password was changed from the computer itself. Jamf Pro can’t create extension attributes from its own data.@burdett这应该可以从计算机本身获取LAPS密码更改的最后日期/时间。Jamf Pro 无法从自己的数据创建扩展属性。

Managed Apple admin password last set time上次设置时间的托管 Apple 管理员密码                                                        

#!/bin/zsh

# get LAPS account username
lapsUsername=$( /usr/libexec/PlistBuddy -c "Print :Users:0:shortName" /var/db/ConfigurationProfiles/Settings/.setupUser )

# read LAPS account for password information
userPasswordInfo=$( /usr/bin/dscl . read "/Users/$lapsUsername" accountPolicyData | /usr/bin/tail -n +4 )

# extract Unix epoch date from account password information
passwordChangeDateEpoch=$( /usr/bin/xpath -e '//key[text()="passwordLastSetTime"]/following-sibling::real[1]/text()' 2>/dev/null <<< "$userPasswordInfo" )

# convert Unix epoch date to ISO 8601 standard format
passwordChangeDate=$( /bin/date -j -f "%s" "$passwordChangeDateEpoch" +"%F %T" 2>/dev/null )

# report value to Jamf Pro according to computer's local time zone
echo "<result>$passwordChangeDate</result>"

@talkingmoose                                                             If I want to get the managementID in a script. How do I get the info?@talkingmoose 如果我想在脚本中获取 managementID。如何获取信息？

@YanW                                                            , I have a sample script I’ve been using for testing here:@YanW ，我有一个示例脚本，我一直在使用这里进行测试：

https://gist.github.com/talkingmoose/fe84537a3a6951caa7fcb767d15ee3e6                                                        

I wrote it a little experimentally. Look for the "get computer management ID” section, which references the apiGET function earlier in the script.                                                            我有点实验性地写了它。查找“获取计算机管理 ID”部分，该部分在脚本前面引用了 apiGET 函数。

@talkingmoose                                                             thank you @talkingmoose谢谢 

@talkingmoose                                                             I have setup LAPS and it's working fine for me, but I want to reduce the LAPS password length from 30 characters to 12 characters,@talkingmoose我已经设置了 LAPS 并且它对我来说工作正常，但我想将 LAPS 密码长度从 30 个字符减少到 12 个字符，

                                                           It looks like we are using the FileVault key to the LAPS account, Please let me know if we can do that in API or JAMF.看起来我们正在使用 LAPS 帐户的 FileVault 密钥，请告诉我是否可以在 API 或 JAMF 中执行此操作。

@BagaleAnil                                                             You’ll probably be interested in upvoting this feature request:@BagaleAnil 您可能有兴趣对此功能请求投赞成票：

Give the new LAPS feature the ability to create passwords with modifiable complexity使新的 LAPS 功能能够创建具有可修改复杂性的密码                                                        

Also, Jamf Pro’s LAPS feature doesn’t manage the FileVault password for the account. I recommend not enabling the account for FileVault. You should already have the computer’s personal recovery key escrowed and should use it instead for those times when the computer is in the hands of IT but powered off.此外，Jamf Pro 的 LAPS 功能不管理帐户的 FileVault 密码。我建议不要启用FileVault的帐户。您应该已经托管了计算机的个人恢复密钥，并且应该在计算机掌握在 IT 手中但已关闭电源时使用它。

Thanks, @talkingmoose                                                            ! 谢谢，@talkingmoose！ 

Shameless self-promotion: 无耻的自我推销： 

Jamf Pro LAPS: Retrieving Password via TerminalJamf Pro LAPS：通过终端检索密码                                                        

hey @dan-snelson嘿@dan-斯内尔森 

                                                           Any suggestions on why i keep having this error when i run the lapss from terminal?关于为什么我从终端运行 lapss 时一直出现此错误的任何建议？

                                                           All the information shows up, except the password. Username matches with the admin local account, and was deployed via prestage. 除密码外，所有信息都会显示。用户名与管理员本地帐户匹配，并通过 prestage 部署。


                                                       

@Double_G                                                            : @Double_G ： 

Nice write up!! 写得不错！！ 

I've made a nice gui dialog box for configuring JAMF LAPS and a nice gui for viewing the LAPS password.我制作了一个漂亮的 gui 对话框来配置 JAMF LAPS，以及一个漂亮的 gui 来查看 LAPS 密码。
                                                           They are up on my github and might be of use to some of you?它们在我的 github 上，可能对你们中的一些人有用？
https://github.com/PezzaD84/JAMFLAPS-Configuratorhttps://github.com/PezzaD84/JAMFLAPS-Configurator
https://github.com/PezzaD84/JAMF-LAPS-UIhttps://github.com/PezzaD84/JAMF-LAPS-UI                                                        

Just to note these are very early versions so they might have little qwerks.请注意，这些是非常早期的版本，因此它们可能几乎没有 qwerks。

This article states that PreStage can be used for management but fails to mention that LAPS will break the account’s Secure Token and thus CANT be used to manage FV2 and starting with Jamf Pro 10.49 Jamf even recommends NOT using this account for FV2 related activities.本文指出 PreStage 可用于管理，但没有提到 LAPS 会破坏帐户的安全令牌，因此 CANT 用于管理 FV2，从 Jamf Pro 10.49 开始，Jamf 甚至建议不要将此帐户用于 FV2 相关活动。

But what’s the point of an IT admin account if it can’t be used for tasks that require a Secure Token? Things like Software Update, running the sysadminctl command and FV2 are critical things that an IT department might need an administrator account with a Secure Token for. But according to Jamf it won’t work because the token is corrupted after LAPS rotation.但是，如果 IT 管理员帐户不能用于需要安全令牌的任务，那么它有什么意义呢？软件更新、运行 sysadminctl 命令和 FV2 等操作是 IT 部门可能需要具有安全令牌的管理员帐户的关键操作。但根据 Jamf 的说法，它不会起作用，因为令牌在 LAPS 轮换后损坏。

Thoughts? 思潮？ 

@dstranathan                                                             I also saw these notes and did have the same thoughts. The JAMF Documentation also mentions not to log in with the management account or use it for admin tasks and recommends creating a separate local admin account for admin tasks. This comment makes the use of JAMF LAPS a little redundant to me?!@dstranathan我也看到了这些笔记，确实有同样的想法。JAMF 文档还提到不要使用管理帐户登录或将其用于管理任务，并建议为管理任务创建单独的本地管理员帐户。这个评论让 JAMF LAPS 的使用对我来说有点多余？！

I came across these same issues when making my own LAPS solution where the account isn't FV enabled but this doesn't limit the account to not fully administer the device. The account gets a secure token automatically so it can run software updates, log in and run any admin tasks. The FV drawback can be bypassed by logging in with the recovery key and then the LAPS account can do it's thing.在制作自己的 LAPS 解决方案时，我遇到了同样的问题，其中帐户未启用 FV，但这并不限制帐户无法完全管理设备。该帐户会自动获得安全令牌，以便它可以运行软件更新、登录和运行任何管理任务。可以通过使用恢复密钥登录来绕过 FV 缺点，然后 LAPS 帐户就可以执行它的任务。

I've thought of ways to automatically enable FV but with lot's of devices being deployed as zero-touch and the end user becoming the only FV enabled user it makes this task hard as you would need to get the users password at some point.我已经想到了自动启用 FV 的方法，但是由于许多设备被部署为零接触，并且最终用户成为唯一启用 FV 的用户，这使得这项任务变得困难，因为您需要在某个时候获取用户密码。

This doc from WIllaim got my LAPS juices flowing back in April and was the genesis of why I decided to move from a UIE Jamf Management admin account to a PreStage admin account in the first place. In fact, I called a meeting with Jamf to start planning my FV2 project (which is supposed to go live in October) based on ideas I got from this article. But the Jamf doc fails to mention 2 critical facts:WIllaim 的这份文档让我的 LAPS 在 4 月份流淌起来，这也是我决定首先从 UIE Jamf 管理管理员帐户转移到 PreStage 管理员帐户的原因。事实上，我与 Jamf 召开了一次会议，根据我从这篇文章中得到的想法开始规划我的 FV2 项目（应该在 10 月上线）。但 Jamf 文档没有提到 2 个关键事实：

-The PreStage admin account can't be used for FV2 etc because the Secure Token will be killed after LAPS rotation.- PreStage 管理员帐户不能用于 FV2 等，因为安全令牌将在 LAPS 轮换后被终止。

-The UIE Jamf Management admin account can also be used with LAPS.- UIE Jamf 管理管理员帐户也可以与 LAPS 一起使用。


@perryd84                                                             I was slo told by Jamf (for 7+ years!) to never                                                             use the UIE Jamf Management admin account for general IT tasks like SSH, ARD etc. This was causing issues at my org because we have a policy to not have more than 1 IT account per Mac for security. This is another reason I moved to a PreStage account in the first place. Now I might end up needing 2 or more going into 2024. This is crazy. @perryd84 Jamf 告诉我（7+ 年！）永远不要将 UIE Jamf 管理管理员帐户用于 SSH、ARD 等一般 IT 任务。这在我的组织中引起了问题，因为为了安全起见，我们有一个策略，即每台 Mac 的 IT 帐户不超过 1 个。这是我首先转向 PreStage 帐户的另一个原因。现在我可能最终需要 2 个或更多到 2024 年。这太疯狂了。
                                                       

Hey @talkingmoose                                                             , I just saw your presentation at JNUC. Very good! Well organized and presented.嘿@talkingmoose，我刚刚在JNUC上看到了你的演讲。非常好！组织和呈现良好。

I manage about 800 systems and as part of our standard configuration have the local admin account already created. We use this account to preform administration functions on the systems whenever necessary.我管理着大约 800 个系统，作为我们标准配置的一部分，已经创建了本地管理员帐户。必要时，我们使用此帐户在系统上执行管理功能。

I would like to test out the LAPS system but I don't think I can as soon as I activate it, it will start rotating the password on all my systems. Correct?我想测试一下 LAPS 系统，但我认为我不能在激活它后立即开始在我的所有系统上轮换密码。正确？

How would you go about setting up a test environment so we can develop and test deploying LAPS to our fleet? Should we ignore Jamf's sytem and use yours (macOSLAPS)?您将如何设置测试环境，以便我们可以开发和测试将 LAPS 部署到我们的车队？我们是否应该忽略 Jamf 的系统并使用您的 （macOSLAPS）？

Thanks a ton!!!  非常感谢!! 

p.s. Love your handle. Is it a throwback to antlered friend that used to inhabit my Mac Plus waaaay too many years ago?p.s. 爱你的手柄。这是对多年前曾经居住在我的 Mac Plus waaaay 上的鹿角朋友的回归吗？

@Dan                                                            , thanks so much for the kudos on the presentation! I have to say Starbucks not only upsized my drink later that day but the next day, so I was pretty well caffeinated later on. ;-P@Dan，非常感谢您对演示文稿的赞誉！我不得不说，星巴克不仅在那天晚些时候，而且在第二天都增加了我的饮料量，所以我后来的咖啡因含量很高。;-P

Jamf Pro’s LAPS story is still evolving and you may have seen there are two accounts that it may affect — the managed Apple admin account created during Automated Device Enrollment (MDM account) and the Jamf management account created from the settings in User-Initiated Enrollment (JMF account).Jamf Pro 的 LAPS 故事仍在不断发展，您可能已经看到它可能会影响两个帐户 — 在自动设备注册期间创建的托管 Apple 管理员帐户（MDM 帐户）和根据用户启动的注册中的设置创建的 Jamf 管理帐户（JMF 帐户）。

For years we’ve been encouraging customers not to use the JMF account for their own purposes but to leave it for only Jamf Pro to use. As soon as your server updates to Jamf Pro 10.49.0, the JMF account is automatically put under LAPS. The only other settings you can test are the rotation frequency and the delay between someone viewing the password and the automatic rotation.多年来，我们一直鼓励客户不要将 JMF 帐户用于自己的目的，而应将其留给 Jamf Pro 使用。一旦您的服务器更新到 Jamf Pro 10.49.0，JMF 帐户就会自动置于 LAPS 下。您可以测试的唯一其他设置是旋转频率以及查看密码的人与自动旋转之间的延迟。

There’s more work to do with the MDM account, but if you’re using that for your own needs, I’d make sure to begin transitioning now to a different account you can create using a policy. (Or consider not using a shared IT admin account at all, which is much more secure.)MDM 帐户还有更多工作要做，但如果你将其用于自己的需要，我确保现在开始过渡到可以使用策略创建的其他帐户。（或者考虑根本不使用共享的 IT 管理员帐户，这样更安全。

If you’re concerned about testing, ask your Customer Success Manager at Jamf for a Jamf Cloud sandbox instance. It’s free. You can enroll a Mac and test there and see how it’s going to affect you.如果您担心测试，请向 Jamf 的客户成功经理索取 Jamf Cloud 沙盒实例。它是免费的。您可以注册一台 Mac 并在那里进行测试，看看它会如何影响您。

When the development seems to have settled down, I’m hoping to put out a revised article explaining both types of LAPS and walking through how to prepare using them in production.当开发似乎已经稳定下来时，我希望发布一篇修订后的文章，解释这两种类型的 LAPS，并介绍如何在生产中使用它们进行准备。

And, yes! Talking Moose from Bob Levitus’s Stupid Mac Tricks!而且，是的！Bob Levitus 的 Stupid Mac Tricks 中的会说话的驼鹿！

@talkingmoose                                                             Hi @talkingmoose 嗨 

We have the situation where we have used the same username for the management account created in User-Initiated Enrollment settings and a managed local administrator account created in a PreStage enrollment (which was never an issue until LAPS has come online).我们遇到的情况是，我们对在用户发起的注册设置中创建的管理帐户和在 PreStage 注册中创建的托管本地管理员帐户使用了相同的用户名（在 LAPS 联机之前，这从来都不是问题）。

So we have some machines showing in Jamf as Managed by: administrator, administrator  This is confirmed when looking in the API which shows 2 LAPS capable accounts (JMF and MDM) both with the same username. When trying to get the LAPS password for administrator if fails, as you would expect.因此，我们在 Jamf 中有一些机器显示为“管理者”：管理员、管理员 在 API 中查看时证实了这一点，该 API 显示 2 个支持 LAPS 的帐户（JMF 和 MDM）都具有相同的用户名。如您所料，如果失败，则尝试获取管理员的 LAPS 密码时。

I have deleted the administrator account (after setting a new local account with admin rights), but it is still showing in the API with the 2 LAPS administrator accounts (and showing in Jamf as Managed by: administrator, administrator).我已经删除了管理员帐户（在设置了具有管理员权限的新本地帐户后），但它仍然显示在具有 2 个 LAPS 管理员帐户的 API 中（并在 Jamf 中显示为“管理者：管理员、管理员”）。

So is there a way of removing, or renaming one of these accounts to solve this issue, before we enable LAPS?那么，在我们启用 LAPS 之前，有没有办法删除或重命名其中一个帐户来解决此问题？

I would like to avoid the rebuilding of those machines if at all possible.如果可能的话，我想避免重建这些机器。

@sdunbar                                                             Currently, using the same username name for both the MDM LAPS account and JMF LAPS account puts you in an “unknown” state. Jamf Pro can’t have two processes managing one account.@sdunbar 目前，对 MDM LAPS 帐户和 JMF LAPS 帐户使用相同的用户名会使您处于“未知”状态。Jamf Pro 不能有两个进程管理一个帐户。

My recommendation is to immediately change the username for one or the other. It doesn’t matter which and the change won’t apply until you re-enroll a machine.我的建议是立即更改其中一个的用户名。这无关紧要，在重新注册计算机之前，更改不会应用。

Next, pick one LAPS method (MDM via the PreStage Enrollment or JMF via User-Initiated Enrollment) as your preferred LAPS management method. MDM LAPS accounts are managed using Apple’s technology and JMF is managed using Jamf’s technology. For you, I suggest changing the JMF account name in UIE and using the JMF LAPS account.接下来，选择一种 LAPS 方法（通过 PreStage 注册的 MDM 或通过用户启动的注册的 JMF）作为首选的 LAPS 管理方法。MDM LAPS 帐户使用 Apple 的技术进行管理，而 JMF 使用 Jamf 的技术进行管理。对于您，我建议您在 UIE 中更改 JMF 帐户名称并使用 JMF LAPS 帐户。

You can then send a /usr/local/bin/jamf enroll -noPolicy                                                             command in a policy (Files and Processes > Execute Command) to re-enroll computers and apply the updated LAPS management account.然后，您可以在策略中发送 /usr/local/bin/jamf enroll -noPolicy 命令（“文件和进程”>“执行命令”），以重新注册计算机并应用更新的 LAPS 管理帐户。

I haven’t tested this workflow to re-enroll to change the LAPS account, so be sure to test yourself on a single computer or small group of computers and verify the results first.我尚未测试此工作流以重新注册以更改 LAPS 帐户，因此请务必在单台计算机或一小组计算机上测试自己并首先验证结果。

Finally, if you choose to implement some sort of shared IT admin account that’s known to multiple engineers (I strongly recommend not doing this) then use a policy to create that account going forward.最后，如果您选择实现多个工程师已知的某种共享 IT 管理员帐户（我强烈建议不要这样做），请使用策略来创建该帐户。

@talkingmoose @talkingmoose                                                         

That is great, much appreciated. 这太棒了，非常感谢。

I'll give that a go and see how I get on. We have only used the shared IT admin a/c as a temporary measure until we get this sorted.我会试一试，看看我过得怎么样。我们仅使用共享的 IT 管理员 a/c 作为临时措施，直到我们对此进行排序。

Many thanks 非常感谢 

If anyone is using JAMF LAPS I've made some updates to my LAPS UI tool which you can find here https://github.com/PezzaD84/JAMF-LAPS-UI                                                            如果有人正在使用 JAMF LAPS，我已经对我的 LAPS UI 工具进行了一些更新，您可以在此处找到这些更新 https://github.com/PezzaD84/JAMF-LAPS-UI

Just makes viewing the LAPS Password a little more user friendly. You can scope this tool to your help desk etc and then they don't need JAMF or API access to view the password.只是使查看 LAPS 密码更加用户友好。您可以将此工具的范围限定为技术支持等，然后他们不需要 JAMF 或 API 访问权限即可查看密码。

Any idea when PreStage accounts will be required to use LAPS?  知道何时需要 PreStage 帐户才能使用 LAPS 吗？

                                                       

The Jamf Pro 11 Deprecation doc mentions it but no dates are provided. Why not?Jamf Pro 11 弃用文档提到了它，但没有提供日期。为什么不呢？

My techs require a PreStage account to deploy new Macs. Enabling LAPS at enrollment time will break all my workflows. I'd like to request to Jamf devs that the PreStage admin get LAPS at a time window that I control as an admin - not when Jamf dictates.我的技术人员需要 PreStage 帐户才能部署新 Mac。在注册时启用 LAPS 将破坏我的所有工作流程。我想向 Jamf 开发人员请求 PreStage 管理员在我作为管理员控制的时间窗口获取 LAPS，而不是在 Jamf 指示时获取 LAPS。

Hi @talkingmoose @sdunbar                                                             ,嗨，@talkingmoose @sdunbar，

Have try the method to fix the same username for the management account created in User-Initiated Enrollment settings and a managed local administrator account created in a PreStage enrollment by renaming the user for the User-Initiated Enrollment but when I run the commande I got this error message:                                                            通过重命名用户发起的注册的用户，尝试修复在用户启动的注册设置中创建的管理帐户和在 PreStage 注册中创建的托管本地管理员帐户的相同用户名的方法，但是当我运行命令时，我收到以下错误消息：

sudo /usr/local/bin/jamf enroll -noPolicysudo /usr/local/bin/jamf 注册 -nopolisi                                                               

There is an error in your syntax.语法有误。                                                        

Error: Valid credentials are required to enroll this computer. Use either the -invitation or the -prompt option to authenticate.错误：注册此计算机需要有效的凭据。使用 -invitation 或 -prompt 选项进行身份验证。                                                        

Have also try re-enroll with this command using my jamf admin credential还请尝试使用我的 jamf 管理员凭据重新注册此命令                                                        

sudo /usr/local/bin/jamf enroll -prompt -noPolicysudo /usr/local/bin/jamf 注册 -prompt -nopolisi                                                        

JSS Username:jamfadmin JSS 用户名：jamfadmin                                                         

JSS Password: *** JSS密码：***                                                         

But I'm still not able to see the laps admin password from the Jamf API:但是我仍然无法从 Jamf API 中看到 laps 管理员密码：                                                        

Did anyone has been able to fix this situation ?有没有人能够解决这种情况？                                                        

Many thanks. 非常感谢。                                                         

Hi @RichClic  嗨@RichClic 

I had a similar issue, with being prompted for credentials. I got the re-enrolment to work (for me) using  profiles renew -type enrollment                                                             我遇到了类似的问题，提示我输入凭据。我使用配置文件更新类型注册（对我来说）重新注册

One issue I have got however, is that if I try to run the command via a policy it does not pop up with the window asking to confirm the re-enrolment, but if run from Self Service it works fine. So I having difficulties getting it done with minimal user interaction.但是，我遇到的一个问题是，如果我尝试通过策略运行该命令，它不会弹出要求确认重新注册的窗口，但如果从自助服务运行，它工作正常。因此，我很难以最少的用户交互来完成它。

If the re-enrolment fails I have found the machine can end up being unmanaged (but I got it managed again using the Jamf API to Redeploy the Jamf Management Framework                                                            ).如果重新注册失败，我发现机器最终可能不受管理（但我使用 Jamf API 重新部署 Jamf 管理框架再次对其进行管理）。

Hope that helps. 希望能有所帮助。 

This should be a much more simple process, and JAMF shouldn't be forcing this on anyone until it is fully functional within the Jamf Pro GUI, at the earliest. Even then, it should be a customer choice.这应该是一个更简单的过程，JAMF 不应该强迫任何人这样做，直到它最早在 Jamf Pro GUI 中完全正常运行。即便如此，它也应该是客户的选择。

https://learn.jamf.com/bundle/jamf-pro-release-notes-current/page/Deprecations_and_Removals.html                                                        

Just chiming in on a related topic and linking to recent changes...只是插话一个相关的话题并链接到最近的变化......

                                                           According to Jamf from this Jamf Nation community link                                                             PreStage admin accounts will continue to be able to be set with a static password for the remainder of 2024.根据 Jamf 的说法，来自这个 Jamf Nation 社区链接的 PreStage 管理员帐户将在 2024 年剩余时间内继续使用静态密码进行设置。

                                                           As of Jamf Pro 11.3, admins can now view LAPS passwords from Inventory section of a computer record. See this                                                             video overview.从 Jamf Pro 11.3 开始，管理员现在可以从计算机记录的“清单”部分查看 LAPS 密码。请观看此视频概述。                                                        

Ugh, wait: This Jamf Pro 11.3 document                                                             (dated yesterday Feb 19 2024) says that LAPS WILL BE REQUIRED for PreStage account. What is going on...?呃，等等：这份 Jamf Pro 11.3 文档（日期为 2024 年 2 月 19 日）说 PreStage 帐户需要 LAPS。这是怎么回事。。。？

@perryd84                                                             , how do you get encoded API credentials ?                                                             @perryd84，如何获取编码的API凭据？

@ITMan                                                             You can use this little script here @ITMan 你可以在这里使用这个小脚本

If you put in your API account username and password the script will echo out an encoded string you can use to get the bearer token from JAMF. I'm looking to change the authentication method to use the new API roles feature in the next release.如果输入 API 帐户用户名和密码，则脚本将回显一个编码字符串，可用于从 JAMF 获取持有者令牌。我希望更改身份验证方法，以便在下一版本中使用新的 API 角色功能。