Jamf added support for LAPS in April’s Jamf Pro 10.46.0 release.

What is LAPS?
LAPS is short for Local Administrator Password Solution. It was coined by Microsoft in May 2015 as a solution for automatically rotating passwords of shared IT administrator accounts on end users’ computers. Since then, it’s become a standard industry term used across platforms.

Desktop administrators have added shared IT admin accounts to their end users’ computers for decades for those times when they need to sit in front of a computer or remotely control it and log in. But this practice introduces a few major security problems:
- Typically, these accounts share the same username and password across computers. If the credentials are ever exposed to unauthorized persons, the entire fleet is vulnerable to attack.
- Multiple people know these shared IT admin credentials, and they’re easy to reshare with anyone without any means of controlling access.
- Because multiple people know the credentials, end user privacy and sensitive data are at risk, with no way to audit who uses them to access a computer, or when.
- And if a desktop administrator leaves the organization, someone must change the credentials on all the computers and share the updated password with the remaining administrators.

LAPS solves these problems.
While Microsoft may have developed the LAPS workflow, Jamf Pro is using Apple’s technology in its implementation. Jamf Pro’s LAPS supports all recommended macOS versions listed in Jamf Pro’s System Requirements.
Let’s look at how to use LAPS with Jamf Pro. We’ll cover how to:

- Define the admin account in a PreStage enrollment
- Review and enable LAPS settings in Jamf Pro
- Apply LAPS settings to a computer
- Verify LAPS is applied to a computer
- Retrieve the local admin username and password
- Audit LAPS access
- Disable LAPS
Define the admin account in a PreStage enrollment

Automated Device Enrollment must create the local admin account during enrollment.

When Automated Device Enrollment creates the local admin account, it becomes the sole managed Apple admin account. That means LAPS in Jamf Pro can only manage one local admin account.

Jamf Pro administrators define the name of this account in Computers > PreStage Enrollments. Each PreStage enrollment may have its own unique admin username, but computers are still limited to just one managed Apple admin account.
To configure a PreStage enrollment with a managed Apple admin account:

- Create a new PreStage enrollment or edit an existing PreStage enrollment.
- In the Account Settings payload, enable Create a local administrator account before the Setup Assistant.
- Set Username to something like “localadmin” or any single name without spaces.
- Set the Password and Verify Password fields to a known password. (Later, we’ll attempt to authenticate with the known password to verify whether LAPS has rotated it.)
- Choose whether to hide the account and whether to make it MDM-enabled. These settings don’t affect LAPS management.
- Scope and save the PreStage enrollment.

Computers already enrolled using an existing PreStage enrollment are eligible for LAPS management after a Jamf Pro administrator enables the feature.
Review and enable LAPS settings in Jamf Pro

In its initial release, LAPS in Jamf Pro is only available to configure and review via the Jamf Pro API. Jamf will later make LAPS available in the Jamf Pro GUI after refining its feature set. This doesn’t mean administrators need to learn scripting to use LAPS. They can do everything in Jamf Pro’s API pages.

Before setting LAPS, administrators should ensure their Jamf Pro account’s Privilege Set is set to “Administrator”. If the privilege set of their account is set to “Custom”, they should verify they have two new privileges enabled under the Privileges tab > Jamf Pro Server Actions:

- View Local Admin Password
- View Local Admin Password Audit History
Let’s see how LAPS is configured by default:

- Open the Jamf Pro server in a web browser and append “/api” to the end of the URL (e.g. https://talkingmoose.jamfcloud.com/api).
- Click the Jamf Pro API’s View button.
- At the top of the Jamf Pro API page, provide a Jamf Pro username and password (with LAPS privileges) and click Authorize. The account is authorized for 30 minutes before needing to reauthorize.
- Scroll down and click local-admin-password to review its six new endpoints. (Older v1 endpoints may appear, but they’re deprecated and Jamf will remove them later.)
- Click GET /v2/local-admin-password/settings, click Try It Out, and click Execute.
- In the Responses section just below, locate the response body. It’ll display Jamf Pro’s current LAPS settings.
By default, LAPS is turned off (autoDeploymentEnabled is set to “false”). When LAPS is enabled, it’ll rotate passwords on computers once every three months (autoRotationExpirationTime is set to “7776000” seconds). And it’ll rotate a computer’s managed Apple admin account password automatically one hour after it’s been viewed (passwordRotationTime is set to “3600” seconds).
Let’s turn on LAPS:

- Scroll down and click the next endpoint, PUT /v2/local-admin-password/settings.
- Click Try It Out.
- The LAPS settings to update field displays the current settings. It’s editable.
- To enable LAPS, set both autoDeployEnabled and autoRotateEnabled to “true”. To adjust the frequency of each setting, enter new values in seconds.
- Click Execute.
- The response body shows the updated settings. With the values used in this example, Jamf Pro will rotate a computer’s managed Apple admin account password 15 minutes (900 seconds) after viewing it, and it will automatically rotate all passwords every day (86400 seconds).
Apply LAPS settings to a computer

Before Jamf Pro applies its LAPS settings, computers must submit an inventory report. By default, they submit inventory once per week.

To force an inventory update on a test computer, open its Terminal application and run the following command:

sudo jamf recon
Alternatively, create a new Jamf Pro policy and enable Update Inventory in the Maintenance payload. In the General payload, set Trigger to “Recurring Check-in” and Execution Frequency to “Once per computer”. Scope the policy to a test computer and save. The computer will update its inventory as soon as it checks in with Jamf Pro. (This is also a quick way to apply LAPS to a group of computers or an entire fleet.)
Verify LAPS is applied to a computer

How does an administrator know LAPS is working?

Jamf Pro uses the Apple Push Notification service (APNs) command SetAutoAdminPassword to change the account’s password. Within seconds of submitting an inventory report, Jamf Pro should send the command to the computer and receive a response.

To verify the command, click Computers > Search Inventory. Click the computer name to view its inventory. Then click History > Management History. The SetAutoAdminPassword command should appear under Completed Commands.
Another way to verify Jamf Pro applied LAPS to a computer is to test authenticating to the local admin account. The easiest way to do this is to use Terminal again to attempt to log in as the account. Run the su (substitute user) command on the computer using the name of the managed Apple admin account:

su localadmin

When prompted, enter its known password. If Terminal responds with “Sorry”, the known password is no longer valid, indicating Jamf Pro has changed it.

Note: The computer itself isn’t aware it’s being managed by LAPS. As far as it knows, it received a command telling it to change the password for the managed Apple admin account.
Retrieve the local admin username and password

Viewing the current LAPS password requires putting a few pieces together.

First, the Jamf Pro administrator must retrieve the computer’s management ID. This is an ID created at the time of enrollment and it’s unique to each computer. It’s only stored in Jamf Pro and only visible using the Jamf Pro API.
- In the computer’s inventory record in Jamf Pro, click Inventory > General and note the Jamf Pro Computer ID. (This is not the management ID, but the computer ID helps identify the computer in the next steps.)
- Return to the Jamf Pro API by appending “/api” to the end of the Jamf Pro server’s URL and reauthorize if necessary.
- Scroll down and click computer-inventory to view its endpoints.
- Click GET /v1/computers-inventory-detail/{id}, click Try It Out, and enter the Jamf Pro computer ID from inventory.
- Click Execute.
- In the Responses section just below, locate the response body. It’ll display information about the computer.
- Scroll down the response body slightly and locate managementId. Copy its value.
- Scroll down the Jamf Pro API page back to local-admin-password.
- Click GET /v2/local-admin-password/{clientManagementId}/accounts, click Try It Out, and paste the management ID into the clientManagementId field.
- Click Execute.
- In the Responses section just below, locate the response body. It’ll display the username of the managed Apple admin account. (This is the same admin account username from the PreStage enrollment.)
- To retrieve the LAPS account’s password, scroll up the Jamf Pro API page just slightly.
- Click GET /v2/local-admin-password/{clientManagementId}/account/{username}/password, click Try It Out, paste the management ID into the clientManagementId field, and enter the local admin account username in the username field.
- Click Execute.
- In the Responses section just below, locate the response body. It’ll display the password of the managed Apple admin account.

Remember, this password is valid only for the length of time specified for passwordRotationTime when enabling LAPS. Work quickly.
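The same retrieval chain (computer ID to management ID to account name to password) can be scripted rather than clicked through the API page. This is an added example, not code from the post or from Jamf: the endpoint paths are the ones listed above, the bearer-token call (POST /api/v1/auth/token) is the standard Jamf Pro API login, and the `username` and `password` keys assumed in the accounts and password responses are noted inline. The HTTP transport is injectable so the flow can be exercised against a fake server.

```python
import base64
import json
import urllib.request


def find_key(obj, key):
    """Return the first value stored under `key` anywhere in a decoded JSON body
    (the post only says managementId is 'in the response body')."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        obj = list(obj.values())
    if isinstance(obj, list):
        for item in obj:
            found = find_key(item, key)
            if found is not None:
                return found
    return None


def urllib_http(method, url, headers, body=None):
    """Default transport: one HTTPS call, returns the decoded JSON body."""
    data = json.dumps(body).encode() if body is not None else None
    if data is not None:
        headers = {**headers, "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


class LapsClient:
    def __init__(self, base_url, username, password, http=urllib_http):
        self.base = base_url.rstrip("/")
        self.http = http  # injectable transport, so the flow is testable offline
        creds = base64.b64encode(f"{username}:{password}".encode()).decode()
        # Jamf Pro API login: Basic credentials in, short-lived bearer token out.
        tok = http("POST", f"{self.base}/api/v1/auth/token",
                   {"Authorization": f"Basic {creds}", "Accept": "application/json"})
        self.headers = {"Authorization": f"Bearer {tok['token']}",
                        "Accept": "application/json"}

    def call(self, method, path, body=None):
        return self.http(method, f"{self.base}/api{path}", self.headers, body)

    def management_id(self, computer_id):
        detail = self.call("GET", f"/v1/computers-inventory-detail/{computer_id}")
        mgmt = find_key(detail, "managementId")
        if not mgmt:
            raise KeyError(f"computer {computer_id}: no managementId in inventory")
        return mgmt

    def laps_username(self, mgmt_id):
        body = self.call("GET", f"/v2/local-admin-password/{mgmt_id}/accounts")
        name = find_key(body, "username")  # assumption: account name key is 'username'
        if not name:
            raise KeyError("no managed Apple admin account on this computer")
        return name

    def retrieve(self, computer_id):
        """Computer ID -> (username, password). Viewing starts the passwordRotationTime clock."""
        mgmt = self.management_id(computer_id)
        user = self.laps_username(mgmt)
        body = self.call("GET", f"/v2/local-admin-password/{mgmt}/account/{user}/password")
        return user, find_key(body, "password")  # assumption: key is 'password'
```

Every call to `retrieve` is a password view and therefore lands in the audit history and triggers rotation, so a script should call it only when someone actually needs the credential.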
Audit LAPS access

Protecting data and end user privacy requires knowing who accessed a password and when. Jamf Pro’s LAPS implementation provides auditing to disclose this information.

For successful auditing, Jamf Pro administrators themselves must never use a shared user account when logging into the server. Instead, one administrator should set a long and complex password that only one person knows and keeps in a secure location. (Consider also enabling Jamf Pro’s Password Policy feature to enable that account for password recovery, just in case.) Then each server administrator should use a uniquely identifiable username with the necessary privileges.
To audit who’s accessed a computer’s LAPS-managed password:

- Return to the Jamf Pro API by appending “/api” to the end of the Jamf Pro server’s URL and reauthorize if necessary.
- Scroll down and click computer-inventory to view its endpoints.
- Click GET /v1/computers-inventory-detail/{id}, click Try It Out, and enter the Jamf Pro computer ID from inventory.
- Click Execute.
- In the Responses section just below, locate the response body. It’ll display information about the computer.
- Scroll down the response body slightly and locate managementId. Copy its value.
- To audit who’s accessed a computer’s LAPS password, scroll down and click local-admin-password to view its endpoints.
- Click GET /v2/local-admin-password/{clientManagementId}/account/{username}/audit, click Try It Out, paste the management ID into the clientManagementId field, and enter the local admin account username in the username field.
- Click Execute.
- In the Responses section just below, locate the response body. It’ll display the audit history for the LAPS account, including the names of the accounts that viewed the passwords, the passwords themselves, and when the Jamf Pro administrator viewed them.
Disable LAPS

Jamf Pro’s LAPS feature is global. It affects all computers with a local admin account created during Automated Device Enrollment. Therefore, administrators can’t easily apply LAPS settings to just a subset of computers.

A desktop administrator could disable LAPS for an existing computer by deleting the managed Apple admin account. Recreating the account with the same name won’t reenable it for LAPS because it’ll have a different UUID.

To disable LAPS globally, the Jamf Pro administrator should follow a specific order of operations to keep from losing access to the local admin account:
- Return to the Jamf Pro API by appending “/api” to the end of the Jamf Pro server’s URL and reauthorize if necessary.
- Scroll down and click local-admin-password to view its endpoints.
- Click PUT /v2/local-admin-password/settings, and click Try It Out.
- The LAPS settings to update field displays the current settings.
- Set autoRotateEnabled to false to disable any further password changes.

Keep in mind LAPS can’t restore the original local admin account passwords on computers, and each computer will have a unique password. While Jamf Pro offers a PUT /v2/local-admin-password/{clientManagement}/set-password endpoint, it can only set one computer at a time. The Jamf Pro administrator will need to create a Jamf Pro API script to set every computer password using LAPS. Only after ensuring all passwords are changed to known passwords should the administrator turn off LAPS:
- Return to the Jamf Pro API by appending “/api” to the end of the Jamf Pro server’s URL and reauthorize if necessary.
- Scroll down and click local-admin-password to view its endpoints.
- Click PUT /v2/local-admin-password/settings, and click Try It Out.
- Set autoDeployEnabled to false to disable LAPS.
- Click Execute.
Testing

Now is the time for customers to test LAPS and give Jamf feedback while it’s in its early stages. Any customer can register for the Jamf Pro Customer Feedback Program and gain access to the private beta forums. Betas are a great opportunity to see what’s coming next and test critical workflows before Jamf releases new versions. Customers planning to use LAPS in their environments should participate.

Administrators should carefully consider whether LAPS is a fit for their environment. Ideally, each Jamf Pro administrator’s account is secured using some combination of a strong password policy, Single Sign-On with a randomized failover URL, and limited access to other administrators’ account settings. And while products like Jamf Connect and Jamf Pro’s LAPS are compatible with each other, both can offer secure and auditable admin access to a computer. Implement one or the other for the sake of simplicity and ease of auditing.

Jamf Cloud customers should test LAPS in their free-of-charge Jamf Cloud sandbox instances before enabling LAPS on their production server. Customers can create their sandbox instances in their Jamf Account or by contacting their Customer Success Manager.

And it’s worth repeating that LAPS is an API-first feature. That means it’s only available in the API until Jamf has completed the LAPS feature set. Later, it should move to the Jamf Pro GUI for those who aren’t comfortable with the API.