We recently discovered that some of our current local admin accounts on macOS devices are using the same password.
Is there a way to rotate these passwords and prevent credential misuse in the future?
26 Views
Replies (7)
Marked SolutionPending Review
Hexnode Expert
3 days ago
Feb 17, 2026
Marked SolutionPending Review
Hi @zayn_nj ,
You can use Local Administrator Password Solution (LAPS) for macOS in Hexnode UEM to enforce automatic password rotation for local admin accounts. This ensures each device has a unique admin password.
For existing local admin accounts, Hexnode UEM provides Advanced LAPS configuration, which allows administrators to:
-
- Apply password rotation to existing local admin accounts.
- Configure password complexity and rotation intervals.
- Store and manage the rotated passwords securely within the Hexnode console.
This approach eliminates password reuse and reduces the risk of credential misuse across devices.
Best Regards,
Isabel Lora
Hexnode Expert
Marked SolutionPending Review
Participant
3 days ago
Feb 17, 2026
Marked SolutionPending Review
Oh, so password rotation is possible for existing local admin accounts as well? I thought it could only be configured only for new admin accounts.
Marked SolutionPending Review
Hexnode Expert
3 days ago
Feb 17, 2026
Marked SolutionPending Review
Yes, @ace_98 ! Password rotation works for both existing and newly created local admin accounts, as long as the accounts are brought under LAPS management.
Best Regards,
Isabel Lora
Hexnode Expert
Marked SolutionPending Review
Participant
2 days ago
Feb 18, 2026
Marked SolutionPending Review
Okay, got it! But where can admins retrieve the rotated passwords?
Marked SolutionPending Review
Hexnode Expert
2 days ago
Feb 18, 2026
Marked SolutionPending Review
Rotated passwords are accessible in the Hexnode UEM console:
-
Go to Manage → Devices.
-
Select the macOS device.
-
Open Device Details > Local Accounts > LAPS section (visible only if LAPS is configured and applied).
Access is controlled through role-based access control (RBAC), ensuring only authorized admins with the necessary permissions can retrieve the credentials.
Best Regards,
Isabel Lora
Hexnode Expert
Marked SolutionPending Review
Participant
24 hours ago
Feb 19, 2026
Marked SolutionPending Review
Just being a bit curious! I was about to configure Advanced LAPS, but I saw Basic LAPS listed. What exactly is Basic LAPS, how is it different from Advanced LAPS?
Marked SolutionPending Review
Hexnode Expert
23 hours ago
Feb 19, 2026
Marked SolutionPending Review
Hey @haanaa ! In Hexnode UEM, Basic and Advanced LAPS are two sections of macOS LAPS configuration, each designed for different levels of control and flexibility.
1. Basic LAPS
Basic LAPS is designed for minimal-configuration with pre-configured settings and includes the following behaviour:
- Automatically creates and manages a default local administrator account on the device.
- Uses Hexnode-recommended default settings for password management.
- Automatically rotates the administrator password at regular intervals.
Basic LAPS is ideal for quick and standard deployments.
2. Advanced LAPS
Advanced LAPS provides additional flexibility and control, and supports:
- Rotating passwords for existing local administrator accounts.
- Creating and managing custom local administrator accounts.
- Customizing password complexity requirements.
- Configuring password rotation intervals.
Advanced LAPS is recommended for organizations requiring full control over password management.
For more information, please refer to our help doc: Configure LAPS for macOS devices via Hexnode UEM.
Best Regards,
Isabel Lora
Hexnode Expert
Save
