
Configure LAPS for macOS devices via Hexnode UEM

Hexnode UEM allows you to configure Local Administrator Password Solution (LAPS) for macOS devices using policy-based controls. LAPS helps secure local administrator accounts by automatically rotating passwords and restricting access, reducing the risk of credential misuse and lateral movement. With Hexnode UEM, LAPS is enforced on Macs through device policies, providing centralized control over administrator account security.

LAPS Settings in Hexnode UEM

The LAPS configuration in Hexnode is divided into two sections:

  • Basic LAPS: A quick, recommended setup with minimal configuration.
  • Advanced LAPS: Granular controls for complex administrative requirements.

Each section addresses different administrative needs, from quick baseline protection to advanced, customizable security controls.

Basic LAPS

Basic LAPS provides a recommended, minimal-configuration setup for managing a local administrator account on macOS devices.

What it does

  • Automatically creates and manages a default local administrator account on the device.
  • Uses Hexnode-recommended default settings.
  • Automatically rotates the administrator password at regular intervals.

Why it matters

Basic LAPS eliminates static administrator passwords and ensures baseline security and compliance without requiring manual configuration, making it ideal for quick and standard deployments.

How to configure

  1. Log in to your Hexnode UEM portal.
  2. Navigate to Policies > New Policy > Create a fully custom policy to create a new policy (or make edits to an existing one).
  3. Go to macOS > LAPS > Basic LAPS and click Configure.

Basic LAPS Settings

  • Admin Account
    • Target admin account: The admin account “Hexnode Admin” is pre-set as the account to which the LAPS settings apply. This cannot be changed.
  • Password Rotation Settings

    These settings control how the administrator password is created and how often it changes.

    • Rotation interval: Determines how often the administrator password is automatically changed by Hexnode. In Basic LAPS, the password is rotated every 60 days. This interval is fixed to ensure a secure baseline.
    • Password length: Specifies the total number of characters in the generated password. In Basic LAPS, the password length is fixed at 8 characters.
    • Password complexity: Defines the character types included in the password. You can choose whether the password must contain uppercase letters, lowercase letters, and numbers. The selected options directly affect password strength.
    • Password retention count: Specifies how many previously used passwords are stored by Hexnode. Basic LAPS retains the last 3 passwords to prevent immediate reuse. This value is fixed.

Advanced LAPS

Advanced LAPS offers fine-grained control over administrator account management and password handling. It supports both existing administrator accounts and newly created, managed accounts. This section allows you to customize password rotation rules, manage multiple administrator accounts, and define how administrator credentials can be accessed and used.

Advanced LAPS includes the following sub-policies:

  • Existing Admin Accounts
  • Managed Admin Accounts
  • Password Rotation Settings
  • Password Access Controls

Existing Admin Accounts

This section allows you to bring local administrator accounts that already exist on macOS devices under centralized management through LAPS.

Note: The Password Rotation Settings policy must be configured to apply LAPS through this policy.

What it does

  • Accepts credentials for existing Secure Token-enabled admin accounts.
  • Authenticates the device using provided credentials.
  • Automatically rotates passwords for specified admin accounts.

Why it matters

This ensures that pre-existing administrator accounts are secured and brought under centralized password management without disrupting existing device setups.

How to configure

  1. Navigate to Policies > macOS > LAPS > Advanced LAPS > Existing Admin Accounts.
  2. Click Configure.

Settings to configure

  • Provide Admin Account Credentials: Select this option to enable LAPS for specific existing Secure Token-enabled admin accounts present on the device.
    • Username: Enter the username of the admin account.
    • Password: Enter the password of the admin account.
    • Then, click +Add Admin. Hexnode will use these admin account credentials to authenticate and rotate the passwords.
  • Defer until admin signs in: Enable this option to ensure that LAPS becomes active only after a Secure Token-enabled admin account logs in to the device. The password rotation is deferred until then.
    • Admin name: Use comparators to define which admin account login should trigger the LAPS policy. When the admin accounts that satisfy the comparator criteria log in, Hexnode securely uses the credentials of that account to perform the first password rotation. If no match is found, LAPS remains inactive on the device.
    • Target admin accounts: Specify the admin accounts that the LAPS policy should target.
      Note: Standard or non-admin accounts will be ignored during password rotation.

  • Include default admin account: Enable this option to include the default admin account on the device during password rotation.

Managed Admin Accounts

This section allows Hexnode to create new local administrator accounts on macOS devices and manage password rotation for those accounts.

Note: Standard or non-admin accounts will be ignored during password rotation.

What it does

  • Creates new local administrator accounts using Hexnode UEM.
  • Can generate unique administrator accounts per device.
  • Automatically rotates passwords based on the configured policy.

Why it matters

Managed administrator accounts remove the risks associated with shared credentials and help enforce stronger security practices across devices.

How to configure

  1. Navigate to Policies > macOS > LAPS > Advanced LAPS > Managed Admin Accounts.
  2. Click Configure.

Settings to configure

  • Add New User: Specify the username of the new admin account to be created on the device, and then click Add Admin+.
  • Account Name: Specify the account name for the new admin account. The account name is the short name used for the home folder. This field will be auto-filled with the supported characters from the Add New User field.
  • Generate Unique Admin Account: Enable this option to generate and create local admin accounts with unique and random names on each device.
    • Username Length: Specify the length of the username of the admin account.
    • Username characters: Check the username characters—Uppercase, Lowercase, Numbers, and Special Characters—that must be included in the username.
    • Username Prefix: Specify a prefix that will be attached to the beginning of the randomly generated username.
      Note: The username length specified in Username Length counts the username prefix too.

Password Rotation Settings

This section defines how administrator passwords are generated and rotated.

Note: If the Password Rotation Settings policy has not been configured, the password rotation settings of Basic LAPS apply on the device.

What it does

  • Controls how frequently administrator passwords are rotated.
  • Defines password requirements such as length, complexity, and retention.
  • Applies to both existing and managed administrator accounts.

Why it matters

Consistent password rotation and strong password policies reduce the risk of credential compromise and help maintain compliance across macOS devices.

How to configure

  1. Navigate to Policies > macOS > LAPS > Advanced LAPS > Password Rotation Settings.
  2. Click Configure.

Settings to configure

  • Rotation Interval: Set how often the admin account password should be rotated automatically.
  • Password Length: Specify the length of the password to be generated.
  • Password Complexity: Set the password complexity by choosing whether the password must contain uppercase letters, lowercase letters, and numbers. The selected options directly affect password strength.
  • Password Retention Count: Specifies how many previously used passwords are stored by Hexnode.
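As an added illustration (not Hexnode's code) of two rule sets described on this page: unique-username generation under Managed Admin Accounts, where the prefix counts toward Username Length, and the password rotation settings, where the retention count blocks reuse of the last N passwords and the rotation interval sets the next rotation date. The function names, the policy class and the special-character set are assumptions.

```python
# Added illustration of the LAPS naming and rotation rules on this page.
# Not Hexnode's code: function names, the policy class and the "special"
# character set are assumptions.
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

CHAR_CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "numbers": string.digits,
    "special": "!@#$%^&*-_",  # assumed set; the page does not list it
}

def random_string(length: int, classes: list[str]) -> str:
    """Random string of `length` chars with at least one char from every
    selected class, so the chosen complexity is actually satisfied."""
    if length < len(classes):
        raise ValueError("length too short for the selected classes")
    pool = "".join(CHAR_CLASSES[c] for c in classes)
    chars = [secrets.choice(CHAR_CLASSES[c]) for c in classes]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def generate_username(prefix: str, length: int, classes: list[str]) -> str:
    """Unique admin name; the prefix counts toward `length` (Username Prefix note)."""
    if len(prefix) >= length:
        raise ValueError("prefix leaves no room for the random part")
    return prefix + random_string(length - len(prefix), classes)

@dataclass
class RotationPolicy:
    interval_days: int = 60  # Basic LAPS defaults: 60 days, 8 chars, last 3 kept
    length: int = 8
    classes: list[str] = field(
        default_factory=lambda: ["uppercase", "lowercase", "numbers"])
    retention: int = 3

def rotate(policy: RotationPolicy, history: list[str], now: datetime):
    """New password not among the retained ones, plus next rotation time
    and the trimmed history (oldest dropped beyond the retention count)."""
    while True:
        pw = random_string(policy.length, policy.classes)
        if pw not in history[-policy.retention:]:
            break
    history = (history + [pw])[-policy.retention:]
    return pw, now + timedelta(days=policy.interval_days), history
```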

Password Access Controls

This policy controls how administrator passwords are handled after access.

What it does

  • Allows automatic password rotation after a password is viewed.
  • Disables administrator accounts after a specified period of inactivity.

Why it matters

These controls limit the exposure of administrator credentials and ensure that unused or compromised accounts do not remain active.

How to configure

  1. Navigate to Policies > macOS > LAPS > Advanced LAPS > Password Access Controls.
  2. Click Configure.

Settings to configure

  • Rotate password after viewing: Enable this option to automatically rotate the admin account password after viewing from the Device Details page in the Hexnode portal.
    • Rotate after viewing delay: Set how long to wait after the password is viewed before it is rotated.
  • Disable admin account if inactive after login: Enable this option to disable an admin account if it becomes inactive after login.
    • Set inactivity duration: Select the duration of inactivity after which the admin account will be disabled.

Depending on your requirements, you can use Basic LAPS for quick protection or Advanced LAPS for detailed control over administrator accounts and password usage.

Associating the LAPS Policy with Devices

If the policy has not yet been saved:

  1. Navigate to Policy Targets.
  2. Select the target of the policy (Devices, Device Groups, Users, User Groups, Domains/OUs).
  3. Click on +Add Devices.
  4. Select the devices you want to apply the policy to and click OK.
  5. Click Save to apply the policies to the selected devices.

If the policy has already been saved:

  1. Go to the Policies tab.
  2. Select the policy you want to associate with devices.
  3. Click on Manage > Associate Targets.
  4. Select the devices or device groups to which you want to apply the policy.
  5. Click Associate to apply the policy to the selected devices.

Find local admin account details associated with the LAPS policy

To find the local admin accounts and other details of macOS devices associated with the LAPS policy,

  1. Go to the Device Details page of the required macOS device and open the Local Accounts > LAPS section.
  2. Hexnode lists all local administrator accounts on the device whose passwords are managed by Hexnode LAPS, along with relevant details such as:
    • Account Name: The name of the admin account.
    • Account type: The type of admin account.
    • LAPS Status: Indicates whether LAPS is enabled for this account.
    • Last Rotated On: Date and time when the password was last rotated.
    • Next Rotation On: Scheduled date and time for the next password rotation.
    • Rotation Triggered By: Shows whether the rotation was triggered by the configured LAPS policy or via the Rotate Local Admin password remote action.
    • Password: The current password of the admin account. To view the latest password for a local admin account, click the password reveal icon in the Password column corresponding to the specified account.
    • Password Retention: Displays the retention count. Clicking the number shows all previously used passwords stored as per the configured LAPS policy.