Securing Cloud-Native Hardware: Manage LAPS on Non-Domain Macs
In the modern “Work from Anywhere” era, many macOS devices are no longer bound to a traditional On-Premises Active Directory (AD). While this offers flexibility, it creates a massive security gap: Local Admin Password Persistence. Without a domain controller to manage credentials, local administrator passwords often remain static, becoming prime targets for lateral movement attacks.
macOS LAPS (Local Administrator Password Solution) Orchestration via Hexnode UEM solves this by securely automating the generation, rotation, and escrow of local admin credentials. Hexnode acts as the central authority, ensuring that cloud-joined or standalone macOS hardware is protected against credential misuse.
1. The Operational Logic
LAPS Orchestration moves away from “set and forget” passwords. Instead, it follows a continuous security loop:
- Generate: Hexnode triggers the creation or takeover of a local admin account.
- Rotate: On a set schedule (e.g., every 30 days) or after every use, the password is automatically randomized.
- Escrow: The new password is encrypted and sent back to the Hexnode UEM portal.
- Audit: Every time an admin views the password in the portal, a log is generated for compliance.
2. Configuration Modes: Basic vs. Advanced
Hexnode splits macOS LAPS into two distinct routing paths depending on your organizational needs:
Option A: Basic LAPS (Quick Setup)
Basic LAPS is designed for rapid deployment with minimal configuration, enforcing a strict security baseline.
- Target Account: Automatically targets a pre-set account named Hexnode Admin (this cannot be changed).
- Rotation Schedule: Fixed at a 60-day rotation interval.
- Password Length: Fixed at 8 characters.
- Password Retention: Automatically stores the last 3 passwords to prevent immediate reuse.
- Customization: You can only define the password complexity (uppercase, lowercase, numbers).
Option B: Advanced LAPS (Granular Control)
Advanced LAPS offers detailed administrative control over existing accounts, new accounts, and post-usage actions. It contains four sub-policies:
- Existing Admin Accounts: Targets specific existing admin accounts. Rotation is triggered securely when the matched account logs into the Mac.
- Managed Admin Accounts: Instructs Hexnode to create new admin accounts. You can create a static account name or toggle Generate Unique Admin Account to create randomized, unique admin names for every single device (customizable by length, character types, and prefix).
- Password Rotation Settings: Customize the exact rotation interval, length, and complexity of the passwords.
- Password Access Controls (Crucial for Zero Trust):
  - Rotate password after viewing: Automatically forces a password rotation after a technician views it in the Hexnode portal (with a configurable delay).
  - Disable admin account if inactive: Automatically disables the admin account if it remains inactive for a set duration after login.
3. Implementation Workflow
Step A: Configure the Policy
- Log in to the Hexnode UEM console.
- Navigate to Policies > New Policy > Create a fully custom policy (or edit an existing one).
- Go to macOS > LAPS.
- Select either Basic LAPS or Advanced LAPS and click Configure.
- Managed Account Name: Enter the short name of the local admin account you wish to manage (e.g., admin_support).
- Password Mapping: Choose whether to rotate the password after a specific time interval or upon a manual “Reset” action from the portal.
- On-Demand Rotation: Enable this to allow technicians to trigger an immediate password change after a support session is completed.
Step B: Associate and Deploy
- Navigate to Policy Targets.
- Select your target Devices, Device Groups, Users, User Groups or Domains/OUs.
- Click Save to deploy the policy. Hexnode will silently apply the LAPS configuration to the targeted macOS endpoints.
4. Accessing Managed Passwords
When a technician needs to perform an administrative task on a remote Mac, they must retrieve the current password from the UEM:
- Navigate to Manage > Devices and select the target Mac.
- Go to the Device Details page.
- Go to Local Accounts > LAPS.
- Here, you will see the Account Name, LAPS Status, Last Rotated On, and Next Rotation On.
- Click the Eye icon under the Password column to reveal the credentials.
Note: If “Rotate password after viewing” is enabled in Advanced LAPS, revealing the password will trigger a password reset after the configured delay.
5. On-Demand Password Rotation (Incident Response)
If an admin password is inadvertently exposed, shared, or you simply want to rotate it outside of the scheduled policy, technicians can trigger a manual rotation:
- Go to Manage > Devices and select the target Mac.
- Click Actions > Security > Rotate Local Admin password.
- Confirm the action.
Note: This immediate remote action automatically resets the standard rotation timer. For example, if your policy is set to rotate every 30 days, triggering a manual rotation today shifts the next automatic rotation to 30 days from today. If the device is offline, it will rotate the moment it reconnects.
6. Comparison: Traditional AD vs. Hexnode LAPS Orchestration
Historically, managing local admin passwords required binding Macs to an Active Directory domain—a practice Apple no longer recommends. Hexnode’s LAPS orchestration shifts this workload to the cloud, aligning with modern Apple device management frameworks.
| Feature | Traditional On-Premises AD LAPS | Hexnode UEM LAPS Orchestration |
|---|---|---|
| Architecture | Requires line-of-sight to an On-Premises Domain Controller (via LAN or VPN). | Cloud-native. Works anywhere the device has an internet connection. |
| macOS Compatibility | Poor natively. Often requires third-party plugins, complex scripting, or deprecated AD binding. | Built-in via the Hexnode UEM agent and policies. No AD binding required. |
| Password Escrow | Stored in AD computer object attributes (requires AD schema extensions). | Securely encrypted and escrowed directly within the Hexnode UEM Portal. |
| Rotation Triggers | Typically script-based or reliant on GPOs polling the domain. | Policy-driven (e.g., every 60 days) or event-driven (e.g., immediate rotation after an admin views the password in the portal). |
| Zero Trust Alignment | Low. Static passwords can persist indefinitely if the Mac leaves the corporate network. | High. Continuous enforcement and automatic rotation even for remote, roaming devices. |
7. Troubleshooting & Security Guardrails
- Standard Accounts Ignored: Hexnode LAPS policies strictly apply to Administrator accounts. Standard/non-admin accounts targeted by mistake will be bypassed during the rotation cycle.
- Offline Devices: If a device is offline when a rotation is scheduled or a remote rotation action is fired, the Hexnode agent queues the command and executes the password change immediately upon reconnecting to the network.
- Audit Logs: To maintain compliance, administrators should routinely check the portal’s audit logs to monitor who is revealing local admin passwords and triggering manual rotations.
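As an added example for the "Standard Accounts Ignored" guardrail above (and for the static-password gap described in the introduction), the Python below checks, before a policy is deployed, which target accounts on a Mac are actually members of the local admin group and how old each admin password is. It is not Hexnode code. It assumes the output formats of two macOS commands, `dscl . -read /Groups/admin GroupMembership` and `dscl . -read /Users/NAME accountPolicyData` (whose plist carries a `passwordLastSetTime` epoch value); the sample strings are constructed, and the function names are assumptions.

```python
"""Pre-deployment LAPS target check. Added example, not Hexnode code.
Assumes macOS `dscl` output formats; samples below are constructed."""
import plistlib
import subprocess
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of `dscl . -read /Groups/admin GroupMembership`
ADMIN_GROUP_SAMPLE = "GroupMembership: root admin_support jdoe\n"

# Constructed sample of `dscl . -read /Users/admin_support accountPolicyData`
POLICY_DATA_SAMPLE = """dsAttrTypeNative:accountPolicyData:
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
 \t<key>creationTime</key>
 \t<real>1700000000.0</real>
 \t<key>passwordLastSetTime</key>
 \t<real>1700000000.0</real>
 </dict>
 </plist>
"""


def parse_group_membership(dscl_output: str) -> List[str]:
    """Return the member short names from a 'GroupMembership: a b c' line."""
    for line in dscl_output.splitlines():
        key, sep, rest = line.partition(":")
        if sep and key.strip() == "GroupMembership":
            return rest.split()
    return []


def parse_password_last_set(dscl_output: str) -> Optional[datetime]:
    """Extract passwordLastSetTime from accountPolicyData output as a UTC datetime.
    dscl indents the embedded plist by one space, so the XML is re-aligned first."""
    start = dscl_output.find("<?xml")
    if start < 0:
        return None
    xml = "\n".join(l.strip() for l in dscl_output[start:].splitlines()).encode()
    data = plistlib.loads(xml)
    ts = data.get("passwordLastSetTime")
    return datetime.fromtimestamp(ts, tz=timezone.utc) if ts is not None else None


def password_age_days(last_set: datetime, now: datetime) -> int:
    return (now - last_set).days


def classify_targets(targets: List[str], admin_members: List[str]) -> Tuple[List[str], List[str]]:
    """Split policy targets into (rotated, bypassed): only admins are rotated."""
    admins = set(admin_members)
    return [t for t in targets if t in admins], [t for t in targets if t not in admins]


def audit_targets(targets: List[str], admin_members: List[str],
                  last_set_by_user: Dict[str, Optional[datetime]],
                  now: datetime, max_age_days: int) -> Dict[str, str]:
    """Per target: 'bypassed' (not an admin), 'stale' (admin password older than
    max_age_days), 'unknown' (no timestamp available) or 'ok'."""
    rotated, bypassed = classify_targets(targets, admin_members)
    report = {name: "bypassed" for name in bypassed}
    for name in rotated:
        last_set = last_set_by_user.get(name)
        if last_set is None:
            report[name] = "unknown"
        elif password_age_days(last_set, now) > max_age_days:
            report[name] = "stale"
        else:
            report[name] = "ok"
    return report


def live_admin_members() -> List[str]:
    """Real lookup on a Mac (not used by the constructed samples above)."""
    out = subprocess.run(["dscl", ".", "-read", "/Groups/admin", "GroupMembership"],
                         capture_output=True, text=True, check=True).stdout
    return parse_group_membership(out)


if __name__ == "__main__":
    now = datetime.now(tz=timezone.utc)
    admins = parse_group_membership(ADMIN_GROUP_SAMPLE)
    last_set = {"admin_support": parse_password_last_set(POLICY_DATA_SAMPLE)}
    for name, verdict in audit_targets(["admin_support", "jdoe", "helpdesk"],
                                       admins, last_set, now, 60).items():
        print(f"{name}: {verdict}")
```

Run the audit against the real `dscl` output on each Mac before associating the policy: a `bypassed` result means the account will be skipped by the rotation cycle, and a `stale` result is exactly the persistent local admin password the policy is meant to eliminate.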