Apple @ Work: How EasyLAPS secures local admin accounts on macOS

Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

Apple IT teams have long struggled with the balance between local admins accounts on macOS and static or shared passwords across multiple devices. On one hand, these accounts are generally needed for updates, troubleshooting, and device recovery, but on the other, a static or shared password across multiple devices is a security problem waiting to happen. If someone leaves, you really should update them, but I suspect this often doesn’t happen. EasyLAPS aims to solve that problem by automatically rotating and securely storing each Mac’s local admin password in your device management system (more on how later). It’s a set-it-and-forget-it approach that removes one of enterprise Mac deployments’ most common weak points.

About Apple @ Work: Bradley Chambers managed an enterprise IT network from 2009 to 2021. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, thousands of Macs, and thousands of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, share stories from the trenches of IT management, and suggest ways Apple could improve its products for IT departments.

How EasyLAPS works

At its core, EasyLAPS rotates the local admin password on a schedule you define and stores it in your device management system or your password manager. The account keeps its SecureToken and Volume Owner status, so it can still unlock the Mac, install macOS updates, change startup security, or wipe the device. IT can always retrieve the latest password from the device management service record, but end users never see it.

Two ways to store passwords

EasyLAPS offers two modes, and you can switch between them.

Logic 1 stores the password in encrypted form in the device management system and in the EasyLAPS Keychain. Only someone with the EasyLAPS Toolkit and the private key can decrypt it. This is ideal when many technicians have device management system access, but only a few should be able to see the password.

Logic 2 stores the password in clear text in your device management system, with no local copy unless a rotation fails. This is simpler but requires tighter control over who can access the device management system.

Supported device management solutions

EasyLAPS works with Mosyle, FileWave, Jamf Pro, Jamf School, JumpCloud, Meraki, Microsoft Intune, Miradore, SimpleMDM, and Omnissa. It can also integrate with Passwordstate if you use it as your password management system.

Why this matters for Apple IT

Static admin passwords are a real security risk if they aren’t properly managed. If one is compromised, it can be used across multiple devices. EasyLAPS removes that problem by ensuring every Mac has a unique, regularly rotated password. That password is still available to IT teams when needed, but without the overhead of manual resets or the risk of a shared credential floating around with local admin access.

Wrap up

For IT teams, EasyLAPS improves your security posture for local admin accounts. You do not have to track which devices have been updated or manually set passwords after deployment. For security teams, it closes a gap that anyone with the static admin password could exploit, whether that’s an ex-employee or an attacker. It’s one of those tools that quietly does its job in the background, making your Mac fleet safer without creating more overhead.

Learn more about EasyLAPS.

Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage & protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

Keep track of your essentials with the Apple AirTag 4 Pack, the ultimate tracking solution for your belongings. With over 5,972 ratings and a stellar 4.7-star average, this product has quickly become a customer favorite. Over 10,000 units were purchased in the past month, solidifying its status as a highly rated Amazon Choice product.

For just $79.98, you can enjoy peace of mind knowing your items are always within reach. Order now for only $79.98 at Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!