Capabilities
The capabilities listed below are the ones that are currently actively supported by EasyLAPS.
Have an idea to enrich EasyLAPS capabilities, or a need that would allow you to adopt EasyLAPS? Feel free to send a feature request via the form available on the Introduction page.
Password rotation | |
Commitment | • EasyLAPS performs a true rotation of the local administrator password, so the account keeps its cryptographic status • Once the password is changed, the account is still a Crypto user and Volume owner, able to unlock the device, install macOS updates, make changes to the startup security policy, initiate an Erase All Content and Settings, and more |
Execution logics | • Logic #1: The password is stored in encrypted form in the MDM and in the EasyLAPS Keychain. EasyLAPS uses the locally stored password as the current password to manage the rotation to the newly generated one, which is then written in the MDM. The public key used for the encryption is part of the EasyLAPS configuration file. The private key is not present on the device and must be kept under restricted access. • Logic #2: The password is stored in clear text in the MDM and is not stored locally unless a password reversion fails. EasyLAPS reads the password stored in the MDM and uses it as the current password to manage the rotation to the newly generated one, which is then written in the MDM. This logic fits best when a restricted number of technicians have access to the MDM console and are therefore able to reveal a rotated password. |
Rotation frequency | The password rotation process is triggered after a specified number of days and keeps being triggered until it is successful |
Rotation deferral | • The first rotation can be set to happen after the Mac has been enrolled in the MDM for more than a defined number of days (the reference is the installation date of the MDM Profile) • This capability enables EasyLAPS to be installed at the time of onboarding, leaving technicians time to complete a setup without having to use a unique password |
Forbidden characters | A list of characters that must not be used in the newly generated password can be configured to prevent reading difficulties |
Required symbols | A defined or random number of symbols, randomly selected from a list of symbols and randomly positioned in the newly generated password, replacing letters and numbers, can be added to match the local account password policy set by your organization |
Passphrase | • The password can be a passphrase defined by a minimum number of characters or an exact number of words • Passphrases can be made more complex with capital letters and defined or random numbers of symbols and digits |
Prefix | The prefix "easylaps-" can be added to the password stored in the MDM |
Determined password | A determined password can be used instead of a randomized password to allow a scenario where all Macs or a group of Macs share the same new unique password after the next rotation |
Local Administrator account | |
Account creation | • The defined local administrator account is created automatically if missing • The local administrator account parameters include Account name, Full name, UID, Shell, Home folder, Password and Hidden flag |
Account remediation | The Full name, Shell and Hidden flag parameters are reverted to the targeted ones if detected as modified |
Account picture | The local administrator account can be customized with a picture provided by your organization (PNG file) |
Administrative privileges | • EasyLAPS can be configured so only the local administrator account has administrative privileges on the device • In this context, the other accounts lose their administrative privileges if they have any • It is still possible to specify account and group names that are exempt from this demotion |
Secure Token | • The rotation preserves the Secure Token of the account • The account remains a Crypto user and a Volume owner: it can unlock the device, install macOS updates, make changes to the startup security policy, initiate an Erase All Content and Settings |
EasyLAPS Gateway | • This feature makes the current management account password, managed by another LAPS solution, available to EasyLAPS so that a true rotation is possible • The password collection is managed by MacOnboardingMate (MOM) during an MDM migration workflow • Two scenarios are currently supported: – MDM migration from any supported MDM with the current management account password managed by EasyLAPS – MDM migration from Jamf Pro with the current management account password managed by the native Jamf Pro LAPS solution |
Integrations | |
Slack / Microsoft Teams | • EasyLAPS can report the status message of its execution to a dedicated channel • Messages can be customized with strings, expected variables and emojis • This integration requires the implementation of Slack Incoming Webhooks, or a Teams workflow of the type "Post to a channel when a webhook request is received" |
Bootstrap Token | When the Bootstrap Token is detected as missing while the local administrator account has a Secure Token, the rotation can trigger the escrow of a Bootstrap Token in an MDM that supports this feature |
Implementation | |
Logs | • By default, EasyLAPS is executed silently and does not produce logs • The production of logs, used for information and debugging purposes and stored only locally on the device, must be explicitly requested |
Trust | EasyLAPS is signed and notarized, so you can be confident that the software has been checked for malicious code |
macOS support | EasyLAPS supports macOS 15 (Sequoia), macOS 14 (Sonoma), macOS 13 (Ventura), macOS 12 (Monterey), macOS 11 (Big Sur), macOS 10.15 (Catalina), macOS 10.14 (Mojave) and macOS 10.13.4 or later (High Sierra) |
Processor support | EasyLAPS supports Apple silicon and Intel processors |
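
The "Forbidden characters" and "Required symbols" rows above describe a generation rule that can be sketched as follows. This is an added example, not EasyLAPS code: the function name, parameter names and sample character lists are assumptions and do not correspond to EasyLAPS configuration keys.

```python
import secrets
import string

_rng = secrets.SystemRandom()  # draws from the OS CSPRNG, not the seeded PRNG


def generate_password(length, forbidden, symbols, symbol_count=None, max_symbols=3):
    """Build a random password of `length` letters and digits, never using a
    character from `forbidden`, then overwrite `symbol_count` randomly chosen
    positions with symbols drawn from `symbols`.

    symbol_count=None models the "random number of symbols" option: the count
    is drawn between 1 and max_symbols (hypothetical upper bound).
    """
    base = [c for c in string.ascii_letters + string.digits if c not in forbidden]
    allowed_symbols = [c for c in symbols if c not in forbidden]
    if not base:
        raise ValueError("forbidden list leaves no letters or digits")

    if symbol_count is None:
        symbol_count = _rng.randint(1, min(max_symbols, length))
    if not 0 <= symbol_count <= length:
        raise ValueError("symbol_count must be between 0 and length")
    if symbol_count and not allowed_symbols:
        raise ValueError("forbidden list leaves no usable symbols")

    # Step 1: letters and digits only, forbidden characters already excluded.
    chars = [secrets.choice(base) for _ in range(length)]

    # Step 2: pick distinct positions and replace what is there with a symbol,
    # so the total length is unchanged and the symbol count is exact.
    for pos in _rng.sample(range(length), symbol_count):
        chars[pos] = secrets.choice(allowed_symbols)
    return "".join(chars)


def count_symbols(password, symbols):
    """Number of characters in `password` that come from `symbols`."""
    return sum(c in symbols for c in password)


if __name__ == "__main__":
    # Constructed sample policy: look-alike characters are forbidden.
    pw = generate_password(16, forbidden="0O1lI", symbols="!#-+", symbol_count=2)
    print(pw, count_symbols(pw, "!#-+"))
```

Because the symbols replace existing characters instead of being appended, the password length stays fixed, which matters when the local account password policy sets both a length and a minimum symbol count.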