If you work with Microsoft Intune and Apple devices, this is the news you’ve been waiting for: LAPS for macOS is finally available! It’s a feature long requested by many IT Specialists, and today I’ll walk you through how it works and what’s different compared to the Windows version.
Perfect, let’s get started!
What is LAPS
LAPS, short for Local Administrator Password Solution, is a technology that allows you to securely and automatically manage the local administrator account password on a device.
What is it for? Its purpose is to prevent the same password from being reused across multiple devices, reducing the risk of lateral movement and improving the overall security of your infrastructure.
Things to consider before implementing LAPS for macOS
Before you start configuring LAPS for macOS, here are three key points to keep in mind:
1. You cannot choose the length or complexity of the password: it is defined by Microsoft and will always be 15 characters long, including uppercase and lowercase letters, numbers, and special characters.
2. Password rotation is fixed: it occurs every 6 months, with no customization options.
3. Configuration takes place in the enrollment profile associated with the Enrollment Token Program: therefore, the Mac must be supervised, enrolled via ADE, and registered in Apple Business Manager.
Note: Points 1 and 2 represent a major difference compared to the configuration options available with LAPS for Windows. At the time of writing this article (September 2025), this is the current state of the technology. It may change in the future, but for now, this is how it works.
Configuring LAPS in the enrollment profile
Now let’s go into Intune to see how to configure LAPS for macOS. In the following example, I used a mix of static text and variables for the local administrator username, choosing the format admin-
. I also chose to hide the administrative account in the Users & Groups panel as an additional measure to obscure the presence of the admin account.
These configurations are just an example to illustrate the customization possibilities: it’s important to select the most appropriate settings for your own infrastructure. Remember that this option is only available if the Mac has been properly enrolled via ADE and is supervised.
Final Result
Once everything is configured, here’s what happens on the Mac at the time of enrollment: the local administrator account password is generated automatically, it is unique for each device, and you can view it directly in Intune whenever you need it for technical interventions.
Configuring LAPS by modifying an existing enrollment profile has no effect on Macs that are already associated with that profile and enrolled. The configuration will only take effect once the Mac is reset and re-enrolled.
Role Based Access Control for the new macOS LAPS
With the release of the new feature, the corresponding RBAC controls have also been introduced, so you can delegate rotating the local Mac admin password to someone who is not an Intune Administrator.
The settings can be found under the Enrollment programs category:
Rotate macOS admin password
View macOS admin password
Attached Documentation
To explore further, here are some links to Microsoft’s official documentation:
Takeaways
Thank you for reading this article! I hope it helped you understand how LAPS for macOS works and how you can start using it right away in your infrastructure.
See you soon… LEGENDARY!
Riccardo