EasyLAPS is a tool designed to regularly rotate the local administrator account password of a Mac and store it in a Mobile Device Management (MDM) solution like Jamf Pro or Jamf School. The main purpose of EasyLAPS is to give each Mac in a fleet a unique password, with all passwords centralized in the MDM console.
EasyLAPS offers two operating logics and is designed to handle a change between the two transparently.
Logic #1 — The password is stored in encrypted form in the MDM and in clear text in a protected local file. EasyLAPS uses the locally stored password as the current password to rotate gracefully to the newly generated one, which is then written to the MDM. The public key used for the encryption is part of the EasyLAPS configuration file. The private key is not present on the device, and access to it must be restricted. This logic fits best when a large number of technicians have access to the MDM console and only those who own a copy of the EasyLAPS-Toolkit with the private key can reveal a rotated password.
Logic #2 — The password is stored in clear text in the MDM and is never stored locally. EasyLAPS reads the password stored in the MDM and uses it as the current password to rotate gracefully to the newly generated one, which is then written to the MDM. This logic fits best when a restricted number of technicians have access to the MDM console and are therefore able to reveal a rotated password.
After the first successful rotation, the new password is visible in the device inventory record: with Jamf Pro, in an Extension Attribute named "EasyLAPS"; with Jamf School, in the field named "Notes".