Securing your Local Admin account with Password Randomisation

Bart Reardon, CSIRO. Part of XW18.

Creating a known local admin account across all managed devices is a common way to ensure that when the worst happens, you have a way to service a client's Mac.

Whether it's 10 or 1000 devices, though, keeping track of local admin passwords can be problematic. The usual outcome is that all machines have the same account name and the same password. That creates a security problem if the password were ever leaked, and an administrative problem when the password has to be changed on all your managed devices.

Microsoft introduced the concept of the Local Administrator Password Solution, or LAPS, for Active Directory-bound Windows workstations: individual randomised local administrator passwords for each device, stored in a secure location.

This session will explain how LAPS works in general and introduce some open source tools that achieve the same outcome on macOS, for AD environments and other managed systems.

Bart has worked for the CSIRO in their IT department for over 16 years and is based in Canberra.

Bart currently works for CSIRO’s desktop infrastructure team, where he leads development for the Mac and Linux Desktop SOEs and manages 900 macOS workstations using Munki and other open source tools.

He has contributed to the Munki and macOSLAPS open source projects.