How to configure LAPS for MacOS in Microsoft Intune

-
The July 2025 update to Microsoft Intune introduces an intriguing new feature: The Local Administrator Password Solution (LAPS) for macOS. (What’s new in Microsoft Intune: July 2025 - Microsoft Intune Blog)




Below, I'll go through all the prerequisites and actions you'll need to activate this option in Microsoft Intune.

🛠️Prerequisites

  • MacOS version 12 or later
  • Devices must be synced with Apple Business Manager or Apple School Manager
  • Enrollment must use Automated Device Enrollment (ADE) via Intune
  • Admin must have appropriate RBAC permissions in Intune to view or rotate password
    • Category: Enrollment programs
      • Set Rotate macOS admin password to Yes
      • Set View macOS admin password to Yes

📋 Step-by-Step Configuration Guide

1. Create an ADE Enrollment Profile

  • Go to Microsoft Intune Admin Center
  • Navigate to: Devices > macOS > Enrollment > Enrollment Program Tokens
  • Select your token and create a new ADE profile
  • Enable "Create a local admin account" and configure password settings

2. Enable macOS LAPS Settings

  • In the ADE profile, configure:
    • Local Admin Account: Enable creation
    • Password Rotation: Set to rotate every 6 months (default)
    • Password Complexity: Intune generates a 15-character password with uppercase, lowercase, numbers, and symbols

3. Assign the ADE Profile to Devices

  • Assign the profile to devices synced from Apple Business/School Manager
  • Devices must be newly enrolled or re-enrolled to apply LAPS settings

4. Monitor and Manage Passwords

  • After enrollment, go to Devices > macOS > Device Name
  • Under Local Admin Account, view or manually rotate the password
    • Only users with proper RBAC roles can access this information

Popular posts from this blog

How to reset computer in OOBE mode

-
Image
When you receive a new computer, it may contain various applications that are useless in a business context. To solve this problem and start with a clean PC, it may be interesting to reset it.  Here is two procedures that can be performed in OOBE mode Manual process Click CTRL + Shift + F3 , your computer restart. The Windows session is automatically opened Go to Start Menu \ Parameters \ Update & Security \ Recovery and click on Get Started Select Remove everything Select Local reinstall Click Next Click Reset Your computer restarts and proceeds to a complete reinstallation. With Command Line Click  Shift + F10 , your computer restart. Used this command line : systemreset -factoryreset Select Remove everything Select Remove files and clean the drive Click Reset Your computer restarts and proceeds to a complete reinstallation.
Read more »

How to implement Applocker with Microsoft Intune

-
Image
Applocker is tool included in Windows 10 and 11. It permit to set up policies or rules for allow or deny apps from running on your device.  We can create Applocker rules for below file types:  EXE files : .exe and .com Windows Installer files : .msi, mst, and .msp Scripts : .ps1, .bat, .cmd, .vbs, and .js DLLs : .dll and .ocx Packaged apps and packaged app installers : .appx and .msix. Sources :  https://learn.microsoft.com/fr-fr/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections The Applocker solution purpose a multiple possibilities for secure your device. We have possibilities to block or allow apps. By default, it is recommended to allow all applications and add a custom rules for a scpecific application. Prérequisites for used Applocker Device with Windows 10 or 11 for prepare the Applocker rules Application Identity service enabled Enable Applocker For create an Applocker policy, you need t...
Read more »

Rename devices with PowerShell and Microsoft Intune

-
Image
Renaming a device manually is quick and easy when we only have one device to fix. But when it comes to doing a large number of devices, then it is better to automate this action. Today, there is the method via CSP but which can have a rather random behavior, in particular on the reporting, console side. I therefore share with you a PowerShell script which, deployed with Microsoft Intune, will allow you to quickly rename your machines. Script overview This script detects the type of device used:  If it's a virtual machine , it takes the defined prefix  (CCMT in my example)  and adds a numeric complement generated with Get-Random command For physical machines , it retrieves the serial number and adds the prefix  (CCMT in my example) The user is informed that his device has received changes and that it will restart automatically in a few minutes. The script is available on Github :  Link Script integration & deployment Prerequisites The prerequisites are: Conve...
Read more »