Addigy Managed Admin (LAPS) via OS Users
Addigy Managed Admin accounts deployed via OS Users are Addigy's Local Admin Password Solution (LAPS): each end-user Mac gets a local administrator account with a unique, randomized password that rotates on a schedule, so an IT technician still has an administrator account available on every device without a single static password shared across the fleet.
Please note that Addigy's Managed Admin (LAPS) feature is not compatible with AD-bound macOS devices. On an AD-bound Mac the Managed Admin user will not be visible in GoLive, because the OS creates users as mobile/network accounts.
Deploying a Managed Admin Account
- Navigate to Catalog -> OS Users -> New
- Select Managed Admin from the Type dropdown
- Configure the desired Full Name, Account Name, and Rotation Cadence (chosen from the dropdown)
- Save the account values
- Add this OS User to a policy and deploy
Once deployed, the OS user has a unique password on each device, rotated on the cadence set in the OS User: after the cadence period passes, the backend service marks the account for rotation, and the new password is applied when the device next checks in for its audit run.
Note: A Managed Admin OS User cannot be changed/demoted to a regular admin once saved and deployed.
Viewing and rotating the per-device password for an Addigy Managed Admin
Once a policy containing the Managed Admin account (scoped through the policy's OS Users) has deployed, the per-device password can be viewed on that device's GoLive page.
- Navigate to the desired device's GoLive page
- Under the Users tab, find the account that carries the Managed Admin tag
- Click the … to the right of the desired Managed Admin account under Actions
- To view the password, choose View Password. The account Username, Full Name, and Password items will appear. To see the unique per-device password, click the Show link to the right of the redacted password in the View Password modal. Once the password has been viewed, it is rotated automatically after at least one hour.
- To rotate the password or see when it was last changed, select Rotate Password from the same actions dropdown. The Rotate Password modal shows the rotation cadence for that user and when the password was last rotated. To rotate on demand, choose Rotate Now in the lower right of the modal.
Audit password changes
The Dashboard > Events page shows when a password is manually rotated and when an Addigy user views a password in the Addigy portal. These specific events do not appear in GoLive > Events.
Addigy also logs when a LAPS account is created, both in GoLive and in Dashboard > Events.
FAQ
- Does the Managed Admin have a Secure Token?
- Yes, but only after a login on an already unlocked disk, and only if the Bootstrap Token is escrowed (this happens automatically upon Addigy MDM enrollment). If the disk was unlocked with a FileVault 2 bypass code or by another FileVault-enabled user, the Managed Admin then holds a Secure Token for the remainder of that rotation cadence, until the next password rotation.
- Will rotating the password break Secure Token?
- Yes. If the password is rotated, manually or automatically, the Secure Token is broken until another login is performed at the regular macOS login window; that login restores it as long as the Bootstrap Token is escrowed (escrowed automatically upon Addigy MDM enrollment).
- When is the Managed Admin user created around ADE (Automated Device Enrollment)?
- The Managed Admin is made after ADE completes and the Addigy binary is installed on the device.
- Can I overwrite a pre-existing user, like the ADE user, with a Managed Admin?
- Yes, as long as the user information (other than the password) matches the pre-existing user. Deploying a Managed Admin, or any OS User, over an already existing user breaks Secure Token. Secure Token can be re-obtained by performing a login at the standard macOS login window, as long as the Bootstrap Token is escrowed (which is escrowed automatically upon Addigy MDM enrollment).
- Are there reporting events for when a password is shown?
- Yes, see the above section titled Audit password changes
- What happens if I reveal a password while a device is offline?
- The password is automatically rotated 1 hour after it is revealed. If the device is offline when the password is revealed, that rotation cannot take place and the Addigy GUI will not show a new password; the revealed password remains valid on the device until it comes back online, at which point the password rotates and the GUI updates.
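The Secure Token answers above all hinge on two device-side facts: whether the Managed Admin account currently holds a Secure Token, and whether the Bootstrap Token is escrowed. The following script is an added example for checking both from the Mac itself; it is not Addigy's code. It uses the Apple tools `sysadminctl -secureTokenStatus` and `profiles status -type bootstraptoken`, parses their output with pure shell so the parsing can be exercised on any system, and only invokes the live tools on macOS. The account name `addigyadmin`, the sample tool output and the exact output wording are assumptions.

```shell
#!/bin/sh
# Added example (not Addigy's code): report whether a Managed Admin account holds a
# Secure Token and whether the Bootstrap Token is escrowed, the two conditions the
# FAQ ties together. Run with sudo on the Mac; pass the account name as $1.

MANAGED_ADMIN="${1:-addigyadmin}"   # hypothetical account name; replace with yours

# Parse the single line `sysadminctl -secureTokenStatus <user>` prints (to stderr).
# Assumed format: "... Secure token is ENABLED for user <Full Name>".
secure_token_state() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Parse `profiles status -type bootstraptoken`; return the value of the
# "Bootstrap Token escrowed to server: YES/NO" line, or UNKNOWN if absent.
bootstrap_escrowed() {
  printf '%s\n' "$1" | awk -F': ' '
    /escrowed to server/ { print $NF; found = 1 }
    END { if (!found) print "UNKNOWN" }'
}

# Combine the two states into the guidance the FAQ gives.
verdict() {
  st="$1"; bt="$2"
  if [ "$st" = ENABLED ]; then
    echo "OK: account holds a Secure Token"
  elif [ "$bt" = YES ]; then
    echo "NO TOKEN: a login at the macOS login window will restore it (Bootstrap Token escrowed)"
  else
    echo "NO TOKEN and Bootstrap Token not escrowed: a login alone will not restore it"
  fi
}

# Live check only where the tools exist (macOS). Set LAPS_CHECK_NO_RUN to skip it.
if [ "$(uname)" = Darwin ] && [ -z "$LAPS_CHECK_NO_RUN" ]; then
  st=$(secure_token_state "$(sysadminctl -secureTokenStatus "$MANAGED_ADMIN" 2>&1)")
  bt=$(bootstrap_escrowed "$(profiles status -type bootstraptoken 2>&1)")
  echo "$MANAGED_ADMIN: secure token $st, bootstrap token escrowed: $bt"
  verdict "$st" "$bt"
fi
```

Run it right after a password rotation and again after logging the account in at the login window; the first run should report NO TOKEN and the second OK, which matches the behaviour described in the FAQ. A DISABLED result with the Bootstrap Token not escrowed is the case to escalate, since no login will repair it.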