
How to Set Up LAPS for macOS Devices with Microsoft Intune  

Topics: Intune

Microsoft Intune now supports macOS LAPS, so you can manage local admin passwords for macOS devices directly in Intune. Many of us have been waiting for this feature—it’s great to see it finally here. If your macOS users are local admins today, stick around. We’ll convert those users to standard and create a dedicated local admin account with a unique, random password that IT manages. 

In this step-by-step guide, we’ll set up macOS LAPS and reduce unnecessary admin rights. First, a quick look at capabilities and prerequisites. 

LAPS for macOS Current Capabilities 

macOS LAPS securely stores randomized, encrypted local admin passwords in Microsoft Intune. It assigns unique passwords to a designated local admin account. LAPS supports a zero trust approach: remove everyday admin rights while keeping a controlled path to local elevation when needed. 

Today, macOS LAPS applies only to devices newly enrolled through Automated Device Enrollment (ADE). It’s a strong strategy for new macOS devices joining Intune. 

After enrollment, Intune rotates the LAPS-managed password every six months. Admins can also rotate it on demand. Intune generates a 15-character password using upper- and lowercase letters, numbers, and symbols. You can’t change this format today. 

Now let’s go over some of the requirements we’ll need to cover before we can set this up.  

Prerequisites 

  • macOS 12 or later  
  • Devices must be assigned in Apple Business Manager (or Apple School Manager) and synced to Intune 
  • Devices must enroll through a macOS Automated Device Enrollment profile 

With that covered, let’s set this up in Microsoft Intune. 

Create the Automated Device Enrollment (ADE) Profile 

Go to Microsoft Intune > Devices > Device onboarding > Apple > Enrollment program tokens

macOS LAPS - Enrollment Program Tokens

Select your token

Select + Create profile > macOS

macOS LAPS - Create Profile

Enter a Name and Description. Select Next

In Management settings, choose the options that fit your org. For this demo, we’ll use the following. Select Next when finished. 

Affinity & Authentication Method  

User affinity: Enroll with User Affinity  

Authentication Method: Setup Assistant with modern authentication 

Configure Management Settings 

Await final configuration: Yes  

Locked Enrollment: Yes  

Note: Locked enrollment prevents users from unenrolling devices from Intune, so you can set it to “No” if you’re just testing.  

macOS LAPS - Management Settings

On Setup Assistant, enter Department and Department phone. Choose which setup items to show or hide. Select Next

On Account settings, choose whether to create a local administrator account. For this guide, select Yes
 
Enter the admin Username (default is admin). You can also use supported variables. 

Enter the Full name (default is admin). 

Choose whether to hide the admin account in the login window and Users & Groups. For this demo, select Not configured

Hide in Users & Groups: Not configured

macOS LAPS - Account Settings

In Local user account, define the account created for the enrolling user. 

Set Create a local primary account to Yes to control its permissions and naming. 

For Account type, choose Standard

Set Prefill account info to Yes. Using {{partialupn}} creates the account name from the user’s email (e.g., john.smith@contoso.com → john.smith). 

Set Primary account full name to {{username}} (e.g., john smith). 

Finally, set Restrict editing to Yes so users can’t change their username. 

That completes the configuration. Select Next, then Create.  

Assign the Enrollment Profile to Devices 

Next, assign a macOS device to the new enrollment profile.  

Go to Enrollment Program Tokens.  

Select your token > Devices. Search for the device, then choose Assign enrollment profile and select your macOS LAPS profile. 
 

macOS LAPS - Enrollment Profile

End-User Experience  

IT Admin Experience 

You can view the local administrator account and its password in Microsoft Intune from the device that received the policy.  

Go to Devices > macOS. 

Select the device > Passwords and keys. 

Select Show local admin account password to reveal the credentials.  

macOS LAPS - Recovery Key

To rotate the password on demand: open the device Overview, select the More actions (⋯) menu, then choose Rotate local admin password. 

Wrap-up and Next Steps 

With macOS LAPS in Intune, we can remove everyday admin rights, keep a controlled path for elevation, and rotate local admin passwords on a schedule. We covered prerequisites, creating the ADE profile, configuring local and primary accounts, and where to view or rotate credentials. 

Next steps: 

  • Pilot with a small set of new ADE-enrolled Macs and validate the flow end to end. 
  • Document the help desk process for password retrieval/rotation and lock down RBAC access. 
  • Monitor rotation events and device compliance; add alerts where needed. 
  • Plan migration for existing Macs (re-enroll via ADE or move during hardware refresh) and notify users about the change. 
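As an added post-enrollment check for the pilot step (not part of the original post or of Microsoft’s tooling), the following script, run in Terminal on a pilot Mac, confirms the account layout the profile above is meant to produce: the {{partialupn}}-named primary account is Standard and only the dedicated admin account holds local admin rights. It assumes the admin account keeps the default name admin; when not run on macOS it falls back to a constructed sample of dscl output.

```shell
#!/bin/sh
# Added post-enrollment check; not code from the original post or from Microsoft.
# Confirms that the ADE-created primary account is Standard and that the
# dedicated LAPS admin account is the one holding local admin rights.
# Assumptions: the LAPS admin is named "admin" (the profile default) and the
# primary account name is derived from the UPN the way {{partialupn}} does.

# Derive the local account name from a UPN like {{partialupn}} does
# (everything before the "@"): john.smith@contoso.com -> john.smith
partial_upn() {
    printf '%s\n' "$1" | cut -d@ -f1
}

# Return 0 if USER is listed in a "GroupMembership: a b c" line, else 1.
# Takes the line as an argument so it can be tested with constructed input.
in_admin_group() {
    line=$1; user=$2
    for member in ${line#GroupMembership:}; do
        [ "$member" = "$user" ] && return 0
    done
    return 1
}

# Read the admin group's members from Directory Services (macOS only).
admin_group_members() {
    dscl . -read /Groups/admin GroupMembership
}

# Print a verdict per account; return 0 only when the LAPS admin is in the
# admin group AND the primary user is not.
check_laps_layout() {
    members=$1; laps_admin=$2; primary=$(partial_upn "$3"); status=0
    if in_admin_group "$members" "$laps_admin"; then
        echo "OK   LAPS admin '$laps_admin' is a local admin"
    else
        echo "FAIL LAPS admin '$laps_admin' is not in the admin group"; status=1
    fi
    if in_admin_group "$members" "$primary"; then
        echo "FAIL primary account '$primary' still has admin rights"; status=1
    else
        echo "OK   primary account '$primary' is a standard user"
    fi
    return $status
}

# Constructed sample resembling dscl output on a correctly enrolled Mac.
SAMPLE='GroupMembership: root admin'
if [ "$(uname)" = Darwin ]; then LINE=$(admin_group_members); else LINE=$SAMPLE; fi
check_laps_layout "$LINE" admin "john.smith@contoso.com"
```

A non-zero exit means the device does not match the intended layout and should be investigated before the profile is rolled out more widely.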
