joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a random generated password. Similar behavior to LAPS for Windows
MIT License

Does this work without being AD bound? #44

Closed staze closed 4 years ago

staze commented 4 years ago

Will admit I haven't tried this, but looking at a LAPS option for our Macs. Given it sounds like the admin password is stored in the System keychain (so SecureToken works), I'm curious if this will work without the machine being bound to AD.

Apple's stated advice at this point is to NOT bind to AD in most cases, and we've found this solid advice (to prevent split brain situations). We intend to use NoMAD, but it sounds like that won't allow macOSLAPS to write to the computer record (since one won't exist). We'd then want to pull the LAPS password into a Jamf EA (though I'll admit, not sure how you read the system keychain without a local admin password, and unsure how you'd read the new LAPS password if all you have in Jamf is the old one).

Thanks!

joshua-d-miller commented 4 years ago

This would require a restructuring to not use the Open Directory framework and the computer record to write the password to AD. At this point that is not in the plans, but it has been a feature request that I myself have considered since everyone isn't binding like they used to.

staze commented 4 years ago

Totally makes sense. Thanks!