joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows.
MIT License
382 stars 57 forks

Add "Initial roll" flag #88

Open staze opened 1 year ago

staze commented 1 year ago

With the "firstPass" flag, it would be great if we could have a way to provide the first pass, but not immediately roll the password. So -firstPass initializes LAPS, but then it still waits the 14 days (or a manual trigger) to do the roll.

So basically, machine is set up, macOSLAPS installed, config profile is scoped that says 14 days (in our case) and all that, then a command is run that is just /usr/local/laps/macOSLAPS -firstPass "blah" -stage (or something) that would initialize macOSLAPS to roll in the 14 days specified in the config profile, rather than the current (I assume) behavior of saying /usr/local/laps/macOSLAPS -firstPass "blah", which immediately rolls the password to something new.

joshua-d-miller commented 1 year ago

Hello @staze,

This might be something we could do, as honestly we just need to store the current password in the macOS System Keychain. I'll take a look and let you know.

Thanks!

joshua-d-miller commented 5 months ago

So one thing you could probably do, if you wanted to keep the first password on the device for a time, is use this example in, say, Jamf Pro: