Monitoring Devices and Admin Accounts with LAPS

The Devices Summary and Recommendations sections in LAPS provide administrators with a unified view of all devices and admin accounts managed under the Local Administrator Password Solution (LAPS). These tools enable IT teams to monitor password rotation activity, review admin account configurations

Devices Summary

The Devices Summary section provides a consolidated view of all devices where LAPS (Local Administrator Password Solution) is applied. Administrators can view device details, filter and sort data, and download reports. To access,

1. Navigate to OneIdP → LAPS in the Scalefusion Dashboard.

2. Click on Devices Summary tab
   

   

How to Use the Devices Summary Page

1. Sorting Devices

• Click the Sort By dropdown at the top of the table.

• Select one of the following options:

  • Device Name (Default): Sorts devices alphabetically by name.

  • Configuration: Sorts devices based on the applied LAPS configuration name.

2. Filtering Devices

• Use the filters at the top of the page to narrow down your view:

  1. Configuration

     • Select a configuration to show only devices where it is applied.

  2. Platform

     • Options: macOS or Windows

  3. Pagination

     • Controls how many devices are displayed per page.

     • Default: 100; Options: 200, 300

  4. Search Filter

     • Enter text to search devices by Name or Serial Number.

     

3. Downloading Reports

• Click the Download Report button.

• Select one of the following options from the dropdown:

  1. Device Summary Report: Downloads a CSV file of all devices matching the current filters.

  2. Activity Logs Report: Downloads a CSV file of LAPS activity logs for filtered devices.

     

4. Viewing Device Details

• The table lists all devices where LAPS is applied, under the following columns:
  

  

  1. Device Name: Shows the registered name of the device.

  2. Serial Number: Shows the device’s serial number.

  3. Configuration: Shows the applied LAPS configuration name.

  4. LAPS Admins: Shows the number of LAPS-admin accounts detected on the device. On clicking the LAPS Admins count, a side panel opens displaying the list of managed admin accounts. When expanded, each card provides detailed information for the selected admin account:

     • Account Type: Indicates the type of admin account. Possible values include:

       • Local Admin – A local administrator account.

       • Global Admin – A globally managed admin account.

       • ADE Admin – An admin account created via Apple Device Enrollment (ADE).

     • UUID / SID: Displays the unique identifier for the account. Shown as UUID for macOS and SID for Windows devices.

     • Current Password: Displays the current LAPS-managed password for the account. If available, the password is hidden by default. Click the eye icon to view it.

       • Displays “N/A” if no password is available.

     • Password History: Displays up to the last 5 previously set passwords (if available).

       • If no history is available, displays “N/A.”

       • Each password record includes:

         • Password: Hidden by default; can be revealed with the eye icon.

         • Password Set At: Timestamp of when the password was last changed.

         • Additional Info: Any extra context, such as the reason for password rotation.

     • IT Admins can use the LAPS Admins View to:

       • Verify which admin accounts are managed by LAPS on a specific device.

       • Review password history for compliance and troubleshooting.

       • Confirm password rotations and changes performed automatically by LAPS.

       

  5. Actions: Quick actions for each device:

     • View OTP: Shows the currently generated Time-based One-Time Password (TOTP) for the device to allow IT Admins to securely view and copy the One-Time Password (OTP) generated for a device managed under LAPS. A progress indicator displays the remaining validity time for the current OTP and a new OTP is automatically generated once the current one expires.
       

       

     • View Logs: This provides a detailed record of all LAPS-related activities performed on a specific device. IT Admins can review, filter, and download logs to track password rotations, usage events, and account maintenance actions. To view the logs,

       • Click View Logs from the Devices Summary page.

       • A fullscreen view opens showing all logged LAPS operations for the selected device.
         

       • Use the filters at the top to narrow down results:

         • Action Type Filter: This filter allows IT Admins to view specific types of LAPS activities performed on a device.

           • All Action Types (Default): Displays every LAPS-related action recorded for the device.

           • Periodic Rotation: Refers to automatic password rotations that occur based on the configured schedule, for example, every 30 days.

           • Usage-Based Rotation: Captures password changes triggered after the password has been used, such as when an admin logs in or performs a remote access action.

           • Password Viewed: Logs events when an admin or authorized user views the current password of a LAPS-managed account.

           • Account Maintenance: Includes activities related to maintaining admin accounts, for instance, when passwords are reset, deleted accounts are recreated, or admin privileges are restored.

         • Result Filter: Allows IT Admins to view LAPS activities based on their outcome.

           • All Results (Default): Displays all LAPS activity logs, regardless of whether the operation was successful or not.

           • Success: Shows only the actions that were completed successfully, for example, when a password rotation or account maintenance task was executed without any issues.

           • Failure: Displays actions that did not complete as expected, such as failed password rotations, account sync errors, or permission-related failures.

         Each log entry displays the following details:

         1. Admin Account: Username of the admin account where the action occurred.

         2. Action Type: Type of LAPS action performed — Periodic Rotation, Usage-Based Rotation, Password Viewed, or Account Maintenance.

         3. Source: Origin of the action, such as GUI Login, Remote Login, Terminal, Auth Window, Just-In-Time, LAPS UI, or LAPS Login UI. Displays N/A if not applicable.

         4. User: Name of the user who performed the action. Displays N/A if unavailable.

         5. Result: Outcome of the action - Success or Failure.

         6. Timestamp: Date and time when the event occurred.

         7. Additional Info: Any extra details captured with the event (e.g., reason for password change).
            

         • Only logs from the selected device are displayed.

         • Logs older than 60 days are automatically deleted.

Recommendations

This section provides a summarized view of the Admin Accounts available on the devices. Following details are available:

1. Name: Displays the Device name.

2. Serial Number: Displays the Device Serial number.

3. Total Users: Displays the total number of users on the device.Monitoring Devices and Admin Accounts with LAPS

4. Total Admins: Displays the total number of Admins on the device.

5. Managed Admins: Displays the number of managed Admins, i.e, Global / ADE admins. Currently we do not have Global admins in macOS so it will be 0 for now.

6. LAPS Configuration: Displays the name of the LAPS configuration applied on the device. If no configuration is applied, it will display NA

7. Actions:

   1. Downgrade Admins (on macOS): Select Admin users to downgrade as Standard user. Clicking this will display the following dialog with list of admin users to be downgraded. Select the users (to be downgraded) by selecting the checkbox and proceed.