Introduction and LAPS Configuration
  • 07 Nov 2025

Article summary

OneIdP’s LAPS feature automatically manages and rotates local administrator passwords across managed devices, ensuring each device has a unique, secure credential while giving IT admins centralized control and visibility from the Scalefusion Dashboard.

LAPS eliminates the risks of shared credentials, enhances endpoint security, and supports compliance with organizational and regulatory standards. Administrators can easily configure LAPS policies, monitor password activity, and retrieve credentials when needed—all through the Scalefusion Dashboard.

Benefits

  1. Strengthens device and account security by preventing shared or reused local admin credentials.

  2. Reduces manual effort with fully automated password generation and rotation.

  3. Meets compliance and audit requirements with detailed activity tracking.

  4. Integrates with Scalefusion’s Zero-Trust and Identity Management framework for enhanced security.

Overview and Key Features of Scalefusion LAPS

  • Automatic Password Rotation: Scalefusion LAPS regularly creates a random, complex password for the Managed Admins Accounts and any other configured Admin accounts on each enrolled device.

  • Secure Storage: The password is securely stored in the Scalefusion Dashboard and encrypted during transmission and storage.

  • Controlled Access: Only authorized IT admins can view or retrieve passwords from the Dashboard when needed.

  • Policy-Based Management: Admins can configure password settings such as rotation interval, complexity, and storage method through Scalefusion policies.

How It Works

The following steps outline how the LAPS feature functions within Scalefusion:

  1. Create a LAPS Configuration: Go to the LAPS Configuration tab in the Scalefusion Dashboard and create a new configuration. Configure the following parameters as needed:

    1. LAPS Scope: Define the administrator accounts for password management.

    2. Rotation Settings: Set the password rotation interval and complexity requirements.

    3. Password Reset Settings: Configure reset behavior and related options.

  2. Publish the Configuration: After creating the configuration, publish it to the relevant Device Profiles. This ensures that the defined LAPS policy is applied to all associated devices.

  3. Access on Devices: On devices, open the LAPS tab in the Scalefusion MDM Agent. Enter the One-Time Password (OTP) retrieved from the Device Summary section of the Dashboard to securely view the admin account password on the device.

  4. Recommendations: The Recommendations section provides an overview of administrator accounts across devices and offers guidance for optimal configuration and security management.

  5. Device Summary: The Device Summary section displays device-specific details, including the current password status, last rotation time, and access history for audit purposes.

Supported Platforms

  • Windows 10/11 (Home, Professional, Enterprise, Education)

  • macOS

Important Points to Note

Windows LAPS

  1. Exclusion of Scalefusion-Created Admin Accounts: Administrator accounts created by Scalefusion, such as “Scalefusion1ID”, and accounts generated during EXE-based deployment are excluded from LAPS password management.

  2. Exclusion of Keycard-Created Admin Accounts: Admin accounts created through Keycard, corresponding to the logged-in user’s email, are also not managed by LAPS.

  3. LAPS Applies Only to Local Administrator Accounts: LAPS manages and rotates passwords only for local administrator accounts. Any Domain Admin or Azure AD account that is added to the local Administrators group will be excluded from LAPS password rotation.

  4. Impact on Other Credential Mechanisms
    When a password rotation occurs, any alternative authentication methods—such as PIN or Fingerprint login—will become invalid. These credential mechanisms must be reconfigured using the new password after rotation.

macOS

  1. Works for Global and ADE admins

  2. Managed local accounts (Keycard login accounts) are excluded from the LAPS scope and will not be managed or rotated by LAPS.

Pre-requisites

  1. Your account should have access to the LAPS feature.

  2. Scalefusion MDM Agent versions:

    1. Windows: v16.6.0 or above

    2. macOS: v5.1.10 (495) & above

Creating LAPS Configuration in Scalefusion

Follow the steps below to create a new Local Administrator Password Solution (LAPS) configuration in the Scalefusion Dashboard.

  1. Navigate to OneIdP → LAPS in the Scalefusion Dashboard.

  2. Under the LAPS Configuration tab, click Create New Configuration to add a new LAPS setup.

  3. When the LAPS Configuration window opens, fill out the following fields:

    1. Configuration Name: Enter a name for the configuration in the text field (5 to 64 characters).

    2. Use the left-hand navigation bar to configure the different aspects of LAPS, then click Save Configuration. The sections are:

      • LAPS Scope: Defines which admin accounts are managed by LAPS.

      • Rotation Settings: Configure password rotation frequency and complexity.

      • Password Reset Settings (on macOS): Manage password reset behavior and automation options.

LAPS Scope

Under LAPS Scope, you can define which accounts are included in LAPS management.

Account Type Options

  1. Managed Admin Accounts: These are administrator accounts created and managed directly through Scalefusion:

    • Windows: Admin accounts created from the Utilities section in the Scalefusion Dashboard.

    • macOS: Global Admin and ADE Admin accounts configured via Scalefusion.

  2. Other Accounts: If Other Accounts is selected, additional configuration options appear:

    1. Auto-Discovered Admin Accounts: LAPS is applied to every admin account discovered on the device except the accounts you add to this exception list. Click New user to add local users to the list.

      If no admin accounts are specified under Auto-Discovered Accounts, the LAPS configuration automatically applies to all existing admin accounts on the device.

    2. Specified Accounts: Add the specific user accounts to be included under LAPS management. LAPS is not applied to any user other than the ones specified here. Click New user to add local users.

      Note: Custom properties can also be used to configure the local user short name.
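To make the scope rules above concrete, here is an added example (not Scalefusion's code) that models which members of a device's local Administrators group end up under LAPS management. The `kind` labels, the `LapsScope` field names and the sample account list are constructed for the illustration; the rules themselves follow the page: only local accounts are eligible, Scalefusion1ID, Keycard-created and EXE-deployment accounts are always excluded, Managed Admin Accounts are the Scalefusion-created admins, and under Other Accounts a non-empty Specified Accounts list wins, otherwise every discovered admin is in scope except the exception list.

```python
"""Model of the LAPS Scope rules (illustrative, not Scalefusion's implementation)."""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass(frozen=True)
class LocalAdmin:
    """A member of the device's local Administrators group.

    kind (constructed label for this example):
      "managed"  - created through Scalefusion (Windows Utilities, macOS Global/ADE admin)
      "excluded" - Scalefusion1ID, Keycard-created or EXE-deployment accounts
      "local"    - any other local administrator
      "domain"   - Domain Admin / Azure AD account added to the local group
    """
    name: str
    kind: str = "local"


@dataclass
class LapsScope:
    """Account Type Options from the LAPS Scope section (field names assumed)."""
    managed_admin_accounts: bool = True
    other_accounts: bool = False
    auto_discovered_exceptions: Set[str] = field(default_factory=set)  # exception list
    specified_accounts: Set[str] = field(default_factory=set)          # allow-list


def resolve_scope(admins: List[LocalAdmin], scope: LapsScope) -> Set[str]:
    """Return the account names LAPS would manage on this device."""
    managed: Set[str] = set()
    for admin in admins:
        # Domain/Azure AD members and the always-excluded accounts are never rotated.
        if admin.kind in ("domain", "excluded"):
            continue
        # Scalefusion-created admins are governed by the Managed Admin Accounts option.
        if admin.kind == "managed":
            if scope.managed_admin_accounts:
                managed.add(admin.name)
            continue
        # Everything else is only considered when Other Accounts is selected.
        if not scope.other_accounts:
            continue
        if scope.specified_accounts:
            # Specified Accounts: nobody outside this list is managed.
            if admin.name in scope.specified_accounts:
                managed.add(admin.name)
        elif admin.name not in scope.auto_discovered_exceptions:
            # Auto-Discovered: all admins except the exception list
            # (an empty list means every existing admin account).
            managed.add(admin.name)
    return managed


# Constructed sample: one device's local Administrators group.
SAMPLE_ADMINS = [
    LocalAdmin("sfadmin", "managed"),
    LocalAdmin("Scalefusion1ID", "excluded"),
    LocalAdmin("jdoe"),
    LocalAdmin("helpdesk"),
    LocalAdmin("CORP\\svc-ops", "domain"),
]

if __name__ == "__main__":
    print(resolve_scope(SAMPLE_ADMINS, LapsScope()))
    print(resolve_scope(SAMPLE_ADMINS, LapsScope(other_accounts=True)))
    print(resolve_scope(SAMPLE_ADMINS, LapsScope(other_accounts=True,
                                                 auto_discovered_exceptions={"helpdesk"})))
    print(resolve_scope(SAMPLE_ADMINS, LapsScope(other_accounts=True,
                                                 specified_accounts={"helpdesk"})))
```

The four calls at the bottom walk through the four combinations an administrator can pick: managed admins only, all discovered admins, discovered admins minus an exception, and an explicit allow-list. The domain account and Scalefusion1ID never appear in the result, which is the point of the exclusions listed under Important Points to Note.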

Configure Admin Account Maintenance

Define how Scalefusion should monitor and maintain LAPS-managed admin accounts. Select the desired actions below (all unchecked by default):

  • Reset Password if changed: Automatically resets the password if it is modified outside of LAPS.

  • Create account if deleted: Recreates the admin account if it is deleted.

  • Revert to admin account if downgraded to standard: Restores admin privileges if the account is downgraded.

  • Revert to original name if account is renamed (on Windows): Renames the account back to its original name if changed.

Rotation Settings

The Rotation Settings let administrators define how passwords for LAPS-managed admin accounts are generated, how complex they must be, how frequently they are rotated, and which action follows a rotation. Each setting is listed below with its default and its allowed range or options.

Configure Password Complexity: Define password generation rules for LAPS-managed accounts. If the organization’s password policy differs, it overrides these settings.

  • Password Length: Specify the total number of characters in each generated password. Default: 8. Range: 8–16 characters.

  • Enforce Complex Password: When enabled, passwords include a mix of uppercase, lowercase, numbers, and special characters. Default: ON. Options: ON / OFF.

  • Number of Special Characters: Set how many special characters are included in generated passwords. Default: 2. Range: 1–4.

  • Password Rotation Frequency: Define how often passwords are automatically rotated on each managed device. Default: 30 days. Range: 1–365 days.

  • Rotation Duration After Password Use: Determine how long a password remains valid after being accessed or used. Default: 5 minutes. Range: 1–1440 minutes (1 day).

  • Post-Rotation Action: Choose what action should occur immediately after a password rotation. Default: No Action. Options: No Action, Restart Device, Logout User.

  • Allow User to View Password in Just-In-Time Admin Self-Service (for macOS): Allow users (standard and admin) to temporarily view and use admin passwords from the Just-In-Time Admin section. All activities are logged for auditing. Default: OFF. Options: ON / OFF.

Password Reset Settings

The Password Reset Settings allow administrators to define how password resets are handled for LAPS-managed admin accounts on macOS devices. An administrator may enable password reset for macOS devices when:

  • The local admin password stored on the device is out of sync with the Scalefusion Agent.

  • The admin account credentials have been manually changed or corrupted.

  • Routine account maintenance or security audits require a password refresh.

Configuration Details

  • Enable Password Reset: Turn this on to allow the system to reset the local admin password if the Agent does not have the current password.

    Important Note

    • Resetting the password will also reset the login keychain.

    • Any passwords not synced with the iCloud account will be permanently lost.

  • Prompt Message: Users will be prompted to enter their credentials to reset the password. Enter a message to display in the password reset prompt.

Apply LAPS Configuration to Devices

Once you have saved the configuration:

  1. The configuration with related details will appear under LAPS Configuration tab on Dashboard.

  2. Assign the LAPS policy to device profiles by clicking on Publish icon.

  3. The new LAPS settings will apply to the selected device profiles.

Managing LAPS Configurations

You can also perform additional actions such as edit, delete, or unpublish existing configurations from the Actions column.

  • Edit: Opens the LAPS configuration in edit mode, allowing administrators to modify existing settings. Any changes made can be saved and applied to associated device profiles.

  • Delete: Permanently removes a LAPS configuration from the Scalefusion Dashboard. You will be prompted to enter your Admin password for verification.

    Important: Before deleting the device from the Dashboard, make sure to note down or securely export the passwords of all admin accounts managed under LAPS. Once the device is deleted, these passwords will no longer be accessible from the Dashboard.

  • Unpublish: Removes the configuration from all device profiles where it is currently applied, without deleting it.

Deleting a configuration also unpublishes it from all associated profiles.

Next Steps

Once you have applied the configuration:

  1. The new or updated LAPS settings will apply to the selected device profiles.

  2. You can monitor account and password rotation activity from the Scalefusion Dashboard under:

    1. Devices Summary

    2. Recommendations

    3. Device Details → Full Device Information.

  3. Retrieve Admin Password (When needed)

    1. In the Scalefusion Dashboard, navigate to Devices > [Device Name] > UAM > User Accounts > Actions > User Details

    2. Authorized users can securely view or copy the current password (all actions are logged).

LAPS on Device

Accessing the LAPS Section (Windows)

  1. Open the Scalefusion Agent on your device. From the left-hand menu, select LAPS.

  2. The LAPS screen will appear with a prompt to authenticate access.

  3. Enter the 6-digit One-Time Password (OTP) displayed on the Scalefusion Dashboard (Device Summary section).

  4. Click View Credentials to proceed.

  5. The Scalefusion Agent will validate the OTP. If the OTP is valid, the system will prompt you to select the admin account whose credentials you wish to view. Choose the admin account from the list displayed.

    • The list includes all LAPS-managed admin accounts configured on the device.

  6. Click OK to confirm your selection.

Viewing Admin Credentials

After selecting the admin account, a confirmation window appears displaying the following details:

  • Full Name: The name of the admin account.

  • Username: The username associated with the admin account.

  • Password: The current LAPS-managed password for the account.

The password is automatically copied to your clipboard.
The alert will close automatically after 10 seconds.

Accessing the LAPS Section (macOS)

  1. Open the Scalefusion MDM Client (agent app for macOS) on your device. From the left-hand menu, select LAPS.

  2. The LAPS screen will appear with a prompt to authenticate access.

  3. Enter the 6-digit One-Time Password (OTP) displayed on the Scalefusion Dashboard (Device Summary section).

  4. The Scalefusion Agent will validate the OTP. If the OTP is valid, the system will prompt you to select the admin account whose credentials you wish to view. Choose the admin account from the list displayed.

    • The list includes all LAPS-managed admin accounts configured on the device.

  5. Click OK to confirm your selection.

Viewing Admin Credentials

After selecting the admin account, a confirmation window appears displaying the following details:

  • Full Name: The name of the admin account.

  • Username: The username associated with the admin account.

  • Password: The current LAPS-managed password for the account.

The password is automatically copied to your clipboard.
The alert will close automatically after 10 seconds.

How can users view admin passwords through Just-In-Time Admin Self-Service?

  1. Open the Scalefusion Agent on managed macOS device and navigate to the Just-In-Time Admin section.

  2. Click on View Admin Password and enter the 6-digit OTP displayed in the Scalefusion Dashboard → Device Summary.

  3. Upon successful OTP verification, select the required admin account from the list.

  4. The admin credentials (Full Name, Username, Password) are displayed briefly and the password is automatically copied to the clipboard.

  5. The password view is time-limited, and all credential access events are securely logged in the Scalefusion Dashboard.
