How to Setup macOS LAPS (Local Administrator Password Solution) with Intune

Configure Automated Device Enrollment so new Macs get a managed local admin account with a random password stored in Intune

โ† Back to Home
๐Ÿ“… March 31, 2026 | โฑ๏ธ 5 min read | โœ๏ธ By Allester Padovani | ๐Ÿท๏ธ Policy Configuration, macOS

macOS LAPS (Local Administrator Password Solution) in Microsoft Intune lets you provision a local administrator account on Macs during Automated Device Enrollment (ADE). Intune generates a strong, random password, stores it securely, and you can view or rotate it from the Intune admin center. This is useful for break-glass access, support, or scripts that need admin rights. LAPS applies only when devices enroll through an ADE profile. Existing enrollments do not get LAPS until they are re-enrolled with an ADE profile that has LAPS configured. This guide walks through the prerequisites and how to add LAPS to a macOS ADE profile in Intune.

Prerequisites

To use macOS LAPS with Intune you need:

  • macOS 12 or later on the devices.
  • Devices synced to Intune via Apple Business Manager or Apple School Manager.
  • Devices enrolled using a macOS Automated Device Enrollment (ADE) profile. LAPS is configured inside that profile and runs only during the ADE enrollment flow.

Devices that were enrolled before you enabled LAPS (e.g. via Company Portal) will not get the LAPS local admin account unless they are wiped and re-enrolled through an ADE profile that has LAPS turned on.

Creating a macOS enrollment profile in Intune

Create or Edit a macOS ADE Profile

In the Microsoft Intune admin center, go to Devices โ†’ macOS โ†’ Enrollment โ†’ Enrollment program tokens โ†’ Profiles. Click Create profile โ†’ macOS (or open an existing ADE profile to add LAPS). On Basics, give the profile a Name (e.g. โ€œmacOS with LAPSโ€) and click Next.

Naming the macOS enrollment profile

Management Settings

On the Management settings tab, configure how devices enroll. Common choices include:

  • User affinity . Enroll with User Affinity so the device is linked to the user who completes Setup Assistant.
  • Authentication method . E.g. Setup Assistant with modern authentication.
  • Await Final configuration . Set to Yes if you want the device to wait for final configuration from Intune before the user can use it.
  • Locked Enrollment . Set to Yes to prevent removal of the management profile from the device.

Click Next.

Management settings for macOS ADE profile

Setup Assistant

On the Setup Assistant tab, choose which setup screens users see during enrollment (e.g. language, region, account). Adjust as needed for your environment and click Next.

Setup Assistant configuration for macOS enrollment

Account Settings (LAPS)

On the Account settings tab you configure the local accounts created during enrollment, including the one managed by LAPS. You can create both an admin account (LAPS-managed) and a user account (standard user).

For the admin account: enable the option to create a local administrator. Intune will generate a random password (e.g. 15 characters, mixed case, numbers, symbols), store it in Intune, and display it under the deviceโ€™s Password and keys in the admin center. You can set a display name and optionally prefill or restrict editing of the account name.

Account settings for macOS LAPS admin account

For the user account (standard user): configure the account that the primary user will use. You can prefill the account info and restrict editing so the user cannot change the account or full name. These options are separate from the admin (LAPS) account.

User account settings for macOS enrollment Restrict editing vs prefill account info

Click Next, review the profile, then click Create.

Review and create macOS enrollment profile

Assign Devices to the Profile

After the profile is created, assign devices so they use this ADE profile (and thus get LAPS) when they enroll. Open the new profile and under Manage click Assign devices โ†’ Add. Select the devices from the list of synced devices (from Apple Business Manager or Apple School Manager) and click Add, then Save. If a device was previously assigned to another enrollment profile, it will be unassigned from that profile and assigned to this one.

Assigning devices to macOS enrollment profile Selecting devices from Apple Business Manager Saving device assignment to profile

View and Rotate the LAPS Password

Once a device has enrolled with the LAPS-enabled profile, go to Devices โ†’ macOS โ†’ select the device โ†’ Password and keys. You will see the stored local administrator password (and, if configured, the FileVault recovery key). From there you can Rotate local admin password to generate a new password; the new value is stored in Intune after the device reports back. Test rotation in a pilot before relying on it in production.

Viewing password and keys for macOS device in Intune Rotate local admin password option in Intune Audit log for password rotation

Summary

To set up macOS LAPS with Microsoft Intune: ensure devices are macOS 12+, synced via Apple Business Manager or Apple School Manager, and enrolled with an ADE profile. Create or edit a macOS enrollment profile under Devices โ†’ macOS โ†’ Enrollment โ†’ Enrollment program tokens โ†’ Profiles. Configure Basics, Management settings, and Setup Assistant, then on Account settings enable the local admin account (LAPS) and optionally a standard user account with prefill/restrict options. Assign devices to the profile. After enrollment, view or rotate the local admin password under the deviceโ€™s Password and keys. For official requirements and behavior, see macOS LAPS in Microsoft Intune on Microsoft Learn.