Setting up Lithnet LAPS for macOS and Linux

This guide will walk you through the steps to configure the Access Manager service, and the Access Manager agent to support managing the root password for supported macOS and Linux devices.

Step 1: Set up the AMS directory

The Lithnet Access Manager agent uses the Access Manager directory to store passwords for macOS and Linux devices. Follow the steps in the AMS directory setup guide, making sure to enable key-based device registration.

Step 2: Configure Lithnet LAPS for the Access Manager directory

Next, configure Lithnet LAPS for the AMS directory. This process will configure the encryption certificate for the service, and set up the password policies required.

Step 3: Create a registration key

From the Directories/Access Manager directory/Registration keys page, create a new registration key that will be used for agent installations.

Step 4: Install the Access Manager Agent

Following agent installation guide for your operating system, providing the AMS server name and registration key when prompted.

The installation guides provide command lines for silently installing the package, which can be used with automated deployment tools such as puppet and Jamf. Configuring these deployment tools is out of scope for this guide.

Step 5: Validate agent installation

From the Directory configuration/Access Manger Directory/Devices page, ensure that the devices you installed the agent have appeared in the device list. If you configured your registration key to require manual approval, you must approve the devices before they can be accessed.

Step 6: Assign access

Once the agent is deployed, and the policy configured, you can now configure access to individual users and groups using the AMS configuration tool.

From the Authorization rules/Computers page, select Add... to create a new rule. Select either the group or computer you want to grant access to. Access Manager provides some built-in groups, but you can create your own from the groups page.

Select Edit Permissions... to open the ACL editor. Assign the appropriate users and groups permission to read the local admin password.

For macOS and Linux devices, only the `Local admin password` and `Local admin password history` permissions are valid.

You can optionally choose to expire the local admin password a period of time after it has been accessed. This will cause the Access Manager Agent to generate a new password after its next check-in time.

If you'd like to be notified when someone accesses a LAPS password, select the notification channels you'd like to send to for success and failure events.

Step 7: Validate access

Log in to the Access Manager web app as an authorized user, and request access to the password for a computer. If you have performed the steps correctly, you should be able to see the machine's root password.

PreviousSetting up Lithnet LAPS for domain-joined devices NextSetting up Lithnet LAPS for standalone Windows devices

Last updated 2 years ago

Was this helpful?