Scenario:
We are not using DEP/ABM at this time.
Macs are brought in and run through Setup Assistant manually, where a single local admin account is created: our "build account".
Techs log in as this user, install AD certs and enroll via QuickAdd.
They then run a Self Service provisioning job which installs the base application stack.
They then bind the device to AD and encrypt it with FV. The FV key is stored in Jamf Pro. This local account is tied to the SecureToken.
Issue:
We now need to change the local account PW on all Macs.
Possibly after that it will need to be changed hourly/daily/weekly/monthly. Unsure as of yet what time frame InfoSec will mandate.
Question:
Has anyone had to do this?
We need to figure out if changing this PW across all of the devices is possible through Jamf natively or through a scripted approach.
If possible, what will the PW change do to the account itself?
If possible, what will the PW change do to the ability for this account to manage its SecureToken job role?
We have combed through posts and feel like we have bits and pieces of answers, but not the whole picture.
Management wants cases opened with Apple and Jamf to clear this up, but we are reaching out here as well, hoping that this has been worked through before.
Thank you.
