Skip to main content
Solved

Reset Management Account Password Remotely

  • July 15, 2014
  • 6 replies
  • 99 views
C
Forum|alt.badge.img+8

Hello all,

Thanks in advance for any help with this issue.

A user with administrator rights changed our local management account password on a Macbook Air. I have it straightened out by using that user's account to reset the management account password to what it should be. However, in the future I would like to have this problem taken care of remotely.

My first thought was to use Casper Remote to reset the password, but it turns out it can't connect because it no longer has the password for the local management account it connects to via SSH. Then I thought to try creating a policy to execute that will reset the password, but it fails with "Error: This is the Remote Management Account for this computer. Please reset the password using the SSH Account section." when I use "sudo jamf policy".

Now I have two questions:
1. What can I do to remotely reset the local management account password without knowing what that password is, whether I can do it right now or if I need to do something different with future deployments?
2. Is the local management account setting stored in the JSS somewhere or does it use whatever account is used to add it to the JSS using QuickAdd.pkg?

I have noticed there is a startup script section in the web interface, but it looks limited and doesn't seem capable of the same things a policy is. I guess my thought was to have the password reset to what it should be every time the computer is powered on somehow, if we can't access it remotely in any way.

Thanks again,
Cameron

Best answer by charliwest

I would have a hidden user as the management account, then the local admin account can be reset by the management account. For example jssadmin is the management account for casper suite, administrator is the local admin account that all it admins can get into if the user forgets their password or we need to install things, does that make sense?

    6 replies

    daz_wallace
    Forum|alt.badge.img+13
    • daz_wallace
    • Contributor
    • July 16, 2014

    Hi cpdecker,

    I'm not sure if it will help or not, but I have a manual policy on check-in and custom trigger scoped just to the affected Macs. This policy resets the Management password and runs a Recon to ensure the 'new' password is in the JSS.

    Ok, Casper recon cannot issue a command, but the client can still phone in for instructions. Or if you're in front of the device, with admin rights, run a 

    sudo jamf policy -trigger [custom trigger here]

    after you've added the affected Macs to the policy.

    Hope that helps / makes sense. Just having my first coffee!

    Darren

    charliwest
    Forum|alt.badge.img+9
    • charliwest
    • Contributor
    • Answer
    • July 16, 2014

    I would have a hidden user as the management account, then the local admin account can be reset by the management account. For example jssadmin is the management account for casper suite, administrator is the local admin account that all it admins can get into if the user forgets their password or we need to install things, does that make sense?

    J
    Forum|alt.badge.img+24
    • jarednichols
    • Valued Contributor
    • July 16, 2014

    Security best practice is to use a sub-500 UID for your admin user and spin the password regularly anyway.

    daz_wallace
    Forum|alt.badge.img+13
    • daz_wallace
    • Contributor
    • July 17, 2014

    Our Standard setups are:

    Use "_jssadm" as the name - It looks like a Mac OS X system account
    Have a policy to create this in /var/_jssadm with a random password and hide from the login window
    Have another policy to change this password to a random one every week / month

    Seems to work pretty well.

    Darren

    M
    Forum|alt.badge.img+22
    • mike_paul
    • Employee
    • July 21, 2014

    Hey Cameron, Just to chime in with a few verbose pieces of information about your questions and goal.

    For question 1 (remotely reset management account): -If you create a policy to reset the management account (to a specific or random password) it will do this even if the password differs on the machine than what is stored in the JSS since the policy is kicked off via the launchDaemon and is running as ROOT. So set it to recurring check-in and the next time the machine checks in, it will get its management account password changed regardless of what is currently on the machine. -Side note: As of 9.23 we only use the management account for Casper Remote tasks since that requires us to SSH in to the machines. Everything else now is handled by our daemons and agents, including Self Service policies.

    For question 2: -The local management account is listed in each computer record in the General section as ‘Managed: Managed by <management account name>’
    -This is typically created with the quickadd package or at imaging time.

    As the people above mentioned, having a hidden management account that is solely used for the JSS is a good idea since you can randomize the password so that drops the risk of it being compromised. You dont need the password, only the JSS and computer need to know it.

    You could use a policy to run a variation of the following command: jamf createAccount -username <username> -realname <Real Name> -password <password> -home /private/var/<username> -admin -hiddenUser -Side note: its very important to specify the username at the end of the home path otherwise the last directory mentioned, e.g. var, becomes the users home directory.

    Once confirmed that all machines have ran the policy to create that account you can view your entire inventory in the JSS and at the bottom of the page use the ‘Action’ button and ‘Edit the Management Account Information’ to change all machines to the new account.

    The startup scripts section in the JSS is just to enable the script at startup, one functionality of that is to run Polices at startup.

    You could put a policy set at startup to reset the password but that might be overkill depending on how often machines restart. I have seen some organizations do this weekly or monthly. Another possible issue with it being a startup policy is whether your computer is connected to internet prior to login, with laptops it is common that its not unless its wired so that policy wouldnt run. Thats why using the recurring check-in trigger would have the highest probability of success.

    C
    Forum|alt.badge.img+8
    • cpdecker
    • Author
    • Valued Contributor
    • August 13, 2014

    I apologize for my late response on this. I want to thank everyone who replied and give special thanks to @mike.paul for the detailed response.

    Here is my current plan based on the points made in this thread:

    -Use a sudo jamf CreateAccount script/policy to create a hidden account with a known password on all previously enrolled Macs. This account will be used for management purposes.
    -Once all computers have checked in and run that policy/script, use the "Edit management account information" feature from the action button on the inventory search list to change the management account to the new one on all Macs.
    -Create a policy to update the management account with a randomized, 15-character password and scope it to all Macs.

    Does this appear to be a sound plan? Thanks again for any input!

    Terms & ConditionsCookie settingsAccessibility statement