Update local admin password and enable for FileVault

Question

We have a local admin account that we want to be enabled for FileVault. We need to be able to rotate this password, but have found that when changing the password through Jamf, it does not update the filevault password.

Would a viable solution be to delete the entire in its' entirety, then re-create the account in jamf (set password and enable filevault2)? Is there a better way to do this? There's nothing stored in this account. It's just a way for our help desk members to gain local admin access into these machines.

Note: We are aware of the management account playing better with password resets using jamf, but we prefer to keep two separate local admins due to the fact that some admin users remove the local admin account. If we enable our management account for fv2, users will be more aware of this account and may increase the likelihood of someone removing the management account.

koalatee · Answer

This is how I update our local admin (remove and re-create).

I agree that if your management account is seen, it would probably increase in how much it's removed. My recommendation is to have a smart group that has criteria of "does not have $admin account" and then have an ongoing policy to add the admin account to machines in that group. That way, you should have a machine that does not have that admin account for as long as your inventory policy is.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded