FV is not in sync with local password

MacJunior
Contributor III

Hey everyone, 

When deploying a new Mac using ADE, the user first logs in with their Azure AD account, then they get a prompt to change their temp password, so they choose a new password and verify it. After that they get this window:

[Screenshot: LWScreenShot 2023-03-14 at 11.23.31 AM.png]

They enter the new password they have chosen and hit "Create account"!! Isn't it weird that they are getting this?!

Also, if they reboot their Mac, you know they need to enter their FV password first to unlock the disk, but it doesn't work!!! I had to use the PRK to unlock the disk, then I got the JC login window, entered the password they'd chosen and boom, they logged in!

So it seems we have a sync issue between the FV password and the local account password!

To solve it I had to go to the Users & Groups preference pane, change the password to something else and reboot the Mac; it worked!

So I think this is happening because when the account signed in first using the JC login window with Azure, the user got prompted to change their temp password. When they change it they can log in, but they can't unlock the disk, "even if they have a secure token".

What is the solution for that? How can I avoid this from happening?

Any thoughts?


3 REPLIES

AJPinto
Honored Contributor II

I have not tested this specifically, but in the past macOS has not liked temp passwords. There is a chance that the temp password change is breaking something in the workflow between creating the account and making an FV token.


My suggestion is to defer FV enablement, and allow the user to enable FV after 3 logins or whatever number works for you guys. This will allow the temp password to be changed and to sync to the macOS keychain before FV is even enabled.

bwoods
Valued Contributor

Do you have account migration enabled for the Jamf Connect Login screen?

Yes I do, but I'm talking here about a new account created in Azure for a new hire/user.