Jamf Connect password sync - "Your local password is incorrect"

eliu01
New Contributor II

I changed my password via Jamf Connect yesterday, but when the prompt to sync passwords appeared it did not accept my previous password, giving me the "Your local password is incorrect" message. Rebooting showed that I needed my previous password to log in to FV. Once at the desktop, logging into Jamf Connect used my new password but still would not accept the old one when trying to sync passwords. Based on this Jamf Nation thread (https://www.jamf.com/jamf-nation/discussions/35744/jamf-connect-login-with-okta-local-password-issues), I manually changed my local password using the diskutil apfs changePassphrase command. This worked in that my FV password now matches my Jamf Connect password, but after the FV login I now get a Jamf login screen, where the old password is required. When I get to the desktop, Jamf Connect works with the new password as before, but still prompts to sync passwords. I've tried multiple passwords to no avail. As a result, I cannot complete a login to Jamf Connect, which prevents access to some of our company resources (e.g. things that require Kerberos tickets).

1 ACCEPTED SOLUTION

abrunner
New Contributor III

I just resolved this in my environment. When I checked the Jamf Connect logs it was giving me this error:

Password change failed! Error: Password change failed because password does not meet minimum quality requirements.

I had already checked my Okta and my Jamf Connect password policies and made sure they were the same. What I didn't check was the Jamf Passcode settings in my Default Passcode Configuration Profile. That was what was causing the problem. I updated that setting and when I connected to Jamf Connect and it prompted to sync my password, I entered the old password and they synced. Hopefully this is your issue as well.

9 REPLIES

abrunner
New Contributor III

I'm having the same issue. I am on Jamf Connect version 2.4.0 Build 4. I know my local password is correct because I entered it to unlock FileVault and as my sudo password in Terminal. Did you ever find a solution for this? I'm on Monterey beta 3 and I can't log in at all from the Jamf Connect login window. I have to reboot each time to unlock FileVault, so I can't test if Jamf Connect is taking the password at all.

Can you please describe how you did this?

abrunner
New Contributor III

In the configuration profile you use for Passcode, verify that your settings match or are less restrictive than your SSO password policy.

eliu01
New Contributor II

This issue persists for me. The only thing that Jamf support was able to identify was an error stating "no UUID found" in the Jamf Connect logs, an error they hadn't seen before. The proposed solution was to recreate my Okta account, which I have yet to try. Based on your last post, I did find a local password complexity configuration profile that does not match our current password complexity policy, and we're going to modify that to see if it changes anything. Thanks for the suggestion!

Scotty
Contributor

I'd like to follow up on this. I was running into the same problem. The issue for me was my Passcode Policy config profile on the machine. It was set to match Okta/AD fully, 16ch and specifically "Password History of 24".

It was the password history part of the config profile killing the Connect Sync and giving me "your local password is incorrect." The logs helped me here. It was actually correct, but it was failing to sync the password with Okta because the password was already used on the Mac, so the Okta password coming down from high did not meet complexity requirements. I needed to turn this feature off in order for syncing to work. This was because the password had previously matched Okta before the user changed it manually.
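An added example (not from the thread and not Jamf's code): a Python check of an exported, unsigned Passcode configuration profile against the SSO policy, flagging settings that are stricter than SSO and any local password history, the two causes reported in the replies above. The sample profile and the `SSO_POLICY` values are constructed; the payload type and keys are those of Apple's Passcode payload.

```python
import plistlib

# Constructed sample: an unsigned profile with one Passcode payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.mobiledevice.passwordpolicy</string>
      <key>minLength</key><integer>16</integer>
      <key>minComplexChars</key><integer>2</integer>
      <key>requireAlphanumeric</key><true/>
      <key>pinHistory</key><integer>24</integer>
    </dict>
  </array>
</dict>
</plist>"""

# Constructed SSO (e.g. Okta) policy, expressed with the same key names.
SSO_POLICY = {"minLength": 16, "minComplexChars": 1,
              "requireAlphanumeric": True, "pinHistory": 24}

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def audit_passcode_profile(profile_bytes, sso):
    """Return (key, reason) findings for settings that can block a password sync."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != PASSCODE_TYPE:
            continue
        # Numeric minimums: the local value must not exceed the SSO value.
        for key in ("minLength", "minComplexChars"):
            local, remote = payload.get(key, 0), sso.get(key, 0)
            if local > remote:
                findings.append((key, f"local {local} is stricter than SSO {remote}"))
        if payload.get("requireAlphanumeric", False) and not sso.get("requireAlphanumeric", False):
            findings.append(("requireAlphanumeric", "required locally but not by SSO"))
        # Local history can reject an SSO password already used on this Mac,
        # even when the history count matches the SSO policy.
        history = payload.get("pinHistory", 0)
        if history > 0:
            findings.append(("pinHistory", f"local history of {history} can reject a reused password"))
    return findings


if __name__ == "__main__":
    for key, reason in audit_passcode_profile(SAMPLE_PROFILE, SSO_POLICY):
        print(f"{key}: {reason}")
```
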

droolman7
New Contributor

We had an instance of this in our environment. Lots of head scratching and bashing. Found something simple to fix this, and verify everything was synced after it was completed, including FileVault.

Open system prefs, Users and groups, and unlock it with an admin account, then change the password while it's unlocked. Please try this out in your environment if you can and let me know if you have success or not, thanks!

eliu01
New Contributor II

It turns out this was the solution for us as well. We had previously modified a local password policy in Jamf that didn't help, but one of my coworkers found a different password policy that did fix this.

abrunner
New Contributor III

Actually just ran into this issue again. We are implementing a new password policy, so users are being required to update their Okta password, which syncs to Jamf Connect for their local user password. My director changed his password in Okta, logged in to Jamf Connect with the new password, got the prompt to enter the local password, entered the local password, got told it was incorrect. Logs showed nothing. I tested with my account on two different machines, had no problems. We ended up having him boot into Recovery and use the FileVault Recovery key to reset the password to the new one. I'm just wondering if we're going to have to do this every time he resets his password now....