Lost password - reset after changing externally

ScouseCoxy
New Contributor

I know this has been asked previously but want to know if there is any work being done to fix it apart from working directly on the affected Macs?

The school has Jamf Connect synced with Google. If a student forgets their password it gets reset at Google, but then they cannot log onto a Mac that they'd previously worked on, as the old password is needed. The only fix is to log in as a local admin on that Mac and either reset the password or delete that user. This seems to be a known issue. Is there any work being done that can somehow sync passwords when the students are not logged in, so we don't have to go around manually fixing it all the time?

Thanks

Andrew

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor III

This is not a Jamf problem to fix, it's an Apple problem to fix. Jamf Connect uses macOS's Authchanger to handle password rotations. For a password to sync, the user must log in to the account (using their old password), and then sync the account with Authchanger. There is nothing Jamf can do about this behavior as it's hooking into Apple frameworks.

Platform SSO added functionality in macOS 14 to do what you are wanting. However, Google has announced they will never support PSSO. Heck, Okta and Microsoft PSSO are still in private preview, but MS has announced it will be moving to the production lanes in the next few months. As far as I am aware, Okta and MS are using the PSSO framework from macOS 13, which does not have the on-demand account creation functions. I have a feeling Jamf Connect will have a lot of changes to make to be relevant once PSSO takes hold; however, Jamf Connect exists now and PSSO does not.

TL;DR: Apple has made managing accounts on macOS very painful, and there is nothing Jamf or any IdP can do about it.

authchanger - Jamf Connect Documentation 2.32.0 | Jamf
