Posted on 09-21-2022 11:46 AM
User was recently removed from old AirWatch MDM and enrolled into Jamf using the pre-stage command: sudo profiles renew -type=enrollment. Before I installed the Jamf profiles on the device, I had to re-bind the machine to the domain because the local password and Okta password did not sync. I then removed it from the domain again and verified the local password now matched the user's Okta password. Restarted the device and had the user log in with the newly updated password.

Ran the command to install Jamf profiles, restarted the device and had the user review and install the profiles. After all profiles and policies installed, I tested Jamf Connect (desktop app) and was able to have the user sign in via Okta.

On the next restart, where the user has to connect the local account to Jamf Connect for the first time, it does not take the local Mac password that was being used. Keeps saying invalid password. Had the user try the old and new password that was on the device and still could not connect. Had to create a "Disable Jamf Connect" policy to bypass the login screen so the user could log back into the local account to continue to work.

I'm guessing this is most likely an issue with the keychain or the bootstrap token. User is added to our admin Jamf Connect group, so her local user account should be set to admin.
Bootstrap Token Allowed: Yes
Bootstrap Token Escrowed: No
FileVault 2 Enabled Users: itrunwell (local hidden admin account)
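A quick state check an admin can run on the affected Mac before re-enabling the Jamf Connect login window, as an added example that is not part of this thread: it reports whether the console user holds a secure token, which accounts are FileVault-enabled, and whether the bootstrap token is escrowed. Parsing is kept separate from the command calls so the functions also work on saved output; the sample output used off-macOS (user jdoe, the UUID) is constructed.

```shell
#!/bin/sh
# Added example: summarise the local token state that the Jamf Connect
# account-link step depends on. Parsing functions take command output as
# text so they can be tested on output saved from another machine.

# user_has_secure_token "<sysadminctl -secureTokenStatus output>"
# Returns 0 when the output reports the token as ENABLED, 1 otherwise.
user_has_secure_token() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED'
}

# fv_users "<fdesetup list output>" prints one username per line
# (fdesetup list emits "username,UUID" lines).
fv_users() {
    printf '%s\n' "$1" | cut -d, -f1 | sed '/^$/d'
}

# bootstrap_escrowed "<profiles status -type bootstraptoken output>"
# Returns 0 when the token is reported as escrowed to the MDM server.
bootstrap_escrowed() {
    printf '%s\n' "$1" | grep -qi 'escrowed to server: YES'
}

# Run the real commands only on macOS; elsewhere use constructed sample
# output (mirroring the state in the post above) so the script still runs.
if [ "$(uname)" = Darwin ]; then
    user="${1:-$(stat -f %Su /dev/console)}"
    st_out="$(sysadminctl -secureTokenStatus "$user" 2>&1)"
    fv_out="$(fdesetup list 2>/dev/null)"
    bt_out="$(profiles status -type bootstraptoken 2>&1)"
else
    user=jdoe   # constructed sample user
    st_out='sysadminctl[123:456] Secure token is DISABLED for user jdoe'
    fv_out='itrunwell,ABCDEF01-0000-0000-0000-000000000000'
    bt_out='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: NO'
fi

if user_has_secure_token "$st_out"; then
    echo "$user: secure token ENABLED"
else
    echo "$user: secure token DISABLED (account is not a FileVault unlock user)"
fi
echo "FileVault-enabled users:"; fv_users "$fv_out" | sed 's/^/  /'
if bootstrap_escrowed "$bt_out"; then
    echo "Bootstrap token: escrowed"
else
    echo "Bootstrap token: NOT escrowed"
fi
```

Run it as the admin account with the affected username as the first argument; a user without a secure token will not appear in the FileVault list, which is the mismatch to resolve before the account-link step is retried.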
09-21-2022 11:52 AM - edited 09-21-2022 11:53 AM
Yes, this is related to the keychain. Or at the very least it could be. My recommendation is to verify with users and have support see if your end-users have 2 passwords. Removing all third-party authentication like NoMAD and Centrify is also key if that is being used. Are the current profiles all local and admins or are they mobile and admin/standard?
Posted on 09-21-2022 12:21 PM
For this user in particular, her account was mobile and an admin. I have a case open with Jamf regarding this issue as well. We use Okta as our IdP and for authentication.
Posted on 09-21-2022 12:12 PM
Does the user have an admin account in Jamf Pro by chance? If so, after they receive the error try clicking cancel then once you're back on the screen to connect the account, you can click Connect and log them in.
Posted on 09-21-2022 12:23 PM
No admin account in Jamf Pro for this user. This is a standard user who is added to our "Okta - Jamf Connect" and "Okta - Jamf Connect (Admin)" AD groups in order to initially enroll and connect to Jamf Connect. They tried clicking cancel and logging back in to connect the local account, but it still said invalid password. The workaround was to create a "Disable Jamf Connect" policy scoped to the machine to bypass the second (Okta) Jamf Connect login screen.