Help

Change local adminpassword without losing access to Keychain and FV2

Raiden
New Contributor

Posted on ‎03-24-2022 02:03 AM

Hi you all.

We are just starting to rollout jamf and are currently trying to remotely change the password of the local admin accounts on our users devices without losing access to the keychain and/or fv2.

The local Admin is the only secure token holder on the devices.

Simply changing the password via a script payload destroys both of those.
Same thing happens if we try to change the credentials by policy.

I myself am new-ish to scripting this sort of things.

That being said, I had some sort of success by

  1. creating a new temp-admin user
  2. escrowing the token onto the new user
  3. changing the password of our old admin
  4. giving the old admin a new token
  5. deleting the temp-admin

This seemingly keeps the fv2 and keychain access intact, but it feels like a hack job and a catastrophe waiting to happen.

We'd be really grateful for any less jerry-rigged approach to this.

 

0 Kudos
3 REPLIES 3

caffine247
New Contributor III

Posted on ‎03-25-2022 07:27 AM

Take a look at https://github.com/joshua-d-miller/macOSLAPS

If you have an existing local admin account this will allow you to update that password and the bootstrap token for that user.

0 Kudos

Raiden
New Contributor
In response to caffine247

Posted on ‎03-28-2022 12:44 AM

We have managed to keep FV2 and the Secure intact. But even LAPS locks our local admin out of his keychain.

Is there any way to avoid that?

0 Kudos

caffine247
New Contributor III
In response to Raiden

Posted on ‎03-28-2022 10:49 AM

Have you asked the same within the mac Admin Slack? In particular the #macoslaps?

0 Kudos