Posted on 07-30-2024 03:48 AM
We have Jamf Pro and the Mac users are connected with their O365 accounts on the device. But suddenly a user can't log in. I changed the password for the user two times but still no luck. Where shall I start searching for the error? Can it be the sync between O365 and Jamf? Where can I see if the sync is OK? Any tips?
Posted on 07-30-2024 05:06 AM
Are you using Jamf Connect or XCreds? Is the device set up with a local account? Is it encrypted? Is the encryption key escrowed to Jamf?
If it's encrypted, is it not prompting to enter the recovery key?
Can you boot into recovery mode then get the user to reset their password there?
Posted on 07-30-2024 05:14 AM
We are using Jamf Connect.
And yes, I think we can boot into recovery mode, but I want to find an easier solution first.
Posted on 07-30-2024 07:30 AM
Jamf Connect should keep the local password in sync with the network one but if the user has changed their password, get them to try their old one.
If that doesn't work, booting into recovery mode is an easy way to sync it back to the network password, as I've seen the local account lock out at times.
If it hasn't been rebooted, so the drive isn't encrypted and can see the network, you could go to the computer inventory record > local accounts > that user > scroll to the right & try the 'unlock account' button.
Posted on 07-30-2024 05:16 AM
And they are using the account they have in our on-prem AD, with the password from there, and this is synced to O365, and O365 and Jamf are syncing in some way, I think.
Posted on 07-30-2024 05:08 AM
What can't the user log in to?
Assuming it's O365 they can't log in to, you need to check your IDP (likely Entra) authentication logs, and I'd also check conditional access policies. Jamf has nothing to do with O365 and won't have any logging for authentication issues with O365.
Posted on 07-30-2024 05:13 AM
The machine.
Logging in to O365 is no problem via web, for example.
But I still think that the process is that I change the password on the on-prem AD server, this is syncing to O365, and then Jamf is syncing with O365.
And the user is using the mail address and the password that is in O365.
Can that be correct?
Posted on 07-30-2024 05:18 AM
Jamf What? Jamf has multiple tools. Are you using Jamf Connect?
Honestly, I think they are at the FileVault screen and you are assuming the IDP password syncs down to macOS automatically. Even with Platform SSO (or god forbid domain binding) you cannot just change a user's password on the IDP side and have it sync down to update FileVault (at least not until macOS 15 releases). Give the user their FileVault Recovery key and see what happens.
Posted on 07-30-2024 05:22 AM
Yes, Jamf Connect is what we use.
Where shall she use the FileVault Recovery key?
Posted on 07-30-2024 09:22 AM
You may want to escalate your ticket to whoever usually supports Macs at your organization.
Where shall she use the FileVault Recovery key?
The user enters the FileVault password incorrectly, then they will get a link above the password box that says forgot password. They click that, the Mac will boot into recovery (they need the recovery lock password if enabled), they will be prompted for the recovery password and then allowed to reset their Mac account password (the PW needs to meet any MDM-configured account password requirements). Once they finish, the Mac will reboot into macOS for them to log in.
After they get into macOS with the new password, Jamf Connect will prompt them to sync the macOS password to whatever the IDP password is, if configured to do so.
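The replies above boil the problem down to three questions a helpdesk tech should answer before sending the user to the recovery screen: is FileVault on, does the user hold a secure token (so their password can unlock the disk at all), and is the local account simply locked out after too many failed attempts. The script below is an added triage helper, not something posted in this thread or shipped by Jamf. It is meant to run on the affected Mac as an admin with the user's short name as the first argument. The parsers take the command output as text so they can be exercised offline; the `fdesetup status` and `sysadminctl -secureTokenStatus` wording is what those tools print, while the exact `pwpolicy authentication-allowed` phrasing is treated as an assumption and matched loosely.

```shell
#!/bin/sh
# Added triage helper (not from the thread or from Jamf). Assumes it runs on the
# affected Mac as an admin, with the affected user's short name in $1.

# fdesetup status prints "FileVault is On." or "FileVault is Off."
parse_filevault() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# sysadminctl -secureTokenStatus <user> prints (on stderr)
# "Secure token is ENABLED for user ..." or "... DISABLED for user ...".
parse_secure_token() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# pwpolicy -u <user> authentication-allowed reports whether the account may
# authenticate and, if not, why (e.g. lockout). Exact wording is assumed here,
# so only the "may not" / "may" distinction is relied on.
parse_auth_allowed() {
  case "$1" in
    *"may not authenticate"*) echo blocked ;;
    *"may authenticate"*)     echo allowed ;;
    *)                        echo unknown ;;
  esac
}

# Map the three answers onto the next step suggested in the thread.
next_step() {
  fv="$1"; token="$2"; auth="$3"
  if [ "$auth" = blocked ]; then
    echo "local account is locked out: unlock it (Jamf Pro inventory record, or pwpolicy) before resetting anything"
  elif [ "$fv" = on ] && [ "$token" != enabled ]; then
    echo "user cannot unlock FileVault: the password must be reset from the recovery screen with the recovery key"
  elif [ "$fv" = on ]; then
    echo "FileVault on and user has a secure token: try the old IdP password at the FileVault screen first"
  else
    echo "drive not encrypted: an admin can reset the local password, then Jamf Connect re-syncs it at login"
  fi
}

# Live run on a Mac; skipped where the macOS tools are absent so the file can
# still be sourced for its functions elsewhere.
if [ -n "$1" ] && command -v fdesetup >/dev/null 2>&1; then
  user="$1"
  fv=$(parse_filevault "$(fdesetup status)")
  token=$(parse_secure_token "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
  auth=$(parse_auth_allowed "$(pwpolicy -u "$user" authentication-allowed 2>&1)")
  printf 'FileVault: %s\nSecure token (%s): %s\nAuthentication: %s\n' "$fv" "$user" "$token" "$auth"
  next_step "$fv" "$token" "$auth"
fi
```

Run it as `sh triage.sh jane` on the Mac in question. A "blocked" result points at the lockout case from the "unlock account" reply, while "FileVault on" with no secure token is the case where only the recovery-key reset described above will get the user back in.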