Automating password rotation on Monterey with secure tokens

Hi everyone. Is there any way to reset a Secure Token-enabled account's password via Jamf? I would be comfortable revoking the secure token, if that is necessary, as long as that can be automated.

The closest approach I have that works is to simply delete the account and then recreate it with a new password. Is there a better way?

I know this was a no-go in previous OSes, but now that we have bootstrap tokens I wonder if there's a new solution. I know Apple loves making major changes in minor updates, so I'm not confident that all the docs I've read are still accurate.

Assumptions: Macs are supervised and enrolled in Jamf. Bootstrap token is escrowed. FileVault is enabled. All local accounts have Secure Tokens, and there are at least two local accounts (end user account and support account). OS is Monterey or later.

Goals: Have a local admin account for support purposes (not necessarily FileVault-enabled since we have recovery keys escrowed). Allow for automated password rotation as needed.

Limitations: Must be automated, meaning it does not require recovery mode or manually entering any passwords. I do not want to hardcode passwords in scripts, because A) that makes me feel dirty, and B) I do not assume that we will always know the old password.
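A preflight audit for the assumptions listed above, as an added example that is not part of the original post or of Jamf's tooling: it parses the output of the real macOS commands `profiles status -type bootstraptoken`, `fdesetup status`, `sysadminctl -secureTokenStatus <user>` and `dscl . -list /Users UniqueID` so a rotation workflow can refuse to run on a Mac that does not match the stated preconditions. The sample outputs and the `support` account name are constructed assumptions; on a real Mac, capture the live command output and pass it to the same functions.

```sh
#!/bin/sh
# Added example: preflight audit of the post's assumptions. Each checker takes
# the text a macOS tool prints, so it runs offline on the constructed samples
# below and on live output (`cmd 2>&1`) on a Mac.

# Constructed sample outputs in the formats the real tools print.
SAMPLE_BOOTSTRAP='profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES'
SAMPLE_FDE='FileVault is On.'
SAMPLE_TOKEN='2023-01-01 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user support'
SAMPLE_USERS='_www 70
support 501
jdoe 502'

# 0 if the bootstrap token is both supported by and escrowed to the MDM.
bootstrap_escrowed() {
    printf '%s\n' "$1" | grep -q 'supported on server: YES' &&
    printf '%s\n' "$1" | grep -q 'escrowed to server: YES'
}

# 0 if `fdesetup status` reports FileVault on.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# 0 if sysadminctl reports an enabled secure token for the account.
# sysadminctl writes this line to stderr, so capture it with 2>&1 on a Mac.
secure_token_enabled() {
    printf '%s\n' "$1" | grep -q 'Secure token is ENABLED for user'
}

# Prints how many local accounts (UID >= 500) appear in the dscl listing.
local_account_count() {
    printf '%s\n' "$1" | awk '$2 >= 500 { n++ } END { print n + 0 }'
}

# Runs every check, prints PASS/FAIL per item, returns 0 only if all pass.
preflight() {
    rc=0
    bootstrap_escrowed "$1" && echo 'PASS bootstrap token escrowed' || { echo 'FAIL bootstrap token not escrowed'; rc=1; }
    filevault_on "$2" && echo 'PASS FileVault on' || { echo 'FAIL FileVault off'; rc=1; }
    secure_token_enabled "$3" && echo 'PASS secure token on support account' || { echo 'FAIL no secure token on support account'; rc=1; }
    [ "$(local_account_count "$4")" -ge 2 ] && echo 'PASS at least two local accounts' || { echo 'FAIL fewer than two local accounts'; rc=1; }
    return $rc
}

# Exercise the audit on the constructed samples (all checks pass).
preflight "$SAMPLE_BOOTSTRAP" "$SAMPLE_FDE" "$SAMPLE_TOKEN" "$SAMPLE_USERS"
```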