Can't retrieve local admin password set by Pre-stage enrollment

keenan710
New Contributor II

Hi all,

I am managing all of our company Macs through Jamf; however, the pre-stage enrollment was previously set up by someone no longer in the company, so I don't know what the password is for the local admin account.


1. Is there a way to view the already-set password?

or

2. If I change what is in the password boxes, will it then sync and change the password for the local accounts on the machines already enrolled?

Thanks


joshuasee
Contributor III

Unfortunately my recollection is that, no, it won't sync the change, it'll just break features using the management account, which are mercifully few at this point.

Try an API LAPS pull on a machine with that account, with AutoRotateEnabled set to false if you want to keep that password, and see what you get. If the problem isn't pressing, 11.1 will probably put that feature within the GUI by EoY.

Changing the password without the existing one is difficult to impossible on newer versions of macOS and especially Apple Silicon machines, but you could create another account, then change the management account settings to use that one. Just make sure the new one gets admin rights, SecureToken, volume ownership, etc. before switching over.

If you are an on-prem user you could in theory pull the encrypted password from the database, but that is totally undocumented.
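The API LAPS pull joshuasee describes, as an added example (not code from this thread or from Jamf): it reads the LAPS settings so you know whether viewing the password will schedule a rotation, resolves the computer's management ID, and fetches the current password for the named local account. Assumptions: the server URL, API account and computer/account names are placeholders, and the endpoint paths (/api/v1/auth/token, /api/v1/computers-inventory, /api/v2/local-admin-password) are taken from the Jamf Pro API reference and should be checked against your instance's /api/doc.

```python
import base64
import json
import urllib.parse
import urllib.request
BASE = "https://jamf.example.com"          # placeholder Jamf Pro URL (assumption)
LAPS_BASE = "/api/v2/local-admin-password"  # path as documented in the Jamf Pro API reference

def _request(method, url, token=None, basic=None):
    """Minimal stdlib JSON helper: Basic auth for the token call, Bearer afterwards."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Accept", "application/json")
    if basic:
        req.add_header("Authorization", "Basic " + base64.b64encode(basic.encode()).decode())
    elif token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")

def get_token(user, password):
    return _request("POST", BASE + "/api/v1/auth/token", basic=f"{user}:{password}")["token"]

def extract_management_id(inventory):
    """The LAPS endpoints key on managementId, not the classic numeric computer ID."""
    results = inventory.get("results", [])
    if len(results) != 1:
        raise LookupError(f"expected exactly one computer, got {len(results)}")
    return results[0]["general"]["managementId"]

def find_management_id(token, computer_name):
    flt = urllib.parse.quote(f'general.name=="{computer_name}"')
    url = f"{BASE}/api/v1/computers-inventory?section=GENERAL&filter={flt}"
    return extract_management_id(_request("GET", url, token))

def password_url(management_id, username):
    return f"{BASE}{LAPS_BASE}/{management_id}/account/{urllib.parse.quote(username)}/password"

def rotation_notice(settings):
    """With auto-rotate on, a viewed LAPS password is rotated after the expiration time."""
    if settings.get("autoRotateEnabled"):
        return f"auto-rotate is on: viewed password rotates after {settings.get('autoRotateExpirationTime')}"
    return "auto-rotate is off: the retrieved password will stay valid"

def fetch_laps_password(token, computer_name, username):
    settings = _request("GET", BASE + LAPS_BASE + "/settings", token)
    print(rotation_notice(settings))
    mid = find_management_id(token, computer_name)
    return _request("GET", password_url(mid, username), token)["password"]

if __name__ == "__main__":  # placeholders: use an API role limited to LAPS read rights
    tok = get_token("api-user", "api-password")
    print(fetch_laps_password(tok, "MACBOOK-001", "localadmin"))
```

Password reads are written to the Jamf Pro audit history for the LAPS account, so use a dedicated API role for this rather than a full admin login.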

AJPinto
Honored Contributor III

The account you are creating with PreStage likely has a Secure Token. macOS requires a Secure Token to change the password of an account with a Secure Token. Sudo (i.e. JAMF policies or scripts) uses bootstrap tokens, not secure tokens, and cannot change the password or delete the account of a Secure Token holder.


JAMF does have LAPS which you can look into. Beyond LAPS, JAMF has no way to know what the local account's PW is, as it's not recorded in JAMF anywhere.

keenan710
New Contributor II

Apologies for the delay in responding! It seems like LAPS will be the way to go, as we want to use it for things when we're TeamViewer-ing on and want to do admin things, etc.

However, LAPS doesn't seem that simple to set up, so if anyone had a good link to share that would be great!

Thanks so much!