Has anyone had this issue when changing our local admin password via Jamf in the Local Accounts payload and choose 'Reset' I get an error stating 'Error resetting the password for user'
I am using Jamf Pro 10.27
Tested on macOS High Sierra & Mojave, just keeps failing.
Has anyone else had this issue or have some sort of fix
The only reason I can think of is if that account has a secure token and is the only account on the Mac that does. Some versions of the OS will protect the sole secure token holder from losing it, meaning you can't force-reset the password, only change it in a manner which retains the secure token (a method which requires the current password). Similarly, you wouldn't be able to delete that account.
I am looking for a similar solution. We have a local "admin" account on all of our machines. An analyst from our ServiceDesk gave out this password last week to assist with a login issue for an end user. We now need to reset this local account password on all machines. Utilizing the Local Accounts payload in policy results in the same error the original poster is seeing.
Is the only option to run the sysadminctl cmd and expose the old and new password in cleartext in some type of log?(or is that not a concern)?
Right click Computer select Manage
On computer management window under System Tools go to Local Users and Groups and select Users
Right click on “Your User Name” and select properties
Clear (Uncheck) "User cannot change password">>Click apply ad Ok>>Exit Computer Management.
I'm also having this issue. On enrollment, we set up a Local admin account with an initial password. Then when we move it to classroom or lab groups we want to change the password. Then we get the same error 'Error resetting the password for user'. The weird thing is this policy worked fine up until this week.
Same issue here. Remote M1 computers with Big Sur where we need to rotate some admin account password.
Anyone got it working via Jamf Pro policy > Local Accounts > Reset Account Password? I can not use solution where password is so simply visible
Does anything in Jamf ever just work without having to go through some complicated scripts to accomplish what the UI cannot do? It is so frustrating! We are a small shop and went with Jamf for its perceived ease of use in meeting compliance requirements given we do not have IT Help desk resources. We cannot get a simple policy such as deploy a local admin account for assisting in pw resets to work. Account deploys fine, but the pw NEVER works! And we checked the pw policy requirements, we are following the parameters within our PW policy settings so that is not the issue. We've never been able to get this functionality to work. We are probably going to look for an alternative to Jamf; We spend more time troubleshooting this MDM solution than any other corporate/enterprise tool in our suite. This Local Admin account is just one of many challenges we've had with the tool. Following the Jamf help explicitly is not very "helpful" as evidence by the sheer volume of troubleshooting posts in this very forum.
Yes its quiet terrible... Its more so an apple issue in my opinion with FileVault being whats stopping a lot of jamf policies.
I would advice you check out their github for most scripts. My director said no however there is a script that can be deployed via self service that allows admin elevation to a standard user for however long you set it to.
Just ran into this issue as well and discovered it was b/c the local admin account on the Mac was listed as a FileVault 2 Enabled User in Jamf (as shown under the computer record > Inventory > Disk Encryption > FileVault 2 Enabled Users). We followed this technical paper to disable FV for our local admin account and then flushed our password change policy for that account (which leverages the Jamf payload instead of a script for changing the password to the local admin account), and it worked. Hope this helps!
I haven't tried, but I doubt we'll re-enable it since we have to update the password this way and it was only for a few of our Macs that had it enabled. We rarely use the local admin account to physically access Macs; we mainly use it for SSH as needed and we hide the account from users. However, we have an Enable Secure Token policy that we could run on the Mac if we wanted to enable it back. The following post has some info regarding the pros and cons: https://community.jamf.com/t5/jamf-pro/secure-token/m-p/251898
I also forgot to previously mention that I setup a Smart Computer Group as the scope using FileVault 2 User has <local admin account name>.