Change Local "Build Account" Password

Contributor II

We are not using DEP/ABM at this time.
Macs are brought in, ran through setup assistant manually where a single local admin account is created; our "build account".
Techs login as this user, install AD certs and enroll via QuickAdd.
They then run a Self Service provisioning job which installs the base application stack.
They then Bind the device to AD and encrypt it with FV. The FV key is stored in Jamf Pro. This local account is tied to the SecureToken.

We now need to change the local account PW on all Macs. Possibly after that it will need to be changed hourly/daily/weekly/monthly. Unsure as to the time frame as of yet that InfoSec will mandate

Has anyone had to do this??

We need to figure out if changing this PW across all of the devices is possible through Jamf natively or through a scripted approach.
If possible, what will the PW change do to the account itself?
If possible, what will the PW change do to the ability for this account to manage its SecureToken job role?
We have combed through posts and feel like we have bits and pieces of answers, but not the whole picture.
Management wants cases opened with Apple and Jamf to clear this up but reaching out here as well hoping that this has been worked through before.

Thank you.


Contributor II


Contributor III

Have a look at this: Laps for Mac which discusses implementation procedures.
Then this updated version contains what you need to run on SecureToken systems.

I had to make some minor tweaks to get it working. I think I removed something with regards to the check for existing encryption and I had to hardcode append some characters to the generated passcode to make sure it met requirements.

I also had to remove '&' from the regex that creates the temp password. So, the end product is a 16 character password that contains a common ending set and doesn't use &.