Change Management Account on multiple computers at once...

Sean_Ginn
New Contributor II

Is there a way to change the Management Account for multiple computers? The original enrollment process wasn't managed by one person, and a lot of our machines were enrolled with different accounts. We created a policy to change our admin account on the computers, which we use for ARD, and discovered that the policy keeps failing due to "Error: This is the Remote Management Account for this computer. Please reset the password using the SSH Account section."
At first I didn't realize what was happening, then recently I discovered that on the computers that failed the Management Account was the account we were attempting to change the passwords to. Sorry for the long back story, I am just trying to see if there is a way to do this all at once or am I forced to do this one by one.

5 REPLIES

pblake
Contributor III

You can change all the computers in a search at once. Use the Actions button at the bottom.

mm2270
Legendary Contributor III

The method is slightly different depending on which version of the JSS you're using, but generally speaking the way to do this is to run an Advanced Search to pull up the Macs you would like to change the Management account on, then use the Take Action on Results menu and choose "Edit Management Accounts".

The above wording is from JSS version 8.x. The process is a little different in version 9, but the same general steps should apply.

The thing is, make sure you change the settings to an account name and password that actually exists on those Macs or you'll mess up the manageability of them until you fix it.

Also, you should consider using the EA I outline here to grab the Management Account used on the Macs. https://jamfnation.jamfsoftware.com/discussion.html?id=7575
Although you can see the information for each Mac individually, it's not something you can build Smart Groups on. I had thought version 9 added this as an option, but it doesn't appear that they did.

Sean_Ginn
New Contributor II

Okay so I may need to have this spelled out.

Even though you change the Management Account under General > Edit, the account still needs to exist on the machine? Is there a way to distribute a hidden account? Our JSS has had now three management accounts and we have multiple machines which could have one of the three. It's not all that many, but for peace of mind I would like to consolidate, and not create another account, but I am not sure how to make that happen. Would you need to re-enroll with a quick add package that creates the desired management account?

mm2270
Legendary Contributor III

Yes, the account must exist if you plan to still have the Macs manageable. Even though that option lets you set a new management account, it's not going to create it on them. The management account, whether hidden or not, is used by Casper Suite to elevate its privileges to root when running certain operations so it can do what it needs to do, like install software, change settings, etc.

There are a few ways you can address this. You could run a policy on your Macs to re-enroll them with a new QuickAdd.pkg that uses an existing account if present, or creates it if it's not there and uses that as the management account. Or, you could use a policy to create a new account under the Accounts tab. Only problem is I don't think that lets you make a hidden account. Might be better to script it from the get-go if you go that route. This would only make the account but not necessarily switch the Mac to use that as its management account.

If you're not opposed to simply pushing out a new QuickAdd in a run once policy to all machines, that might be the easiest way. It's slightly overkill since some of them may already be using that account anyway. As such, I suggest first creating the Extension Attribute and letting your Macs submit new inventory. Then you can have a better feel for which ones are actually using the correct account as opposed to an old one and take more selective action.

bjohnson
New Contributor

You can create the account and allow it to be hidden by using the jamf binary. Running jamf -help createAccount in terminal will bring up the following information for you.

Usage: jamf createAccount -username <username> -realname <Real Name> [-password <password>] [-passhash <passhash>] [-home </path/to/home/directory>] [-hint <hint>] [-shell <shell>] [-picture <picture>] [-admin] [-secureSSH] [-hiddenUser] [-networkUser]

-username The user's user name

-realname The user's real name

-password The password of the user

-passhash The hashed password of the user

-home The location of the user's home directory

-hint The hint displayed to the user

-shell The user's default shell

-picture The user's picture for the Login window

-admin This flag adds the user to the admin group.

-hiddenUser Creates an account with a UID under 500 and hides it

-networkUser Creates an account with a UID over 1025

-secureSSH Modifies the /etc/sshd_config file to lock out all other users
In Mac OS X 10.5 and later, the group com.apple.ssh_access is modified instead of sshd_config.
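
A scripted form of the approach discussed in this thread, added here as an example and not posted by any participant: it creates the hidden admin account with the `createAccount` flags quoted above only on Macs where the account is missing. The account name, the `jamf` path, and the `MGMT_PASS`, `DRY_RUN` and `--run` conventions are assumptions of this sketch; as noted earlier in the thread, creating the account does not by itself switch the Mac's management account.

```shell
#!/bin/sh
# Added example, not from the thread: create the hidden management account
# only where it is missing, using the createAccount flags quoted above.
LC_ALL=C; export LC_ALL
MGMT_USER="${MGMT_USER:-mgmtadmin}"            # placeholder short name
MGMT_REALNAME="${MGMT_REALNAME:-Management}"   # placeholder real name
JAMF_BIN="${JAMF_BIN:-/usr/local/bin/jamf}"    # assumed path, adjust per install
DRY_RUN="${DRY_RUN:-1}"                        # 1 = report only, change nothing

# True if an account with this short name resolves on the machine.
account_exists() {
    id "$1" >/dev/null 2>&1
}

# Accept only lowercase short names: letter or underscore first, then [a-z0-9_].
valid_username() {
    case "$1" in
        ""|*[!a-z0-9_]*) return 1 ;;
        [a-z_]*)         return 0 ;;
        *)               return 1 ;;
    esac
}

# Prints one status word; never prints the password.
ensure_mgmt_account() {
    user="$1"; real="$2"; pass="$3"
    valid_username "$user" || { echo "invalid-username"; return 2; }
    if account_exists "$user"; then echo "exists"; return 0; fi
    [ -n "$pass" ] || { echo "missing-password"; return 3; }
    if [ "$DRY_RUN" = "1" ]; then echo "would-create"; return 0; fi
    # -password is visible in the process list while jamf runs; the help text
    # also lists -passhash. -secureSSH is left out on purpose because it locks
    # every other user out of SSH.
    "$JAMF_BIN" createAccount -username "$user" -realname "$real" \
        -password "$pass" -admin -hiddenUser || { echo "create-failed"; return 4; }
    echo "created"
}

# Run only when asked: sh ensure_mgmt.sh --run
if [ "${1:-}" = "--run" ]; then
    ensure_mgmt_account "$MGMT_USER" "$MGMT_REALNAME" "${MGMT_PASS:-}"
fi
```

With `DRY_RUN=1` (the default here) the script only reports `exists` or `would-create`, which gives a per-machine picture before any account is changed.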