Change management account password via command line


roiegat
  • Valued Contributor
  • 412 replies

So I wrote a script to update the local account password on the computer per new guidelines (it's gotta be longer now and change more often). Since the account is used by JAMF to manage the machine, I've been looking at how to tell JAMF via script of the new password. I know I can go into the console and do it, but trying to automate the whole process since I have to do this on a plethora of machines.

I looked at the JAMF help page, and the change password option seems like it would be correct, but trying to find the correct syntax for it. And also need to be sure it'll update JAMF with new management password. Thanks.

6 replies

  • Contributor
  • 47 replies
  • April 5, 2018

@roiegat Any reason why you're not using a policy with the management account section? You could set up a policy to change the management account password and re-run the policy based on scope/frequency.


roiegat
  • Author
  • Valued Contributor
  • 412 replies
  • April 5, 2018

@TJ.Edgerly Because that would be way too easy, and hence deemed unsafe by our security guys. Our management passwords have to use a combination of system variables, so scripting is the only option we have.

But, I think I figured it out. Using the following command:
sudo jamf resetPassword -username <name> -password <password>

Testing it now to make sure JAMF can still manage the machine after that change.


mm2270
  • Legendary Contributor
  • 7882 replies
  • April 5, 2018

> Testing it now to make sure JAMF can still manage the machine after that change.

I'm fairly certain it won't be able to manage the machine with that account after changing it that way. The point of the policy payload is that after changing the password it updates the computer record with the change in the database. Since the management password is stored in a hash in the db record, it's probably something only the jamf binary can do properly.

Is using a randomly generated password in the above payload not an option? Or is this a case where you need to know what the management password is after it's changed?


roiegat
  • Author
  • Valued Contributor
  • 412 replies
  • April 5, 2018

@mm2270 So far tested on two machines and it's seemed to have worked. After running the script on the machine (but without doing a recon afterwards) I was able to log into JAMF Remote and send packages to both machines. I also confirmed it took the new password by SSHing into the machines as well.

As for a random password, while nice in theory, it's still in the vetting process by our security team. So until we get permission to use it, we need to know what the password is for these machines.


  • Valued Contributor
  • 120 replies
  • August 31, 2018

@roiegat Just confirming that when you SSH into a machine and run the

sudo jamf resetPassword -username <name> -password <password>

that the JSS is aware of the new password and all is well as far as management, communications, etc afterwards? Your last post stated it was all good. Just trying to confirm...

Have you tried to use Jamf Remote to execute the command?

This might be something to tuck in my toolbelt. I have a few devices that failed with a simple policy to change the management password using a static one ("Error: The Managed Account Password could not be changed.")

Thanks!


  • Contributor
  • 475 replies
  • August 31, 2018

If the resetPassword does not work, this will.

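#!/bin/bash

# Credentials for the JSS and for the management (SSH) account; fill in before use.
jssUser=""
jssPass=""
sshUser=""
sshPass=""

# Answer the interactive prompts of `jamf enroll -prompt` with expect.
# The heredoc is unquoted, so the shell expands $jssUser etc. before expect runs.
/usr/bin/expect >/dev/null 2>&1 <<EOF
    set timeout -1
    spawn /usr/local/jamf/bin/jamf enroll -prompt -verbose -noManage -noRecon -noPolicy
    expect "JSS Username:"
    send -- "$jssUser\r"
    sleep 1
    expect "JSS Password:"
    send -- "$jssPass\r"
    sleep 1
    expect "SSH Username:"
    send -- "$sshUser\r"
    sleep 1
    expect "SSH Password:"
    send -- "$sshPass\r"
    expect eof
EOF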
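
The same prompt-driven enroll as in the script above, as an added example that is not part of the original post: credentials are handed to expect through environment variables and a quoted heredoc, so a password containing `[`, `$` or `"` is sent as data instead of being parsed as Tcl. `JAMF_BIN` and the `JSS_USER`/`JSS_PASS`/`SSH_USER`/`SSH_PASS` names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. The prompts and enroll flags are copied from the post above;
# JAMF_BIN and the JSS_*/SSH_* environment names are assumptions of this sketch.
JAMF_BIN="${JAMF_BIN:-/usr/local/jamf/bin/jamf}"

# Usage: jamf_enroll_prompted <jssUser> <jssPass> <sshUser> <sshPass>
jamf_enroll_prompted() {
    # Secrets travel in the environment of the expect process. The heredoc is
    # quoted ('EOF'), so the shell never pastes them into the Tcl source and
    # characters such as [ ] $ " in a password stay literal data.
    JAMF_BIN="$JAMF_BIN" JSS_USER="$1" JSS_PASS="$2" SSH_USER="$3" SSH_PASS="$4" \
    /usr/bin/expect <<'EOF'
log_user 0      ;# do not echo the dialogue (and the typed secrets) to stdout
set timeout 60  ;# a missing prompt fails the run instead of hanging forever
spawn -noecho $env(JAMF_BIN) enroll -prompt -verbose -noManage -noRecon -noPolicy
foreach {prompt var} {
    "JSS Username:" JSS_USER
    "JSS Password:" JSS_PASS
    "SSH Username:" SSH_USER
    "SSH Password:" SSH_PASS
} {
    # Exit 2 on timeout, 3 if the binary quits before asking for this value.
    expect timeout { exit 2 } eof { exit 3 } -ex $prompt
    # $env(...) is substituted once; its content is never re-evaluated as Tcl.
    send -- "$env($var)\r"
}
expect eof
# Propagate the exit status of the spawned binary to the calling script.
lassign [wait] pid sid os_error status
exit $status
EOF
}

# Call from a policy script, with the four values already held in variables:
#   jamf_enroll_prompted "$jssUser" "$jssPass" "$sshUser" "$sshPass"
```

A non-zero return tells the caller which stage failed, so the script can stop before it records the new password anywhere else.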
