Change management account password via command line

roiegat
Contributor III

So I wrote a script to update the local account password on the computer per new guidelines (it's gotta be longer now and change more often). Since the account is used by JAMF to manage the machine, I've been looking at how to tell JAMF via script of the new password. I know I can go into the console and do it, but I'm trying to automate the whole process since I have to do this on a plethora of machines.

I looked at the JAMF help page, and the change password option seems like it would be correct, but I'm trying to find the correct syntax for it. I also need to be sure it'll update JAMF with the new management password. Thanks.


TJ_Edgerly
New Contributor III

@roiegat Any reason why you're not using a policy with the management account section? You could set up a policy to change the management account password and re-run the policy based on scope/frequency.

roiegat
Contributor III

@TJ.Edgerly Because that would be way too easy, and hence deemed unsafe by our security guys. Our management passwords have to use a combination of system variables, so scripting is the only option we have.

But, I think I figured it out. Using the following command:
sudo jamf resetPassword -username <name> -password <password>

Testing it now to make sure JAMF can still manage the machine after that change.

mm2270
Legendary Contributor III
Testing it now to make sure JAMF can still manage the machine after that change.

I'm fairly certain it won't be able to manage the machine with that account after changing it that way. The point of the policy payload is that after changing the password it updates the computer record with the change in the database. Since the management password is stored in a hash in the db record, it's probably something only the jamf binary can do properly.

Is using a randomly generated password in the above payload not an option? Or is this a case where you need to know what the management password is after it's changed?

roiegat
Contributor III

@mm2270 So far tested on two machines and it seems to have worked. After running the script on the machine (both without doing a recon afterwards) I was able to log into JAMF Remote and send packages to both machines. I also confirmed it took the new password by SSHing into the machines as well.

As for a random password, while nice in theory, it's still in the vetting process by our security team. So until we get permission to use it, we need to know what the password is for these machines.
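The thread's working recipe is `jamf resetPassword -username <name> -password <password>` followed by a manual check that the machine is still manageable. The script below, an added example that is not from this thread or from Jamf, wraps that in three checks a deployment script would want: it refuses a password that does not meet the length/complexity policy before touching the account, it reads the new password from a root-only (mode 0600) file instead of hardcoding it, and after the reset it verifies the local account actually authenticates with the new value. The account name `jamfmgmt`, the minimum length of 16, the secret file path, and the `JAMF_BIN`/`DSCL_BIN` overrides are assumptions for the example; `jamf resetPassword` comes from the thread and `dscl . -authonly` is the standard macOS way to test a local credential.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed paths/values are overridable via the environment.
JAMF_BIN="${JAMF_BIN:-/usr/local/jamf/bin/jamf}"   # jamf binary location
DSCL_BIN="${DSCL_BIN:-/usr/bin/dscl}"               # macOS directory services CLI
MGMT_ACCOUNT="${MGMT_ACCOUNT:-jamfmgmt}"            # assumed management account name
MIN_LEN="${MIN_LEN:-16}"                            # assumed policy minimum length
SECRET_FILE="${SECRET_FILE:-/var/root/.mgmt_pw}"    # assumed root-only file holding the new password

# Policy gate: minimum length plus at least one digit, one upper and one lower-case letter.
# Returns 0 when the candidate passes, 1 otherwise.
check_policy() {
    pw="$1"
    [ "${#pw}" -ge "$MIN_LEN" ] || return 1
    case "$pw" in *[0-9]*) ;; *) return 1 ;; esac
    case "$pw" in *[A-Z]*) ;; *) return 1 ;; esac
    case "$pw" in *[a-z]*) ;; *) return 1 ;; esac
    return 0
}

# Read the first line of a secret file, refusing files that group or others can read or write.
# Returns 1 if the file is missing, 2 if its permissions are too loose; prints the secret on success.
read_secret() {
    f="$1"
    [ -f "$f" ] || return 1
    if [ -n "$(find "$f" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print)" ]; then
        return 2
    fi
    IFS= read -r pw < "$f" || [ -n "$pw" ]   # tolerate a missing trailing newline
    printf '%s' "$pw"
}

# Confirm the local account authenticates with the new password (dscl exits non-zero on failure).
verify_local_password() {
    "$DSCL_BIN" . -authonly "$1" "$2" >/dev/null 2>&1
}

# Run the reset from the thread, then verify the account took the new value.
# Return codes: 0 ok, 1 policy failure, 2 jamf resetPassword failed, 3 new password does not authenticate.
reset_management_password() {
    acct="$1"
    pw="$2"
    check_policy "$pw" || { echo "new password does not meet policy" >&2; return 1; }
    "$JAMF_BIN" resetPassword -username "$acct" -password "$pw" >/dev/null 2>&1 || return 2
    verify_local_password "$acct" "$pw" || return 3
    return 0
}

# Only perform the reset when explicitly asked (./reset.sh run), so sourcing the file is harmless.
case "${1:-}" in
    run)
        newpw="$(read_secret "$SECRET_FILE")" || { echo "cannot read $SECRET_FILE securely" >&2; exit 1; }
        reset_management_password "$MGMT_ACCOUNT" "$newpw"
        exit $?
        ;;
esac
```

Note that `jamf resetPassword` only accepts the password as a command-line argument, so it is briefly visible in the process list while the binary runs; keeping it out of the script body and out of log output (hence the `>/dev/null 2>&1`) is the part that is under your control. Whether the JSS record was updated is still something to confirm from the server side, as roiegat did with Jamf Remote.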

benducklow
Contributor III

@roiegat Just confirming that when you SSH into a machine and run the

sudo jamf resetPassword -username <name> -password <password>

that the JSS is aware of the new password and all is well as far as management, communications, etc afterwards? Your last post stated it was all good. Just trying to confirm...

Have you tried to use Jamf Remote to execute the command?

This might be something to tuck in my toolbelt. I have a few devices that failed with a simple policy to change the management password using a static one ("Error: The Managed Account Password could not be changed.")

Thanks!

ryan_ball
Valued Contributor

If the resetPassword does not work, this will.

#!/bin/bash

# Fill these in before running. Anyone who can read this file can read the
# credentials, so keep it root-owned with restrictive permissions.
jssUser=""   # JSS account allowed to enroll computers
jssPass=""
sshUser=""   # management (SSH) account the JSS should use for this machine
sshPass=""   # the new management password

# Re-enroll with -prompt and feed the interactive prompts via expect.
# -noManage/-noRecon/-noPolicy skip the extra steps so only the credentials are updated.
# The heredoc is unquoted on purpose so bash expands the four variables above.
/usr/bin/expect >/dev/null 2>&1 <<EOF
    set timeout -1
    spawn /usr/local/jamf/bin/jamf enroll -prompt -verbose -noManage -noRecon -noPolicy
    expect "JSS Username:"
    send -- "$jssUser\r"
    sleep 1
    expect "JSS Password:"
    send -- "$jssPass\r"
    sleep 1
    expect "SSH Username:"
    send -- "$sshUser\r"
    sleep 1
    expect "SSH Password:"
    send -- "$sshPass\r"
    expect eof
EOF