Help

Change Password for Filevault-Enabled Management Account on Ventura and Sonoma?

Go to solution
dungeonadept
New Contributor III

Posted on ‎10-18-2023 06:58 AM

I'd love to be able to have a script to update the password for our local admin account on all devices. I know some people here were able to get this working, but that thread is a few OSes old and I assume based on the age that it's no longer applicable.

0 Kudos
1 ACCEPTED SOLUTION

Go to solution
TrentO
Contributor II

Posted on ‎10-18-2023 03:26 PM

I'm pretty sure @AJPinto is correct. 

Have you looked into using LAPS? Jamf has a built in solution for management accounts (https://learn.jamf.com/bundle/technical-paper-laps-current/page/Local_Administrator_Password_Solutio... ). There are also 3rd party implementations such as PezzaD84/macOSLAPS

 

These are not quite what you're asking as they would require either making a new account or using an existing management account. Still, it might be your best option.

View solution in original post

7 REPLIES 7

Go to solution
AJPinto
Honored Contributor II

Posted on ‎10-18-2023 09:05 AM

This is not possible anymore as far as I am aware. FileVault generates a Secure Token, and you need a secure token to rotate the password of an account with a Secure Token. 

0 Kudos

Go to solution
TrentO
Contributor II

Posted on ‎10-18-2023 03:26 PM

I'm pretty sure @AJPinto is correct. 

Have you looked into using LAPS? Jamf has a built in solution for management accounts (https://learn.jamf.com/bundle/technical-paper-laps-current/page/Local_Administrator_Password_Solutio... ). There are also 3rd party implementations such as PezzaD84/macOSLAPS

 

These are not quite what you're asking as they would require either making a new account or using an existing management account. Still, it might be your best option.

Go to solution
dungeonadept
New Contributor III
In response to TrentO

Posted on ‎10-19-2023 05:37 AM

We use LAPS on our Windows machines, and I never even considered there'd be a similar implementation for MacOS.

Honestly, that second one, with the self-service options, looks great for what we need. We already have a local admin on each device, it's just a matter of setting it up with that account from the sounds of it. Thanks for the links!

 

 

0 Kudos

Go to solution
TrentO
Contributor II
In response to dungeonadept

Posted on ‎10-19-2023 06:56 AM

Glad to help. There was a great talk at JNUC on it this year. I don't think the video is on youtube yet, but it should be soon-ish.

0 Kudos

Go to solution
iresco
New Contributor

Posted on ‎10-31-2023 04:04 PM

Hello,

@TrentO Thanks for sharing! This is looking great indeed.

I need a sanity check for PezzaD84/macOSLAPS solution. This needs to have LAPS enabled in the Jamf Pro API first correct?

Thank you!

0 Kudos

Go to solution
TrentO
Contributor II
In response to iresco

Posted on ‎10-31-2023 04:18 PM

No actually. This is a completely separate LAPS implementation and only relies on Jamf to deploy the policies.

0 Kudos

Go to solution
iresco
New Contributor

Posted on ‎10-31-2023 04:31 PM

@TrentO Thanks so much for confirming! Really appreciate it.

I'll be testing on a couple laptops first then :)

0 Kudos