Changing local admin password and FileVault2

AVmcclint
Honored Contributor

I've seen posts here that say I can create a policy to change the password of a local account, but none of the JAMFnation posts I've found address FileVault in the mix. How can I change the admin passwords on all our managed Macs so that the change is automatically synced up with the local FileVault2 account info? One requirement is that I am not forced to touch each and every Mac, because there are several Macs in remote locations 1000 miles away and getting hands-on isn't possible. On a related note, does this password change policy also change the keychain passwords too? It's not a big deal, since the local admin account doesn't really need a keychain for our purposes, but it would be nice if the techs didn't have to deal with a multitude of keychain alerts when they log in as the admin account after a change has been pushed.

2 REPLIES

nessts
Valued Contributor II

I know you can script changing the keychain password with the security command.

In Perl it looks like this:

# List form: each argument goes straight to security without passing through a shell,
# so quotes or spaces in the passwords cannot break the command.
# -o is the current keychain password, -p the new one, then the keychain path.
system('security', 'set-keychain-password', '-o', $symcpw, '-p', $password, $loginkeychain);

So you could add a script or a command line to your policy to change it. However, you may want to investigate the encrypted password stuff that was posted last week.
We do not have local admin accounts able to unlock FileVault on any of our machines. I might have to test that to see what happens; I would hope that Apple has all password-changing methodologies updating the FV password too.
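As an added example (not code from either poster), here is a shell script that puts the security step beside the password change and then checks the FileVault user list instead of assuming it followed. It assumes macOS's dscl, security and fdesetup, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: rotate a local admin password, update the
# login keychain with `security`, then confirm the account is still a FileVault
# enabled user. Assumes macOS's dscl, security and fdesetup are on the PATH.
# Caveat: the old and new passwords are passed as arguments, so they are visible
# to `ps` on the Mac for the lifetime of each command.
set -eu

# Exit 0 if USER is listed in the given `fdesetup list` output ("user,UUID" lines).
fv_user_enabled() {
  user="$1"; listing="$2"
  printf '%s\n' "$listing" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Newer macOS versions name the login keychain login.keychain-db; fall back otherwise.
login_keychain_path() {
  home="$1"
  if [ -e "$home/Library/Keychains/login.keychain-db" ]; then
    printf '%s\n' "$home/Library/Keychains/login.keychain-db"
  else
    printf '%s\n' "$home/Library/Keychains/login.keychain"
  fi
}

# Usage (as root): rotate_admin_password USER OLD_PASSWORD NEW_PASSWORD
rotate_admin_password() {
  user="$1"; old="$2"; new="$3"
  home=$(dscl . -read "/Users/$user" NFSHomeDirectory | awk '{ print $2 }')
  kc=$(login_keychain_path "$home")
  # Supplying the old password changes it as the user rather than as root.
  dscl . -passwd "/Users/$user" "$old" "$new"
  # Re-key the login keychain so the admin does not face a wall of keychain prompts.
  security set-keychain-password -o "$old" -p "$new" "$kc"
  # Whether the FileVault unlock record followed the change is exactly what the
  # thread is unsure about, so check rather than assume.
  if fv_user_enabled "$user" "$(fdesetup list)"; then
    echo "OK: $user is still a FileVault-enabled user"
  else
    echo "WARNING: $user is not FileVault-enabled; fix with fdesetup before relying on it" >&2
    return 1
  fi
}
```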

AVmcclint
Honored Contributor

I'm bringing this back up again because I learned that our InfoSec team absolutely will not allow passwords sent in the clear over the network. If I create a policy using Options > Local Accounts > Reset Account Password, can anyone tell me if that password is sent in the clear or if it is encrypted?

I've seen scripts on JAMFnation that create completely random passwords on each computer locally... we can't do that. When we need to fix something, we need to be able to sit at any given computer and immediately log in using the admin password.