Changing the Password of managed devices

aninja
New Contributor

Hi all, how would I change the password of the managed devices inside of Jamf? I know how to instruct them to change it from their end, but I'm not sure how to change it from our end. How would I do this?

6 REPLIES

AJPinto
Honored Contributor III

MDM is Mobile Device Management; Apple does not want you managing user accounts with MDM.


Account management is done one of two ways:

  1. Provide the user with the FileVault Recovery key (and recovery lock password) to reset their own password with macOS Recovery.
     - Or use the local admin account to change the user's password from within macOS.
  2. Use the IDP to change the user's password with Platform Single Sign-On.

aninja
New Contributor

Ok, so that is not an option when using Jamf to change/control users' passwords from our end? I figure that makes sense, especially because of security/privacy concerns. Is this the cause? Basically just to protect user info and confidentiality. @AJPinto

AJPinto
Honored Contributor III

The Jamf Pro console can reset a user's password with a policy, provided the user does not have a Secure Token. Due to FileVault, almost all users should have Secure Tokens.


> I figure that makes sense especially because of security/privacy concerns. Is this the cause?

Generally speaking, yes. Apple is attempting to secure and protect user accounts, and their data. Apple relegates identity management such as password resets to:

  • Local device functions (mainly consumer focused).
  • Resetting passwords with the FileVault recovery key (MDM workflow).
  • The newer workflows with PSSO that allow the IDP to reset the password.

TheCookieMonsta
New Contributor II

@AJPinto Thank you for explaining this. I actually opened up a ticket since I did not know this. Jamf was trying to walk me through changing the password, but it wasn't for the user's password. It was for the Administrator account that is created during enrollment. So for "security" reasons I attempted to change the password on that one and failed.

But the funny thing is that yesterday I actually tried to change the admin account password and I was getting failures on the password change. I pushed a secondary temp admin account to achieve this. The temp account worked to delete and modify other accounts, but it was not able to do anything to the Admin account, not even delete it.

AJPinto
Honored Contributor III

Check to see if the accounts you are having failures with have Secure Tokens, and if the accounts you are successful with don't have Secure Tokens.


The function of Secure Tokens is to dis-empower root. So, accounts that have Secure Tokens cannot be modified with root-level permissions. Everything Jamf does from the CLI is done with root-level access, which cannot modify Secure Token accounts, as that would give a malicious actor a path to get a Secure Token with just root access, which is what Apple is trying to prevent.
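One way to run the Secure Token check suggested above, as an added example that is not from this thread or from Jamf: it lists the local accounts on a Mac and reports each one's Secure Token status. It assumes the macOS built-ins `sysadminctl` and `dscl` (run it on the Mac itself, for example from a Jamf policy or Terminal); the parsing function is kept separate so it can also be checked against a constructed sample line.

```sh
#!/bin/sh
# Added example (not from the thread): report which local accounts hold a Secure Token.
# Assumes macOS, where sysadminctl and dscl exist; it does nothing elsewhere.

# Constructed sample of what `sysadminctl -secureTokenStatus <user>` prints (to stderr),
# used only to illustrate the format the parser expects.
SAMPLE_STATUS_LINE='2024-01-01 10:00:00.000 sysadminctl[123:456] Secure token is ENABLED for user admin'

# Reduce a sysadminctl status message to ENABLED, DISABLED or UNKNOWN.
parse_token_status() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Query one account; sysadminctl writes its answer to stderr, so merge it into stdout.
token_status() {
  status_output=$(sysadminctl -secureTokenStatus "$1" 2>&1)
  parse_token_status "$status_output"
}

# Local accounts with UID >= 500 (real users and admins, not system service accounts).
list_local_users() {
  dscl . -list /Users UniqueID | awk '$2 >= 500 { print $1 }'
}

# Print one line per account: name and Secure Token status.
report_secure_tokens() {
  for user in $(list_local_users); do
    printf '%-20s %s\n' "$user" "$(token_status "$user")"
  done
}

# Only attempt the live report where the macOS tools are present.
if command -v sysadminctl >/dev/null 2>&1 && command -v dscl >/dev/null 2>&1; then
  report_secure_tokens
fi
```

Accounts reported as ENABLED are the ones a root-level Jamf policy cannot modify, which matches the failures described in this thread.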

The accounts do have Secure Tokens. So, how can I change the password of an account that has a Secure Token when I don't know the password? In this case it's the admin account.