Force Password Update for local user best practice

light-user
New Contributor II

Hi All, 

My end goal here is to force the local user (end-user) to update their password upon their 2nd login (I will explain). Here is my current workflow for new hires (note: we don't have Jamf Connect), so I have to work with what I've got.

Current Workflow:

1. Enroll the computer through PreStage enrollment and let it cook.
2. Create the local user (new hire) account on the Create a Local Account page in Apple Setup Assistant. In this step we are manually creating a "temp" password.
3. Log out of the current user's (local user) account and log into our jamfadmin account to finish the manual setup steps (additional privacy permissions, renaming the hostname, enabling FV, etc.).
4. Log out of the jamfadmin account and shut down.
5. Deliver the laptop to the new hire with the login information securely enclosed. We leave it up to them to update their default password.

So, with that being said, we now want to force our users to update their default/temp password to a secure one. After doing some research I came across this command, which may do the trick, but I'm looking for guidance as to how to implement it properly given our current workflow.

    pwpolicy -u "$(whoami)" -setpolicy "newPasswordRequired=1"

My initial thought on implementing this command in my workflow is to run it when I initially log into the local user's account, so that the next time they log in they're forced to update it. Some key questions here:

1. Would my password restriction config profile apply in this case? 
2. Would FileVault cause any issues? We turn it on afterwards when we log into the jamfadmin account (step 3).
3. What's the best way to implement this to my workflow? 
4. Can the user use the same password?

Thanks, any input is appreciated! 


AJPinto
Honored Contributor III

I recommend reworking your entire workflow. You should not be logging in to the device with an admin account and setting privacy permissions and enabling FileVault or installing software.


My suggestions:

  1. Build Configuration Profiles to set all your Privacy Permissions.
    1. Some cannot be set by configuration profile, such as Screen Recording (beyond allowing non-admins to enable/disable it) and Location Services (which are not necessary for really anything).
  2. Build a Configuration Profile to automatically enable FileVault.
    1. This can be done at login or logout, or even during enrollment with macOS 14 if you allow a user to create an account during Setup Assistant.
  3. Automate your configuration.
    1. Update any policies you need to run so that they run automatically when the device enrolls; there should be no reason to manually call policies that install security clients, support tools and assets (wallpapers and the like).
  4. Identify how you want users to create accounts.
    1. Jamf Connect is an obvious choice, but XCreds is a similar option.
    2. If you use Okta or Entra, look into Platform SSO, which can create accounts on demand with macOS 14.
    3. There is also the option of allowing users to create their own accounts during Setup Assistant.
  5. Consider setting a Password Requirement Configuration Profile.


Apple's concept for MDM is Mobile Device Management, not user management. Jamf can create accounts using root, but it's not designed to manage those accounts. Once you add things like Secure Tokens into the mix, there is not much Jamf Pro can do to manage accounts.


I don't recommend this, but you can use a password policy to force password changes. 

  1. Set your temp password.
  2. Give the device to a user.
  3. Have a Configuration Profile drop on the device at some point after the user logs on, defining a password policy more complex than what the local account has.
  4. When the user tries to log in to macOS, they will be forced to update the password.
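
Added example, not code from either post in this thread: a shell script that combines the two approaches discussed above. It installs a pwpolicy account policy that the temporary password cannot satisfy (the "more complex than what the local account has" idea from the reply, done with pwpolicy rather than a configuration profile) and then sets the newPasswordRequired=1 flag from the original post so the change is demanded at the next login. The username "newhire", the 12-character minimum and the "at least one digit" rule are assumed values; the plist layout and the policyAttributePassword grammar follow the examples in pwpolicy(8), so check them against your macOS version before deploying. password_meets_policy is a plain-shell mirror of the two rules so you can confirm that the temporary password really violates the policy before the Mac leaves your desk.

```shell
#!/bin/bash
# Added example, not code from the thread. Combines an account policy that is
# stricter than the temporary password with the newPasswordRequired=1 flag
# from the original post, so the next login forces a change and the new
# password must satisfy the policy. Assumed values: user "newhire", min length 12.
# Run as root on the Mac after the account exists: sudo ./force_change.sh newhire
set -eu

# Emit a pwpolicy account-policies plist. $1 = minimum password length.
# The policyContent grammar follows the examples in pwpolicy(8); the
# identifiers are our own labels. Verify against your macOS version.
build_policy_plist() {
    min_len="$1"
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>policyCategoryPasswordContent</key>
  <array>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '.{${min_len},}+'</string>
      <key>policyIdentifier</key>
      <string>Minimum length ${min_len}</string>
      <key>policyParameters</key>
      <dict>
        <key>minimumLength</key>
        <integer>${min_len}</integer>
      </dict>
    </dict>
    <dict>
      <key>policyContent</key>
      <string>policyAttributePassword matches '(.*[0-9].*)'</string>
      <key>policyIdentifier</key>
      <string>At least one digit</string>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# Plain-shell mirror of the two rules above, so you can confirm the temporary
# password really violates the policy before deploying it.
# $1 = password, $2 = minimum length. Returns 0 if both rules pass, 1 otherwise.
password_meets_policy() {
    pw="$1"
    min_len="$2"
    [ "${#pw}" -ge "$min_len" ] || return 1
    case "$pw" in
        *[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Apply the policy and the flag to a local user. macOS only; needs root.
# $1 = short name, $2 = minimum length.
apply_to_user() {
    user="$1"
    min_len="$2"
    plist="$(mktemp /tmp/pwpolicy.XXXXXX)"
    build_policy_plist "$min_len" > "$plist"
    # Account policies govern what the *next* password must satisfy...
    pwpolicy -u "$user" -setaccountpolicies "$plist"
    rm -f "$plist"
    # ...and the flag from the original post forces that next password to be
    # set at the next login.
    pwpolicy -u "$user" -setpolicy "newPasswordRequired=1"
    # State an admin wants to see before handing the Mac over: the policy that
    # landed, whether the user holds a secure token, and FileVault status.
    pwpolicy -u "$user" -getaccountpolicies
    sysadminctl -secureTokenStatus "$user"
    fdesetup status
}

# Only touch a real account when run on macOS with a username argument.
if [ "$(uname)" = "Darwin" ] && [ -n "${1:-}" ]; then
    apply_to_user "$1" 12
fi
```

The last three commands are there for the FileVault question in the original post: if FileVault is already on when the user is forced to change the password, the change only keeps unlocking the disk if that user holds a secure token, and sysadminctl -secureTokenStatus tells you that before the laptop leaves the office. The functions run on any POSIX shell; only apply_to_user calls macOS-specific tools, and the guard at the bottom keeps it from running anywhere else.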

light-user
New Contributor II

For step 3, how would I adjust the config profile so it knows to kick in after the end-user has logged in for the first time?