Help! User forgot his passcode; can't log in

hollyfox
New Contributor

I have an employee who reset his passcode on his laptop and then immediately forgot it. I don't have the option to reset his passcode (in the management section where you would typically lock it). It's managed by jamfusermanagement and we generated that 1-hour passcode to log in and that didn't work. FileVault says it's off in one place and on in another. But it's managed by Jamf. I can see that. Shouldn't I be able to help him??


sdagley
Esteemed Contributor III

@hollyfox If you select the Disk Encryption section under Inventory for the computer in your Jamf Pro console do you see a "Show Key" button to the right of the Personal Recovery Key label? If so clicking it should display the FileVault Recovery Key for that Mac. If it doesn't offer that button then Jamf Pro doesn't have a key escrowed.

I just looked and he doesn't. He was able to get in in a roundabout way. We checked his users on his terminal and jamfusermanagement was listed as a user, so we should have been able to use that temp password it generates? If he did have a recovery key, would I be able to reset the passcode from the management tab?

AJPinto
Esteemed Contributor

You don't reset user passwords directly from within Jamf Pro. The management section you're looking at is primarily for managing the Jamf Pro server itself and pre-stage enrollment accounts, not the regular user accounts on the Macs.

The temporary one-hour passcode generated by jamfusermanagement is typically for initial login or specific administrative tasks tied to Jamf's management framework, not for general user password resets after they've logged in and changed their password.

Regarding FileVault:

  • If the FileVault Recovery Key is Escrowed in Jamf Pro: As @sdagley mentioned, you would normally see a "Show Key" button in the Disk Encryption inventory section for that computer. This key is what's used to unlock the drive and subsequently reset the user's macOS password on the Mac itself, not through Jamf. The user needs to enter their FileVault password incorrectly multiple times at the login screen. macOS will then present an option to use the recovery key. Once entered, macOS will guide them through resetting their macOS user password.
  • If the FileVault Recovery Key is NOT Escrowed in Jamf Pro: If there's no "Show Key" button in Jamf Pro, and the user doesn't have their personal recovery key, and there isn't another administrator account on the Mac with a FileVault token, then unfortunately, the only way to regain access to the data is usually a complete reinstall of macOS.
  • Ensuring Future Recovery Keys are Escrowed: For future situations, if Jamf Pro should be escrowing the FileVault Recovery Keys, you'll want to ensure your FileVault configuration profile is correctly set up to redirect those keys to Jamf. Turning FileVault off and then back on again on the Mac (after verifying the profile settings) should trigger the escrow process again, provided the configuration profile is configured to do so.
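As an added example (not from any poster in this thread), a bash script run on the Mac itself that shows why an account that exists locally, such as jamfusermanagement, can still be refused at the FileVault pre-boot screen: macOS accepts only FileVault-enabled accounts there, and `fdesetup list` reports which those are. The account name, the constructed sample output and the function names are assumptions.

```bash
#!/bin/bash
# Added example (not posted in this thread): report whether a local account can
# unlock a FileVault volume at the pre-boot login screen. Parsing is separated from
# collection so the checks also run against captured `fdesetup` output.

# Normalise `fdesetup status` output to On, Off or Unknown.
fv_state() {
  # $1: full output of `fdesetup status`
  case "$1" in
    *"FileVault is On"*)  echo On ;;
    *"FileVault is Off"*) echo Off ;;
    *)                    echo Unknown ;;
  esac
}

# `fdesetup list` prints one "username,GeneratedUID" line per FileVault-enabled
# user. Return 0 if the named account is listed, 1 otherwise.
fv_user_enabled() {
  # $1: output of `fdesetup list`; $2: account short name
  printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# One-line verdict: will this account's current password be accepted at pre-boot?
fv_report() {
  # $1: `fdesetup status` output; $2: `fdesetup list` output; $3: account
  local state
  state=$(fv_state "$1")
  if [ "$state" != On ]; then
    echo "FileVault is $state; pre-boot unlock does not apply to $3"
  elif fv_user_enabled "$2" "$3"; then
    echo "$3 is FileVault-enabled; its current password unlocks the disk"
  else
    echo "$3 is NOT FileVault-enabled; its password will not unlock the disk"
  fi
}

if command -v fdesetup >/dev/null 2>&1; then
  # Live collection on a Mac (run as root; `fdesetup list` requires it).
  if [ $# -eq 0 ]; then set -- jamfusermanagement; fi
  status_out=$(fdesetup status)
  list_out=$(fdesetup list 2>/dev/null)
  for acct in "$@"; do fv_report "$status_out" "$list_out" "$acct"; done
else
  # Constructed sample output (not from a real Mac) so the script also runs offline.
  sample_status="FileVault is On."
  sample_list="jsmith,0F9A9D8C-0000-4000-8000-000000000001"
  fv_report "$sample_status" "$sample_list" jamfusermanagement
fi
```

If the management account is missing from `fdesetup list`, its one-hour password cannot unlock the disk no matter how valid it is, which matches the symptom in the original post; the escrowed recovery key or another FileVault-enabled account is then the recovery path.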