Jamf Local Password Change Setting in Config Profile

New Contributor

I'm using Jamf Pro MDM in the cloud to manage computers on a campus. I wanted to allow users (employees) to change their local user password (99% are standard, non-admin users) via the Mac's Users & Groups settings, using the user's "Change Password" button, while at the SAME TIME NOT ALLOWING them to change the "Allow this user to administer this computer" toggle listed in the same popup window. I tested by creating a duplicate config profile for the Security & Privacy settings with the only change being to allow password change. This profile was applied to a test machine and unfortunately it gives users the ability to decide whether the user can administer the computer, which defeats the purpose. I don't understand why this one password-change setting in the Security & Privacy config profile section does more than grant password-change permission. Any thoughts or suggestions on this?

A while ago, I resorted to a Self Service script that the user would trigger and that would require a password for a specific user. The issue with this is that it gets messy, with some computers being used by only one employee and others being shared with shared user accounts, where we don't want to allow password changes for the shared accounts. I currently have policies, each of which gets an argument passed to it (a policy containing the script with a specific username as the argument), which is handed to the included script for the password-change requirement. There is one policy for each target computer, and the policy is in Self Service for the user to launch in order to change a specific user's password (based on the argument passed to the script in the policy). Right now this applies only to non-shared computers with an individual employee's local account.

I'm trying to find an easier way to allow password change for these users on these managed mac computers.

Thanks in advance
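The per-computer Self Service approach described above can be collapsed into one policy script if the script checks that the requested account is the person actually logged in and is not on a shared-account list. The following is an added example (not code from the original post or from Jamf) written as a Jamf policy script: it assumes the target username arrives as script parameter $4, that the console user can be read from /dev/console, that `osascript` can show a hidden-answer dialog from a Self Service policy, and that `dscl . -passwd` run as root sets a local password without the old one; the shared-account names are constructed for illustration.

```bash
#!/bin/bash
# Added example: one Jamf policy script that lets the logged-in user change
# their OWN local password from Self Service without touching admin rights.
# Assumption: Jamf passes the target short name as script parameter $4.

# Constructed denylist of shared accounts that must never be reset this way.
SHARED_ACCOUNTS="labshared frontdesk kiosk"

# Accept only simple local short names, so the value is safe to embed in
# the AppleScript prompt and the dscl path (assumed naming convention).
is_valid_username() {
  printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_.-]{0,31}$'
}

# Returns 0 when the name is on the shared-account denylist.
is_shared_account() {
  local name="$1" acct
  for acct in $SHARED_ACCOUNTS; do
    [ "$acct" = "$name" ] && return 0
  done
  return 1
}

# Authorize a change: valid name, not a shared account, and equal to the
# console user so a mis-scoped policy cannot reset a colleague's password.
authorize_change() {
  local target="$1" console_user="$2"
  is_valid_username "$target" || { echo "invalid username: $target" >&2; return 1; }
  is_shared_account "$target" && { echo "shared account, refusing: $target" >&2; return 1; }
  [ "$target" = "$console_user" ] || { echo "target is not the console user" >&2; return 1; }
  return 0
}

# macOS-only helpers (assumptions noted in the lead-in).
console_user() { stat -f '%Su' /dev/console; }

prompt_hidden() {  # $1 = prompt text; shown in the GUI session via osascript
  /usr/bin/osascript -e "text returned of (display dialog \"$1\" default answer \"\" with hidden answer)"
}

main() {
  local target="${4:-}" user pw1 pw2
  user="$(console_user)"
  authorize_change "$target" "$user" || exit 1
  pw1="$(prompt_hidden "New password for $target:")"
  pw2="$(prompt_hidden "Confirm new password:")"
  [ -n "$pw1" ] && [ "$pw1" = "$pw2" ] || { echo "passwords empty or mismatched" >&2; exit 1; }
  # Assumption: as root, dscl sets the password without the old one.
  # Caveat: the value is visible in the process list while dscl runs.
  /usr/bin/dscl . -passwd "/Users/$target" "$pw1"
}

# Run only as root on macOS (how a Jamf policy executes); elsewhere the
# functions above can be sourced and tested without side effects.
if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" = "0" ]; then
  main "$@"
fi
```

Scoping is what makes this a single policy: Self Service shows it to every employee, and the console-user check means the $4 parameter can simply be the same account name the policy is scoped to, or be omitted on a shared machine, where the denylist refuses the change.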


Valued Contributor II

The user needs to be an admin to toggle "allow admin", so if they are standard users, they can't promote the account.

Thank you for the response.

When I tested with a limited user (standard local user), the user was able to change the "allow this user to administer this computer" toggle, and the required-restart popup came up, which told me that it did go into effect. It didn't trigger an administrative credential prompt like I hoped it would. I'd rather the option stayed greyed out.

Valued Contributor II

What's the OS version? I tested this on 14.x.

Mac mini 2023 (M2)

I will eventually test on more computers, but will not move forward unless it works consistently, as desired, across at least macOS 12, 13 and 14.