If the computer is filevault encrypted and has been rebooted then you can't because it needs to be unencrypted to get online.

Otherwise you could push a temporary account and later remove it using the local accounts provision

To avoid the filevault issue I pushed "rescue" accounts with randomized unique passwords to every computer when everyone went remote.

This is exactly what I ended up doing. We have admin accounts with super secret passwords but to hand that out defeats the whole "super secret" thing.

Thanks for taking the time to reply

@strayer Can you please elaborate on how you created the "rescue" accounts? I am particularly interested in how you were able to create the randomized unique passwords for each computer (Were you able to automate this process?).

@emilshouse Everything is automated, there is a setup, and three policies:
SETUP:
A policy installs pass_phrase.py and 3 .txt files to that are random word lists. I put it into /Library/Application Support/COMPANYNAME/passphrase https://github.com/theadamcraig/jamf-scripts/blob/master/pass_phrase.py

There are two extension attributes. One as a text, and the other to read a local file incase the script doesn't use the API successfully. I've included screenshots of both of those.

There is are 3 policies:
One creates the account with a temp password and changes the password. It is scoped to all computers with no rescue account on them.
One changes the password. It is scoped to computers where both extension attributes are blank.

One grabs the password from the -local file and uploads it using the API and deletes it. It is scoped to computers where the RescuePassword-Local is not blank, but the RescuePassword is blank.

This also means that once the RescuePassword is used you can delete the text extension attribute and the password will reset itself.

Here are the other two scripts: https://github.com/theadamcraig/jamf-scripts/blob/master/rescue_account_cleanup
https://github.com/theadamcraig/jamf-scripts/blob/master/Rescue_Account_Password_Change

My Disclaimer: I did not write most of these scripts. I did some major changes to the Rescue Account Password Change scripts, but i linked the github where I found the original script in the comments of it on github.

That's a good overview of how it works. Since my entire company is remote it's been pretty successful.

Take a look at LAPSforMac, you can create a local admin account, routinely update its password and even make the password available to support in the form of device inventory.

Does it work with Big Sur? It looks like it hasn't been updated in years.

I've since rewritten the pass_phrase.py script into zsh to avoid Python dependencies since apple recently removed built in python.

https://github.com/theadamcraig/jamf-scripts/tree/master/rescue_account 

but the process is the same

EDIT: Updated Link

where is pass_phrase.sh ? the link does not work anymore

https://github.com/theadamcraig/jamf-scripts/tree/master/rescue_account

I re-organized my github when I was talking at JNUC in the fall.

I want to try it out, but it's so hard. Can you take a video of how to set it up?

You should probably start using Jamf built in Laps now

https://learn.jamf.com/bundle/technical-paper-laps-current/page/Local_Administrator_Password_Solution.html

Though there is no GUI yet to view the password. Jamf said they are working on that

Adam Craig's data is currently impossible to implement, right?