+9I have no doubt that this has been discussed before but I can't seem to find any discussions relevant to my scenario.
In the event that a user locks themselves out from their machine, how can I push a policy to reset the local account password or even create a new account when the user is unable to login and the administrator is unable to get hands on the machine?
+16If the computer is filevault encrypted and has been rebooted then you can't because it needs to be unencrypted to get online.
Otherwise you could push a temporary account and later remove it using the local accounts provision
To avoid the filevault issue I pushed "rescue" accounts with randomized unique passwords to every computer when everyone went remote.
+9This is exactly what I ended up doing. We have admin accounts with super secret passwords but to hand that out defeats the whole "super secret" thing.
Thanks for taking the time to reply
+2@strayer Can you please elaborate on how you created the "rescue" accounts? I am particularly interested in how you were able to create the randomized unique passwords for each computer (Were you able to automate this process?).
+16@emilshouse
Everything is automated, there is a setup, and three policies:
SETUP:
A policy installs pass_phrase.py and 3 .txt files to that are random word lists. I put it into /Library/Application Support/COMPANYNAME/passphrase
https://github.com/theadamcraig/jamf-scripts/blob/master/pass_phrase.py
There are two extension attributes. One as a text, and the other to read a local file incase the script doesn't use the API successfully. I've included screenshots of both of those.
There is are 3 policies:
One creates the account with a temp password and changes the password. It is scoped to all computers with no rescue account on them.
One changes the password. It is scoped to computers where both extension attributes are blank.
One grabs the password from the -local file and uploads it using the API and deletes it. It is scoped to computers where the RescuePassword-Local is not blank, but the RescuePassword is blank.
This also means that once the RescuePassword is used you can delete the text extension attribute and the password will reset itself.
Here are the other two scripts:
https://github.com/theadamcraig/jamf-scripts/blob/master/rescue_account_cleanup
https://github.com/theadamcraig/jamf-scripts/blob/master/Rescue_Account_Password_Change
My Disclaimer: I did not write most of these scripts. I did some major changes to the Rescue Account Password Change scripts, but i linked the github where I found the original script in the comments of it on github.
That's a good overview of how it works. Since my entire company is remote it's been pretty successful.
+4Take a look at LAPSforMac, you can create a local admin account, routinely update its password and even make the password available to support in the form of device inventory.
+16@emilshouse
Everything is automated, there is a setup, and three policies:
SETUP:
A policy installs pass_phrase.py and 3 .txt files to that are random word lists. I put it into /Library/Application Support/COMPANYNAME/passphrase
https://github.com/theadamcraig/jamf-scripts/blob/master/pass_phrase.py
There are two extension attributes. One as a text, and the other to read a local file incase the script doesn't use the API successfully. I've included screenshots of both of those.
There is are 3 policies:
One creates the account with a temp password and changes the password. It is scoped to all computers with no rescue account on them.
One changes the password. It is scoped to computers where both extension attributes are blank.
One grabs the password from the -local file and uploads it using the API and deletes it. It is scoped to computers where the RescuePassword-Local is not blank, but the RescuePassword is blank.
This also means that once the RescuePassword is used you can delete the text extension attribute and the password will reset itself.
Here are the other two scripts:
https://github.com/theadamcraig/jamf-scripts/blob/master/rescue_account_cleanup
https://github.com/theadamcraig/jamf-scripts/blob/master/Rescue_Account_Password_Change
My Disclaimer: I did not write most of these scripts. I did some major changes to the Rescue Account Password Change scripts, but i linked the github where I found the original script in the comments of it on github.
That's a good overview of how it works. Since my entire company is remote it's been pretty successful.
I've since rewritten the pass_phrase.py script into zsh to avoid Python dependencies since apple recently removed built in python.
https://github.com/theadamcraig/jamf-scripts/tree/master/rescue_account
but the process is the same
EDIT: Updated Link
+11I've since rewritten the pass_phrase.py script into zsh to avoid Python dependencies since apple recently removed built in python.
https://github.com/theadamcraig/jamf-scripts/tree/master/rescue_account
but the process is the same
EDIT: Updated Link
where is pass_phrase.sh ? the link does not work anymore
+16where is pass_phrase.sh ? the link does not work anymore
https://github.com/theadamcraig/jamf-scripts/tree/master/rescue_account
I re-organized my github when I was talking at JNUC in the fall.
+4I've since rewritten the pass_phrase.py script into zsh to avoid Python dependencies since apple recently removed built in python.
https://github.com/theadamcraig/jamf-scripts/tree/master/rescue_account
but the process is the same
EDIT: Updated Link
I want to try it out, but it's so hard. Can you take a video of how to set it up?
+11I want to try it out, but it's so hard. Can you take a video of how to set it up?
You should probably start using Jamf built in Laps now
Though there is no GUI yet to view the password. Jamf said they are working on that
+1You should probably start using Jamf built in Laps now
Though there is no GUI yet to view the password. Jamf said they are working on that
Adam Craig's data is currently impossible to implement, right?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
