Skip to main content
Question

Local Account Payload Change Password Does not Update FileVault

  • February 9, 2015
  • 6 replies
  • 36 views
B
Forum|alt.badge.img+7

We were looking to create a policy that would change our Admin account's password. I created a policy and used the "Local Account" payload with the Action Taken as "Reset Account Password". So far, I only made available in Self Service.
I executed the Self Service policy as a different user. It executed without any issues and the local admin password changed but the FileVault preboot still only accepts the previous password. I assume this is an issue with the KeyChain not updating.

Is there a way to get the local password to sync with FileVault?

Thanks,
Brian

    6 replies

    davidacland
    Forum|alt.badge.img+18
    • davidacland
    • Valued Contributor
    • February 9, 2015

    Not sure if this is related but it it sounds similar to this thread: https://jamfnation.jamfsoftware.com/discussion.html?id=12741

    J
    Forum|alt.badge.img+11
    • Josh_S
    • Contributor
    • February 9, 2015

    @bkramps Take a look here: https://jamfnation.jamfsoftware.com/featureRequest.html?id=3074

    Bug with Mac OS 10.10. There are a couple workarounds suggested.

    R
    Forum|alt.badge.img+33
    • rich.trouton
    • Hall of Fame
    • February 9, 2015

    Yup, this is a Yosemite bug that affects dscl (and also sysadminctl.) Oddly, it doesn't seem to affect passwd. Aside from a general "No school like the old school" statement, I'm not sure why changing a password with passwd will update the FileVault 2 pre-boot login while the others don't.

    J
    Forum|alt.badge.img+11
    • Josh_S
    • Contributor
    • February 9, 2015

    @rtrouton

    I see this same thing happen with passwd when invoking it as root, when it doesn't prompt for your old password. It also happens when you use the GUI via System Preferences when using one user's admin rights to change the password of a different local user. Basically, any method of changing a user's password that does not require knowledge of the user's old password.

    And, unlike mobile accounts, a successful login to the login screen does not update the FileVault cached password. To re-sync, you have to log in and go through the steps of changing the password - even if you set it back to what it was already set to.

    B
    Forum|alt.badge.img+7
    • bkramps
    • Author
    • Contributor
    • February 9, 2015

    Thank you @davidacland and @Josh_S. The old password field in the Local Account payload would be a great feature.

    I will try the suggestion of a script with old and new password.

    G
    Forum|alt.badge.img+10
    • gregneagle
    • New Contributor
    • February 9, 2015

    "And, unlike mobile accounts, a successful login to the login screen does not update the FileVault cached password."

    That seems like the key bug/missing feature here.

    If local accounts were treated like mobile accounts in this regard it would be a marked improvement.

    I've seen variations of this same issue all the way back to Lion -- this isn't really new with Yosemite.

    Terms & ConditionsCookie settingsAccessibility statement