Local Admin password corrupted after re-enrollment

pty10
New Contributor III

I added a policy to add a local account in Casper to use as an admin account to log in to the MacAir computers we have here at school. I enabled both 'Allow user to administer computer' and 'Enable user for FileVault 2' and added the computers to the scope.

Once the policy is created and I restart the computer (I can see the computer(s) check in to Casper), I can log in to the computers as the admin with no issues.

The weird thing is that if I re-enrol a computer more than once (using `sudo jamf enroll -prompt` or using Casper Suite), the local admin account that I created stops working. I can't log in to any of the computers as that local admin account. It happened once; I created a new local account and it fixed the problem, but I had to do another re-enrolment more than once and the local account stopped working again.

Any idea how to solve the problem? Anything I'm doing wrong? Hope what I just said makes sense.

Cheers,

Henry

1 ACCEPTED SOLUTION

davidacland
Honored Contributor II

The triggers would be ok but an ongoing execution frequency will cause the policy to run every time any of the triggers occur. If it's creating an account you will probably want it set to once per computer.


7 REPLIES

davidacland
Honored Contributor II

As long as the account gets created initially and works I haven't had any ongoing problems.

The policy frequency / execution settings could be causing it to re-run (or mess something up) when a Mac is re-enrolled?

Is the account still present after you re-enroll? (You can check with `id username` in the Terminal.) If it is there you could try resetting the password (locally in System Preferences) just to determine how bad the damage is when it goes wrong.

pty10
New Contributor III

Hi David,

Glad you mentioned the policy frequency. The general policy is currently set up as follows:

1. Triggers enabled:
   - Startup
   - Enrollment Completed
   - Recurrent Check-in
2. Execution Frequency: Ongoing

Maybe I'm doing a bit of overkill having so many triggers enabled and the frequency ongoing? Should I set up the policy using Startup as the only trigger and the execution frequency once per computer? Not sure.

I will check on Monday to see if the account is still present after I re-enroll, and also try resetting the password in System Preferences using a hidden admin account I created, to see if that way I can reset the password for the admin account that isn't working.

Cheers,

Henry

davidacland
Honored Contributor II

The triggers would be ok but an ongoing execution frequency will cause the policy to run every time any of the triggers occur. If it's creating an account you will probably want it set to once per computer.

pty10
New Contributor III

Will try that. Can I ask you, if I need to change the password of the local account, should I:
1. The 'reset password' option within local account to change the password
2. Use 'create account' option and change the password to something different
3. Or use Management account to change the password?

Thanks

davidacland
Honored Contributor II

Option 1 would apply in that scenario.

Option 2 might succeed (if it tramples all over the previous account), but it's more likely it would fail as there is an account there already.

For option 3, if you mean the section that lets you change the management account password, that would only apply to the management account itself.

pty10
New Contributor III

Thanks, will give it a try

pty10
New Contributor III

Couldn't get the current admin account to work again, but I created a new one, set the frequency to 'once per computer' and it works fine now, thanks.

Henry