In our environment, we have DEP-managed MacBooks with a management account that has the username administrator and a password we set, intended to help us use it as an admin account on all machines.
We have a policy running to change the management account password with one we set, but we have some computers that fail to run the policy and give an error of "Error: The Managed Account Password could not be changed."
I know I've seen a few posts saying this is an issue with machines running 10.14.x or some other OS issue, but we've been able to update the passwords on machines running any OS, and see this issue happening across various OSes as well.
I'm a bit of a novice to Jamf/Macs in general, but am hoping to get any insight I can into any solutions/leads!
We have FileVault enabled for both the administrator and local user accounts, and most drives are APFS or Mac OS Extended (Journaled).
I think you may be confusing 'management account' and 'administrator account.'
Generally speaking, the 'management account' is the account used by Jamf Pro to execute management tasks on managed devices. Personally, I think best practice is to have this password set to a random value on all managed devices (Jamf Pro will know what the password is, and that is all that is required).
As for the administrator account, if you so choose, you can set this to a fixed value in the PreStage enrollment (in 'Account Settings,' check the 'Create an additional local administrator account' checkbox).
One could argue that having and using a local admin account on a managed device is a bit of a security risk. If you type a shared admin password on an untrusted device, you run the risk of having that password captured by a key logger. Devices outside of your direct control should always be considered untrusted. If the device is managed, you shouldn't need to ever access the device directly.
Just my $0.02
'The management account is the account used by Jamf Pro to execute management tasks' is slightly misleading; it is only used for FileVault changes and something I can't remember... The binary or MDM performs most operations.
As for a separate admin account, a lot of people don't use one now for security reasons. Also, with secure token it's a PITA getting it all to work, especially with 10.15 coming up, when it probably just won't work. The FV password is available in Jamf, so you can always unlock a device if the user forgets their password.
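Since both replies point at FileVault and secure token as the place where management-account password changes get awkward, a quick way to see where an affected Mac stands is to check whether the account in question holds a secure token and appears in the FileVault-enabled user list. The script below is an added example, not from this thread or from Jamf: it assumes macOS's `sysadminctl -secureTokenStatus` and `fdesetup list`, and the sample output embedded in it is constructed to approximate what those commands print (the timestamp/process prefix on the sysadminctl line is an assumption; only the "Secure token is ENABLED/DISABLED" phrase is relied on).

```bash
#!/bin/bash
# Added example (not from the thread): report whether a local macOS account
# holds a secure token and is FileVault-enabled. The parsing helpers take the
# command output as text, so they can be exercised on constructed samples
# without a Mac; --live runs the real commands.

# parse_secure_token <output of sysadminctl -secureTokenStatus USER>
# Prints "enabled", "disabled" or "unknown".
parse_secure_token() {
  case "$1" in
    *"Secure token is ENABLED"*)  echo enabled ;;
    *"Secure token is DISABLED"*) echo disabled ;;
    *)                            echo unknown ;;
  esac
}

# fv_enabled <user> <output of fdesetup list>
# fdesetup list prints one "username,UUID" line per FileVault-enabled user.
# Returns 0 if the user is in the list, 1 otherwise.
fv_enabled() {
  local user="$1" list="$2"
  printf '%s\n' "$list" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# check_account <user>: run the real commands (needs macOS; run as root).
# sysadminctl writes its status line to stderr, hence 2>&1.
check_account() {
  local user="$1" st fv
  st=$(parse_secure_token "$(sysadminctl -secureTokenStatus "$user" 2>&1)")
  if fv_enabled "$user" "$(fdesetup list 2>/dev/null)"; then fv=yes; else fv=no; fi
  printf '%s: secure token=%s, FileVault-enabled=%s\n' "$user" "$st" "$fv"
}

# Constructed sample output (assumed format) so the helpers can be run anywhere.
SAMPLE_TOKEN_OUTPUT='2019-06-12 10:15:02.123 sysadminctl[4242:98765] Secure token is ENABLED for user administrator'
SAMPLE_FDE_LIST='jdoe,1A2B3C4D-0000-1111-2222-333344445555
administrator,9F8E7D6C-0000-1111-2222-333344445555'

if [ "${1:-}" = "--live" ]; then
  check_account "${2:-administrator}"
fi
```

Run it on an affected Mac as root with `--live administrator` (or whatever your management account is called); an account that is not FileVault-enabled, or has no secure token, is the first thing to compare against a machine where the policy succeeds.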
Thanks for the response, guys! Very helpful. You are right, we are using a management account. Do you happen to know why we would be getting "Error: The Management Account Password Can't Be Changed" when running our policy to change the password? Attached is a photo of our settings.