Local Admin Password

Raiders18
New Contributor II

Hi Everyone!

In our environment, we have DEP-managed MacBooks with a management account that has the username "administrator" and a password we set, to be used as an admin account on all machines.

We have a policy running to change the management account password to one we set, but some computers fail to run the policy and give the error "Error: The Managed Account Password could not be changed."

I know I've seen a few posts saying this is an issue with machines running 10.14.x or some other OS issue, but we've been able to update the passwords on machines running any OS, and we see this issue happening across various OSes as well.

I'm a bit of a novice to Jamf/Macs in general, but am hoping to get any insight I can into any solutions/leads!

We have FileVault enabled for both the administrator and local user accounts, and most drives are APFS or Mac OS Extended (Journaled).

Thanks!


jcarr
Release Candidate Programs Tester

I think you may be confusing 'management account' and 'administrator account.'

Generally speaking, the 'management account' is the account used by Jamf Pro to execute management tasks on managed devices. Personally, I think best practice is to have this password set to a random value on all managed devices (Jamf Pro will know what the password is, and that is all that is required):

[attached image]

As for the administrator account, if you so choose, you can set this to a fixed value in the PreStage enrollment (in 'Account Settings,' check the 'Create an additional local administrator account' checkbox):

[attached image]

One could argue that having and using a local admin account on a managed device is a bit of a security risk. If you type a shared admin password on an untrusted device, you run the risk of having that password captured by a key logger. Devices outside of your direct control should always be considered untrusted. If the device is managed, you shouldn't need to ever access the device directly.

Just my $0.02

marklamont
Contributor III

"The 'management account' is the account used by Jamf Pro to execute management tasks" is slightly misleading; it is only used for FileVault changes and something I can't remember... The binary or MDM performs most operations.
As for a separate admin account, a lot of people don't use one now for security reasons. Also, with secure token it's a PITA getting it all to work, especially with 10.15 coming up, when it just won't work, probably. The FV password is available in Jamf, so you can always unlock a device if the user forgets their password.

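Since the replies above point at the management account, secure token and FileVault, here is a read-only triage script that collects those facts for one local account before the password policy is retried. It is an added example, not code from this thread or from Jamf. The account name "administrator" is taken from the original post and is an assumption (pass another name as the first argument); the script only parses the output of `sysadminctl -secureTokenStatus`, `fdesetup status`, `fdesetup list` and `dscl`, and on a host without those macOS tools it falls back to constructed sample output so the parsing can still be exercised.

```shell
#!/bin/sh
# Added example (not from the thread or from Jamf): read-only secure-token /
# FileVault triage for one local account on a Mac. Run as root so that
# `fdesetup list` returns the enabled-user list. The default account name
# "administrator" is an assumption taken from the original post.

ACCOUNT="${1:-administrator}"

# `sysadminctl -secureTokenStatus NAME` writes a line such as
#   sysadminctl[101:202] Secure token is ENABLED for user administrator
# to stderr. Map that line to enabled / disabled / unknown.
parse_secure_token() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
parse_fv_status() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# `fdesetup list` prints one "username,UUID" line per FileVault-enabled
# user. Print yes if $2 appears as a username in $1, else no.
fv_user_listed() {
    printf '%s\n' "$1" | awk -F, -v u="$2" \
        '$1 == u { found = 1 } END { print found ? "yes" : "no" }'
}

# Gather the raw facts, from the live system when the macOS tools exist,
# otherwise from constructed sample output shaped like the real commands.
# Output: "<source> <exists> <token> <filevault> <listed>" on one line.
gather() {
    name="$1"
    if command -v sysadminctl >/dev/null 2>&1 && command -v fdesetup >/dev/null 2>&1; then
        if dscl . -read "/Users/$name" RecordName >/dev/null 2>&1; then
            exists=yes
        else
            exists=no
        fi
        token_raw=$(sysadminctl -secureTokenStatus "$name" 2>&1)
        fv_raw=$(fdesetup status 2>&1)
        list_raw=$(fdesetup list 2>/dev/null)
        source=live
    else
        # Constructed sample output (not captured from a real machine).
        exists=yes
        token_raw="sysadminctl[101:202] Secure token is DISABLED for user $name"
        fv_raw="FileVault is On."
        list_raw="jdoe,8A3F2C10-1111-2222-3333-444455556666"
        source=sample
    fi
    printf '%s %s %s %s %s\n' "$source" "$exists" \
        "$(parse_secure_token "$token_raw")" \
        "$(parse_fv_status "$fv_raw")" \
        "$(fv_user_listed "$list_raw" "$name")"
}

# Print the facts a person would want next to the policy log entry.
report() {
    acct="$1"
    facts=$(gather "$acct")
    set -- $facts
    echo "account:           $acct"
    echo "data source:       $1"
    echo "account exists:    $2"
    echo "secure token:      $3"
    echo "FileVault:         $4"
    echo "in fdesetup list:  $5"
}

report "$ACCOUNT"
```

On a Mac, run it as root (`sudo sh triage.sh administrator`); the "data source" line tells you whether you are looking at live output or at the built-in sample. The parsers deliberately match on the fixed phrases in the commands' output rather than on the process-id prefix, which changes on every invocation.
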
Raiders18
New Contributor II

Thanks for the response, guys! Very helpful. You are right, we are using a management account. Do you happen to know why we would be getting "Error: The Management Account Password Can't Be Changed" when running our policy to change the password? Attached is a photo of our settings.

[attached image]

brandon_-_autob
New Contributor III

@Raiders18 Did you ever get this resolved? I'm in the same boat on Catalina with FV2 enabled (for context).