Posted on 02-16-2022 03:48 AM
I am just trying to understand how macOS and Jamf Pro manage local accounts/passwords and domain accounts.
I am working in a company that doesn't have Jamf Connect enabled, as far as I am aware.
The company I work for has their own 2FA tool for users to log on. (I have been told that it would be a long-term project to get its APIs to integrate into Jamf Connect.) Not something I will be getting involved with, as it is too technical for me.
Anyway, the process at the moment is that we have a default admin account. So once the MacBook is built we log on with the admin account and make sure FileVault is enabled.
Next we create a local non-admin account for the user. Obviously this account will need a password, so I reset it to a new one. I will actually reset it to the default password I set for the user in Active Directory. However, when I reset the password I get the error:
Resetting the account password doesn't reset the password for the user's "login" keychain.
To reset the password for the "login" keychain, use Keychain Access located in the Utilities folder.
So I will follow that advice. But how or when does the AD password sync with macOS?
In Windows you get a pop-up saying to lock the screen and log back on.
Cheers
Paul
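The manual steps described in the post above (create a standard local account, reset its password, then bring the login keychain back in step), scripted with macOS's own command-line tools. This is an added example, not code from the thread or from Jamf; it only covers the local side and does not touch Active Directory. Assumptions: it is run from an admin session on macOS, the account name, full name and passwords are constructed sample values supplied by the caller, and `DRY_RUN=1` makes it print each command instead of executing it.

```shell
#!/bin/sh
# Added example (not from the thread): provision a standard local account on
# macOS and keep its login keychain password in step with the account password.
# Assumes an admin session on macOS; with DRY_RUN=1 every command is printed
# instead of run, so the script can be read and checked on any machine.
set -eu

# run CMD...: execute the command, or print the command line when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Create a standard (non-admin) local account: deliberately no -admin flag.
create_standard_user() {
  run sudo sysadminctl -addUser "$1" -fullName "$2" -password "$3"
}

# Reset the account password. Like the System Preferences reset, this does NOT
# change the password on the user's login keychain, hence the warning quoted
# in the post. On FileVault Macs where the account holds a secure token,
# sysadminctl may additionally need -adminUser/-adminPassword (not shown).
reset_local_password() {
  run sudo sysadminctl -resetPasswordFor "$1" -newPassword "$2"
}

# Bring the login keychain back in step with the account password (the CLI
# equivalent of the Keychain Access step). The old keychain password is
# required; without it the keychain can only be recreated, not re-keyed.
sync_login_keychain() {
  run sudo -u "$1" security set-keychain-password -o "$2" -p "$3" \
    "/Users/$1/Library/Keychains/login.keychain-db"
}

# Exit 0 if PASSWORD is the account's current local password. This is the
# local half of an "are the passwords in sync" check; the AD half (a Kerberos
# or LDAP bind with the same password) is what tools like NoMAD add.
local_password_is() {
  run dscl . -authonly "$1" "$2"
}

# provision NAME FULLNAME INITIAL_PW AD_DEFAULT_PW
provision() {
  create_standard_user "$1" "$2" "$3"
  reset_local_password "$1" "$4"
  sync_login_keychain "$1" "$3" "$4"
  local_password_is "$1" "$4"
}

# Usage with constructed sample values (not real accounts):
#   DRY_RUN=1 sh provision.sh jdoe "Jane Doe" 'Temp-123' 'S3cret-456'
if [ "$#" -ge 4 ]; then
  provision "$@"
fi
```

Run it with `DRY_RUN=1` first to review the exact commands; the `dscl . -authonly` check at the end is the quickest way to confirm the local password really is what you think it is before you compare it with the AD password.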
Posted on 02-16-2022 04:03 AM
Hello ukmercenary,
The passwords of the local account and the AD account will not sync unless you bind the Mac to Active Directory (I won't recommend this) or you use a tool like NoMAD.
NoMAD tries to authenticate the user against AD with the local password. If this fails, it will display a message that the passwords are out of sync, ask for the AD password and sync it with the local password. As the action is done by the user, it will not affect the keychain password.
Kind regards
Andreas
02-16-2022 04:06 AM - edited 02-16-2022 04:07 AM
OK, yes, that makes sense. @Andreas42 does NoMAD work with Active Directory in hybrid mode with Azure?
Posted on 02-16-2022 04:17 AM
Yes, but it will query the local AD only. In most cases this requires the users to establish a VPN connection first.
Posted on 02-16-2022 04:23 AM
Apparently we are using Jamf Connect, which replaced NoMAD. So I assume that as long as the user connects to VPN, the local password should sync with AD?
Posted on 02-16-2022 06:30 AM
If you are using Jamf Connect, you are probably already connected to an IdP (maybe Azure)? That should keep your passwords in sync. If you also want to connect to AD, you need to make sure you configure the Kerberos settings in the Jamf Connect profile.