macOS Mojave and AD password changes

kowsar_ahmed
Contributor

Hi Guys,

When our users change passwords (not via NoMAD; IT changes them via AD etc.), and the user then logs in on the network with the new password, updates the keychain password etc. and restarts, it still doesn't update the FileVault login. diskutil apfs updatePreboot / works 10% of the time; we are having to update fdesetup by removing the users and re-adding them via Terminal to sync the passwords. Is there any known fix?

thanks


diradmin
Contributor II

Use local accounts.

mark_mahabir
Valued Contributor

I've just started seeing this in my shop on 1-2 Macs, including my own MBP. Do you not see the problem when changing the password in NoMAD, then? In my case, I changed my password via a domain-joined Linux system.

We use NoMAD, but using local accounts is not yet an option here.

kowsar_ahmed
Contributor

@mark.mahabir NoMAD seems fine at the moment, even though I haven't tested much. Our issue is that we cannot use local accounts (security etc.), and users either let their passwords run down past zero and first-line IT resets them remotely, and/or in cases of a security breach, IT Security resets the account passwords. This is beginning to become a major issue for us.

Thanks,

sshort
Valued Contributor

@kowsar.ahmed Yes, there was a big thread on this topic in the MacAdmins Slack a few weeks ago. If you have an Apple support agreement, or have an Apple rep assigned to your org it would be great for you to add to the pile of complaints.

The problem will occur if the password is changed off the Mac in something like Active Directory or Okta (but I'm not sure if there's a difference between on-network and off-network). The workaround is to remove the secure token, then re-assign the secure token to the affected user.

Apple's current response is that they're aware of the problem, however there was not a full commitment to resolve the issue until macOS 10.15 (at the earliest).

kowsar_ahmed
Contributor

@sshort thanks - yes, I'm aware we can fdesetup remove and re-add; however, we will have this issue globally now and it's a nightmare!

10.15!? wow. Hoping someone comes up with a script at some point!

sshort
Valued Contributor

@kowsar.ahmed If fdesetup isn't always working for you, others reported success with sysadminctl:

sysadminctl -adminUser $LocalAdminWithSecureTokenHere -adminPassword $LocalAdminPasswordHere -secureTokenOff $ADUserNameHere -password $ADUserPasswordHere

sysadminctl -adminUser $LocalAdminWithSecureTokenHere -adminPassword $LocalAdminPasswordHere -secureTokenOn $ADUserNameHere -password $ADUserPasswordHere
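The two sysadminctl calls above wrapped into a checked re-sync routine, as an added example that is not from this thread or from Apple: it reads the token status first, toggles the token off and back on with the user's new password, and only reports success if the token is ENABLED afterwards. The admin and user names are placeholders, the script assumes a local admin that already holds a Secure Token, and it must run as root.

```shell
#!/bin/bash
# Re-sync a mobile (AD) account's Secure Token after an off-Mac password change.
# Assumed setup: "localadmin" is a local admin that already holds a Secure Token,
# "jdoe" is the affected AD user (both placeholders). Passwords are taken from the
# environment rather than typed on the command line so they do not show up in
# the process list; sysadminctl also accepts "-" as a password to prompt for it.

set -u

# Prints ENABLED, DISABLED or UNKNOWN by parsing the status message that
# sysadminctl writes to stderr ("Secure token is ENABLED for user ...").
secure_token_status() {
    user=$1
    out=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    case $out in
        *DISABLED*) echo DISABLED ;;
        *ENABLED*)  echo ENABLED ;;
        *)          echo UNKNOWN ;;
    esac
}

# resync_secure_token ADMIN ADMIN_PW USER USER_PW
# Removes the user's token and grants it again with the CURRENT (new) password.
# Returns 0 only if the token is ENABLED afterwards, 2 if status cannot be read.
resync_secure_token() {
    admin=$1 admin_pw=$2 user=$3 user_pw=$4
    if [ "$(secure_token_status "$user")" = UNKNOWN ]; then
        echo "cannot read Secure Token status for $user" >&2
        return 2
    fi
    sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
        -secureTokenOff "$user" -password "$user_pw" >/dev/null 2>&1
    sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
        -secureTokenOn "$user" -password "$user_pw" >/dev/null 2>&1
    [ "$(secure_token_status "$user")" = ENABLED ]
}

# Usage (placeholder names): LOCAL_ADMIN_PW=... AD_USER_PW=... sudo -E ./resync.sh --run
if [ "${1:-}" = "--run" ]; then
    resync_secure_token localadmin "${LOCAL_ADMIN_PW:?}" jdoe "${AD_USER_PW:?}"
fi
```

After the token is re-granted, the user should log out and back in so that the FileVault preboot volume picks up the new password.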

swhps
Contributor III

How do you re-sync the FV password with AD when the user does have a token? We have a user with 2 Macs, so when he changes it on one in Users & Groups, the other one goes out of sync. FV says they have a token on both machines.

ClassicII
Contributor III

@swhps

Be sure to have your users change the password in Users & Groups. When they do this, the password is changed in 3 places:

  1. Active Directory
  2. Local Offline Cache (for offline login)
  3. FileVault

You can still change the password off the Mac, but you have to meet certain OS criteria.

Will work
1. 10.10-10.12
2. 10.13.4-10.13.6
3. 10.14.4 and later

Will NOT work
1. 10.13.0-10.13.3
2. 10.14.0-10.14.3

You can read more here.
https://mrmacintosh.com/macos-mojave-10-14-4-update-fixes-ad-mobile-account-filevault-password-chang...