Posted on 01-09-2019 09:28 AM
Hi Guys,
When our users change passwords (not via NoMAD; IT changes them via AD etc.) and a user then logs in using the new password on the network, updates the keychain password etc. and restarts, it still doesn't update the FileVault login. diskutil apfs updatePreboot / works 10% of the time, so we are having to update fdesetup by removing the users and re-adding them via Terminal to sync the passwords. Is there any known fix?
thanks
Posted on 01-09-2019 09:49 AM
Use local accounts.
Posted on 01-10-2019 01:25 AM
I've just started seeing this in my shop on 1-2 Macs, including my own MBP. Do you not see the problem when changing the password in NoMAD then? In my case, I changed my password via a domain-joined linux system.
We use NoMAD, but using local accounts is not yet an option here.
Posted on 01-18-2019 08:19 AM
@mark.mahabir NoMAD seems fine at the moment, even though I haven't tested much. Our issue is we cannot use local accounts (security etc.), and users either let their passwords run down past zero and first-line IT reset them remotely, and/or in cases of a security breach, IT Security reset the account passwords. This is beginning to become a major issue for us.
Thanks,
Posted on 01-18-2019 08:42 AM
@kowsar.ahmed Yes, there was a big thread on this topic in the MacAdmins Slack a few weeks ago. If you have an Apple support agreement, or have an Apple rep assigned to your org it would be great for you to add to the pile of complaints.
The problem will occur if the password is changed off the Mac in something like Active Directory or Okta (but I'm not sure if there's a difference if on-network/off-network). The workaround is to remove the secure token, then re-assign the securetoken to the affected user.
Apple's current response is that they're aware of the problem, however there was not a full commitment to resolve the issue until macOS 10.15 (at the earliest).
Posted on 01-18-2019 09:28 AM
@sshort thanks - yes I'm aware we can fdesetup remove and re-add however we will have this issue globally now and it's a nightmare!
10.15!? wow. Hoping someone comes up with a script at some point!
Posted on 01-18-2019 09:34 AM
@kowsar.ahmed If fdesetup isn't always working for you, others reported success with sysadminctl:

sysadminctl -adminUser $LocalAdminWithSecureTokenHere -adminPassword $LocalAdminPasswordHere -secureTokenOff $ADUserNameHere -password $ADUserPasswordHere
sysadminctl -adminUser $LocalAdminWithSecureTokenHere -adminPassword $LocalAdminPasswordHere -secureTokenOn $ADUserNameHere -password $ADUserPasswordHere
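The secure-token off/on workaround described by sshort above and the two sysadminctl lines in this post, wrapped in a script with the checks an admin would want around it. This is an added example, not code posted in the thread or shipped by Apple or NoMAD. It assumes the status line format "Secure token is ENABLED for user NAME" from sysadminctl -secureTokenStatus and the "NAME,UUID" line format from fdesetup list; the account names localadmin and jsmith in the usage comment and the sample output in the test are constructed. It must be run as root on the affected Mac; passwords are requested interactively with "-password -" rather than passed on the command line, where ps would show them.

```shell
#!/bin/sh
# Added example (not from the thread). Re-sync an AD mobile user's FileVault
# password by toggling the secure token off and on, with before/after checks.
# Assumed output formats (labelled assumptions):
#   sysadminctl -secureTokenStatus NAME -> "... Secure token is ENABLED for user NAME"
#   fdesetup list                       -> "NAME,UUID", one FileVault user per line
# Usage (on macOS, as root):  sudo ./fv-resync.sh localadmin jsmith

# Parse captured sysadminctl status output into ENABLED / DISABLED / UNKNOWN.
token_state_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo ENABLED ;;
        *"Secure token is DISABLED"*) echo DISABLED ;;
        *)                            echo UNKNOWN ;;
    esac
}

# Return 0 if short name $2 appears as a FileVault-enabled user in the
# captured `fdesetup list` output $1.
fv_user_listed() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Live helper: sysadminctl writes its status line to stderr, so capture both.
token_state() {
    token_state_from_output "$(sysadminctl -secureTokenStatus "$1" 2>&1)"
}

# $1 = local admin that already holds a secure token, $2 = affected user.
resync_filevault_user() {
    admin="$1"
    user="$2"

    # Without a token-holding admin the secureTokenOn call cannot succeed.
    admin_state=$(token_state "$admin")
    if [ "$admin_state" != ENABLED ]; then
        echo "admin $admin has no secure token ($admin_state); aborting" >&2
        return 1
    fi

    echo "before: $user secure token $(token_state "$user")"

    # Toggle the token off, then on, using the user's CURRENT (new) AD password.
    # Each call prompts for the admin password and the user password.
    sysadminctl -adminUser "$admin" -adminPassword - -secureTokenOff "$user" -password - || return 1
    sysadminctl -adminUser "$admin" -adminPassword - -secureTokenOn  "$user" -password - || return 1

    # Refresh the preboot volume so the FileVault login screen picks up the change.
    diskutil apfs updatePreboot / >/dev/null || return 1

    after=$(token_state "$user")
    echo "after:  $user secure token $after"
    [ "$after" = ENABLED ] || return 1

    # Confirm the user is still enabled for FileVault after the toggle.
    if ! fv_user_listed "$(fdesetup list 2>/dev/null)" "$user"; then
        echo "$user is missing from fdesetup list; re-add with fdesetup add" >&2
        return 1
    fi
}

# Only run the live procedure when given two arguments on a Mac.
if [ "$#" -eq 2 ] && [ "$(uname)" = Darwin ]; then
    resync_filevault_user "$1" "$2"
fi
```

The script refuses to proceed when the admin account itself has no secure token, because that is the usual reason the secureTokenOn step silently fails, and it verifies the result with both sysadminctl and fdesetup instead of trusting the exit codes alone. Have the user log out and test the FileVault login screen afterwards; if it still rejects the new password, fall back to the fdesetup remove / add sequence from the first post.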
Posted on 04-19-2019 02:13 PM
How do you re-sync the FV password with AD when the user does have a token? We have a user with 2 Macs, so when he changes it on one via Users & Groups, the other one goes out of sync. FV says they have a token on both machines.
Posted on 04-19-2019 06:23 PM
Be sure to have your users change the password in Users & Groups. When they do this the password is changed in 3 places.
You can still change the password off the Mac but have to meet certain OS criteria.
Will work:
1. 10.10-10.12
2. 10.13.4-10.13.6
3. 10.14.4 and later

Will NOT work:
10.13.0-10.13.3
10.14.0-10.14.3
You can read more here.
https://mrmacintosh.com/macos-mojave-10-14-4-update-fixes-ad-mobile-account-filevault-password-chang...