Management Account Authentication Issues

cforte
New Contributor

I've been running into authentication issues with Casper Remote with machines I've been re-enrolling and re-imaging lately. A bit of background info - we created a QuickAdd installer back at version 9.3-something with a local admin as the management account and used that to enroll many of our systems. When we upgraded to JSS 9.61 we created a new QuickAdd installer with the same local admin username, but with a different password.

Now when I re-run the enrollment installer on test machines or other systems that needed to be re-enrolled I cannot do anything with Casper Remote. Authentication fails almost immediately with nothing useful in the Remote log. I had added the new QuickAdd installer to our DeployStudio imaging workflows, and now authentication fails on newly reimaged machines as well.

My guess is that since the management account exists on these machines already, the installer doesn't try to create it. However, since the existing account has a different password than what the enrollment installer has, the JSS has the wrong credentials and Remote just doesn't want to work. Does that sound plausible?

EDIT: This seems to be the case. I took a problematic test machine and used dscl to remove the management account and then re-ran the QuickAdd installer. Remote worked just fine after that.

The big question, naturally, is how would one go about fixing this? How would I change the management account password on 700+ machines without having to touch each one?

Any advice would be appreciated.

2 REPLIES 2

mm2270
Legendary Contributor III

Are you looking only to change the password that the JSS stores for each Mac's management record? Or do you need to change the actual password for that account on the Macs themselves? I'm guessing you want to change the actual account password on the systems. If so, you may or may not be able to do this a policy to change the management account password. In the JSS when creating a policy, add the "Management Account" item in, and then choose Specify new password from the drop down menu. Enter the new correct password and add the scope to push to.
Only thing is, it might require an existing valid password for the management account before it can change it, but its been a while since I've used this, so I can't recall now. Worth a try however.

If you only need to change the password for the systems in the JSS record, there is also a way to do that from an Action drop down after a search. I think its referred to as Take Action On results.

dbrodjieski
New Contributor III

I think @mm2270 is right, since the jamf policy process runs as root, it should be able to set the new password for the management account.