"Managed Account Password could not be changed"

RedWings
Contributor

I've never had an issue with changing a Management Account password in JAMF Pro 9.

Since we've moved to version 10 (10.4.1 to be exact), ¾ of my Macs are continually failing the policy:
Policy > Management Account > Change Account Password.

The only error I get is "Error: The Managed Account Password could not be changed."

Any ideas would be great on how to resolve this.

15 REPLIES

Just_Jack
Contributor

We're testing 10.14.0. We might be in the same boat.
I have a policy that is set to change both the Local Accounts and the Management Accounts password.
The Management Account Policy works but the Local Accounts policy does not.
I even tested and created a new policy and still Error.

masanoriyusa
New Contributor II

I'm definitely having this issue, but it's only affecting Mojave machines. JSS is 10.7.1. Are you seeing this on other OSs?

RedWings
Contributor

I see it on macOS 10.11 and 10.12.

emalee
New Contributor

In our environment, we had to make sure the management account wasn't hidden and remove any special characters in the password to resolve this issue.

RedWings
Contributor

Thought about that. The account isn't hidden, nor do we use special characters.

adolfsson
New Contributor III

I get this error after I re-enroll a Mac with QuickAdd. It seems like it fails to create the management account, since the account is already present on the machine. This seems to break the password sync, so the policy can't update the management account password.

The only way I found around this was to first delete the management account using dscl and then re-enroll:

sudo dscl . -delete "/Users/managementAccountName"
(Replace managementAccountName with your account name).

Any help with getting this policy to update the management account password without re-enrolling the machine is much appreciated!

RedWings
Contributor

Oddly enough, I can "Reset" the Management Account password, but I cannot "Change" the Management Account password.

adolfsson
New Contributor III

@RedWings Do you know if using the "Reset" option will fix the issue?

RedWings
Contributor

@adolfsson So it DID reset it to my new password, but remember if you "reset" the Management Account password, it does not update the Keychain or the FileVault password. So in some ways, it almost causes more issues.

adolfsson
New Contributor III

We managed to get the password sync with the management account working again. You need to change the management account password on the computer locally first, then you send a specific recon command to report the management account password back to the JSS. At this point the password is in sync but with your known password. Now the policy can run to set a random hidden password!

sudo dscl . passwd /Users/jamfmanage newpwd
sudo jamf recon -sshUsername jamfmanage -sshPassword newpwd

This is a bit hard to automate since you can't scope this to the computers that have failed the password change policy. It is possible though through the API with a lot of looping.

RedWings
Contributor

@adolfsson yeah, we have 400 Macs. So changing the password locally isn't viable.

adolfsson
New Contributor III

@RedWings You can change it with a script in a policy. What I meant was you need to change the computer's management account password and not the management account password reported in the JSS.
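
The two-step re-sync described in adolfsson's posts above (local password change, then `jamf recon` with `-sshUsername`/`-sshPassword`), written as a script that a policy could run. This is an added example, not code posted in the thread. It assumes script parameters 4 and 5 carry the account short name and the new password; the function names and the `DSCL`/`JAMF` override variables are hypothetical.

```shell
#!/bin/bash
# Added example, not from the thread. Jamf policy scripts run as root, so no sudo.
# Assumption: script parameter 4 = account short name, parameter 5 = new password.

# Overridable for dry runs and tests; defaults are the usual binary locations.
DSCL="${DSCL:-/usr/bin/dscl}"
JAMF="${JAMF:-/usr/local/bin/jamf}"

# Accept only plain short names so the value cannot change the dscl record path.
valid_short_name() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Exit codes: 0 ok, 2 bad input, 3 account missing, 4 local change failed,
# 5 recon failed. The password is never written to output.
resync_mgmt_password() {
    local account="$1" password="$2"
    valid_short_name "$account" || { echo "invalid account name" >&2; return 2; }
    [ -n "$password" ] || { echo "empty password" >&2; return 2; }

    # The account must already exist locally; this script does not create it.
    "$DSCL" . -read "/Users/$account" RecordName >/dev/null 2>&1 ||
        { echo "account $account not found" >&2; return 3; }

    # Step 1: set the known password on the computer itself.
    "$DSCL" . -passwd "/Users/$account" "$password" >/dev/null 2>&1 ||
        { echo "local password change failed" >&2; return 4; }

    # Step 2: report that password to the JSS. Reached only if step 1 worked,
    # so the server never records a password the Mac does not have.
    "$JAMF" recon -sshUsername "$account" -sshPassword "$password" >/dev/null ||
        { echo "recon failed" >&2; return 5; }
}

# Jamf always passes positional parameters; skip when sourced with none.
if [ "$#" -gt 0 ]; then
    resync_mgmt_password "${4:-}" "${5:-}"
    exit $?
fi
```

As in the thread's commands, the password is passed as a command-line argument, so it is visible in the process list while `dscl` and `jamf` run.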

RedWings
Contributor

I was informed this is now a known issue with JAMF Pro 10.

masanoriyusa
New Contributor II

Thanks @adolfsson that recon command just made my day!

schiemsk
New Contributor III

Thanks @adolfsson, your method saves us.

We have that issue mainly (maybe only) on 10.15.7 systems.

Best regards.