Posted on 09-26-2018 09:21 AM
I've never had an issue with changing a Management Account password in JAMF Pro 9.
Since we've moved to version 10 (10.4.1 to be exact), ¾ of my Macs are continually failing the policy:
Policy > Management Account > Change Account Password.
The only error I get is "Error: The Managed Account Password could not be changed.".
Any ideas would be great on how to resolve this.
Posted on 09-26-2018 09:34 AM
We're testing 10.14.0. We might be in the same boat.
I have a policy that is set to change both the Local Accounts and the Management Accounts password.
The Management Account Policy works but the Local Accounts policy does not.
I even tested and created a new policy and still Error.
Posted on 09-26-2018 10:55 AM
I'm definitely having this issue, but it's only affecting Mojave machines. JSS is 10.7.1. Are you seeing this on other OSs?
Posted on 09-27-2018 06:49 AM
I see it on macOS 10.11 and 10.12.
Posted on 09-27-2018 07:01 AM
In our environment, we had to make sure the management account wasn't hidden and remove any special characters in the password to resolve this issue.
Posted on 09-27-2018 07:26 AM
Thought about that. The account isn't hidden, nor do we use special characters.
Posted on 10-10-2018 06:59 AM
I get this error after I re-enroll a Mac with QuickAdd. It seems like it fails to create the management account, since the account is already present on the machine. This seems to break the password-sync so the policy can't update the management account password.
The only way I found around this was to first delete the management account using dscl and then re-enroll:
sudo dscl . -delete "/Users/managementAccountName"
(Replace managementAccountName with your account name).
Any help with getting this policy to update the management account password without re-enrolling the machine is much appreciated!
Posted on 10-11-2018 07:54 AM
Oddly enough, I can "Reset" the Management Account password, but I cannot "Change" the Management Account password.
Posted on 10-12-2018 09:02 AM
Posted on 10-12-2018 09:04 AM
@adolfsson So it DID reset it to my new password, but remember if you "reset" the Management Account password, it does not update the Keychain or the FileVault password. So in some ways, it almost causes more issues.
Posted on 10-18-2018 09:41 AM
We managed to get the password sync with the management account working again. You need to change the management account password on the computer locally first, then you send a specific recon command to report the management account password back to the JSS. At this point the password is in sync but with your known password. Now the policy can run to set a random hidden password!
sudo dscl . passwd /Users/jamfmanage newpwd
sudo jamf recon -sshUsername jamfmanage -sshPassword newpwd
This is a bit hard to automate since you can't scope this to the computers that have failed the password change policy. It is possible though through the API with a lot of looping.
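The two-step re-sync from the post above, written as a policy script (an added example, not code from the thread or from Jamf). It assumes the script runs as root, that the account name and a temporary password arrive as script parameters $4 and $5, and that the jamf binary is at /usr/local/bin/jamf; the `-authonly` check is an addition that confirms the new password works before it is reported.

```shell
#!/bin/sh
# Added example, not from the thread. Meant to run as root from a Jamf policy.
# Assumed parameters: $4 = management account short name, $5 = temporary password.
# Both values appear in process arguments while the commands run, so treat $5 as
# a throwaway that the "Change Account Password" policy replaces afterwards.

# Tool paths are variables so the logic can be exercised with stubs off-device.
DSCL="${DSCL:-/usr/bin/dscl}"
JAMF="${JAMF:-/usr/local/bin/jamf}"

resync_mgmt_password() {
    account="$1"
    newpw="$2"
    if [ -z "$account" ] || [ -z "$newpw" ]; then
        echo "usage: resync_mgmt_password <account> <password>" >&2
        return 64
    fi
    # The account must already exist locally; this procedure does not create it.
    if ! "$DSCL" . -read "/Users/$account" UniqueID >/dev/null 2>&1; then
        echo "management account '$account' not found locally" >&2
        return 2
    fi
    # Step 1 from the post: set a known password on the computer itself.
    if ! "$DSCL" . passwd "/Users/$account" "$newpw"; then
        echo "local password change failed" >&2
        return 3
    fi
    # Added check: confirm the new password authenticates before reporting it.
    if ! "$DSCL" . -authonly "$account" "$newpw"; then
        echo "new password does not authenticate; not reporting it" >&2
        return 4
    fi
    # Step 2 from the post: report the account and password back to the JSS.
    if ! "$JAMF" recon -sshUsername "$account" -sshPassword "$newpw"; then
        echo "recon failed; server record is still out of sync" >&2
        return 5
    fi
    return 0
}

# Jamf fills $1-$3 itself; run only when the policy supplied $4 and $5.
if [ "$#" -ge 5 ]; then
    resync_mgmt_password "$4" "$5"
    exit $?
fi
```

A non-zero exit marks the policy run as failed, and the exit code shows which step did not complete.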
Posted on 10-18-2018 09:48 AM
Posted on 10-18-2018 09:59 AM
@RedWings You can change it with a script in a policy. What I meant was you need to change the computer's management account password and not the management account password reported in the JSS.
Posted on 01-02-2019 02:38 PM
I was informed this is now a known issue with JAMF Pro 10.
Posted on 02-08-2019 10:19 AM
Thanks @adolfsson that recon command just made my day!
Posted on 09-08-2021 03:43 AM
Thanks @adolfsson, your method saves us.
We have that issue mainly (maybe only) on 10.15.7 systems.