Reset device passwords using Jamf Pro?

jabal
New Contributor

Forgive my ignorance, but is Jamf able to reset passwords if the user is not logged into a local account? I am seeing the option in policies, but I am unsure of how to trigger it before the user logs in. I attempted to set the trigger to startup and change in network state, but both remain pending when restarting the device to the login screen. Also, I am not seeing a network symbol on the login screen for any device and am thinking I need to adjust a configuration profile so network access/settings can be accessed before logging in? If so, where do I access this? I am reviewing the restrictions on the devices and I am not seeing them.

Also, is this ill-advised? I can see how doing this sort of thing would be unwise from a security perspective.

3 REPLIES

sdagley
Esteemed Contributor II

@jabal If you are using FileVault drive encryption there is no network access to the Mac before a user logs in, so Jamf Pro would not be able to reset the password.

Even if Jamf Pro has access, it may not be able to reset a password because macOS won't allow that for an account if it's the only one with a Bootstrap token (https://support.apple.com/guide/deployment/use-secure-and-bootstrap-tokens-dep24dbdcf9e/web).

AJPinto
Honored Contributor III

To add to what sdagley said, JAMF also cannot reset PWs for accounts with Secure Tokens. To change the PW of an account with a Secure Token, you need a secure token, and the JAMF PW reset workflow uses a bootstrap token.
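
A read-only check of the conditions the two replies above describe, as an added example that is not part of any post in this thread. It parses the output of `fdesetup status`, `sysadminctl -secureTokenStatus` and `profiles status -type bootstraptoken`; the function names, the summary format and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise the macOS state that the replies say affects a
# Jamf Pro password reset. Parsing is kept separate from collection so the
# logic can be exercised on captured output away from the Mac.

# has TEXT NEEDLE: succeed if NEEDLE occurs literally in TEXT.
has() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

# assess FDESETUP_OUT SYSADMINCTL_OUT PROFILES_OUT
assess() {
    fv=off; st=disabled; bt=not-escrowed
    has "$1" "FileVault is On" && fv=on
    has "$2" "Secure token is ENABLED" && st=enabled
    has "$3" "Bootstrap Token escrowed to server: YES" && bt=escrowed
    echo "filevault=$fv securetoken=$st bootstrap=$bt"
    # The notes restate the thread's replies; they are not Jamf or Apple output.
    [ "$fv" = on ] && echo "note: FileVault on, no network before a user logs in"
    [ "$st" = enabled ] && echo "note: target account holds a Secure Token"
    return 0
}

# Constructed sample output (not captured from a real Mac), used offline.
SAMPLE_FV="FileVault is On."
SAMPLE_ST="2024-11-14 09:00:00.000 sysadminctl[501:1234] Secure token is ENABLED for user testuser"
SAMPLE_BT="profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES"

if command -v fdesetup >/dev/null 2>&1 && [ -n "${1:-}" ]; then
    # Live collection on macOS, run as root; $1 is the account short name.
    assess "$(fdesetup status 2>&1)" \
           "$(sysadminctl -secureTokenStatus "$1" 2>&1)" \
           "$(profiles status -type bootstraptoken 2>&1)"
else
    assess "$SAMPLE_FV" "$SAMPLE_ST" "$SAMPLE_BT"
fi
```

On a managed Mac, run it as root with the account's short name as the only argument; without an argument it prints the result for the constructed sample.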

agungsujiwo
Contributor

Hi @jabal,

"but I am unsure of how to trigger it before the user logs in. I attempted to set the trigger to startup and change in network state, but both remain pending when restarting the device to the login screen"

The first way, so that your "change in network state" trigger activates properly and the profile is accepted by the Mac, is to connect your Mac to the internet:
1. Mac Port USB-C = Use USB-C to Ethernet
https://www.belkin.com/p/usb-c-to-gigabit-ethernet-adapter/F2CU040btBLK.html
2. Mac Port USB-A = Use USB-A to Ethernet
https://www.apple.com/shop/product/MC704LL/A/apple-usb-ethernet-adapter

Wait 1-2 minutes; if there is no response in Jamf, restart your Mac so that the "change in network state" trigger runs.

Second way (if you are close to the Mac and can access the Mac)
using LOCAL MAC User from JAMF
Jamf Computer > Device Name > Inventory > Local User Account > Managed Local Administrator Accounts,
User         : _cadmin
Password : Clicking View will display the passcode