I have been tasked with finding a way to reset our local admin password on our Mac computers. Most of our Macs are notebook computers that are FileVault-encrypted. I know that I can set up a policy to run that would reset the password for the user account but not for FileVault access. I need to be able to get the new password set for the FileVault password as well. I need this to be automated, as this change will go to computers already out in the wild. And with 600+ computers, I don't want our help desk staff to have to touch every machine.
If the account is already in FileVault it's fairly easy. You can update or change the password with the Jamf policy password payload if you know the previous one. Or you could write a script to update it using the sysadminctl tool; however, that's probably less recommended, as you'll have to input the passwords into the scripts.
From the Jamf policy, it says that it does not update the FileVault password when you reset it. I try to reset it, but it keeps saying there was an error when trying to reset the password. If I remove it from FileVault, it will reset the password.
The only options I see for local accounts are to reset the password, create a local account, or delete a local account. I see the management account has an option to change the password. Unfortunately (or fortunately, however you want to look at it), our help desk doesn't have access to the management account. They have access to the local admin account.
With 10.15 or later, the password reset also requires the Jamf management account to have a secure token, which makes the Reset Account Password option in a policy useless.
As we are moving towards zero-touch deployment, the Jamf management account by design does not get a secure token (please correct me if I am wrong), which makes resetting a password in a FileVaulted scenario impossible without a technician on site with the user.
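The sysadminctl approach from the second reply, combined with the secure-token caveat from the reply just above, as an added example that is not code from this thread or from Jamf. It assumes the Jamf policy hands the credentials to the script as parameters $4 through $7 (the slot numbers are an assumption) instead of embedding them in the script body, and it assumes the admin account doing the reset is the local admin that holds a secure token, not the Jamf management account. It refuses to run the reset when that admin has no secure token, because on 10.15 and later that is the case in which the FileVault password would not be updated.

```shell
#!/bin/bash
# Added example (not from the thread or from Jamf). Resets a local account's
# password with sysadminctl so that the FileVault password follows, driven
# by Jamf script parameters rather than hard-coded credentials.
# Parameter slots $4..$7 are an assumption; adjust to the policy's layout.

TARGET_USER="${4:-}"      # account whose password is being reset
NEW_PASSWORD="${5:-}"     # new password for that account
ADMIN_USER="${6:-}"       # local admin that holds a secure token (10.15+)
ADMIN_PASSWORD="${7:-}"

# sysadminctl -secureTokenStatus writes (to stderr) a line such as
#   "... sysadminctl[482:9431] Secure token is ENABLED for user Bob"
# Given that text, succeed only when the token is ENABLED.
token_enabled_from_output() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check on macOS; fails on any platform without sysadminctl.
secure_token_enabled() {
    local out
    out=$(sysadminctl -secureTokenStatus "$1" 2>&1) || true
    token_enabled_from_output "$out"
}

# fdesetup list prints one "username,UUID" line per FileVault-enabled user.
# Given that text and a username, succeed when the user is listed.
user_in_fv_output() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit !found }'
}

# Print the argv of the reset command one element per line so it can be
# reviewed (or tested) without being executed.
reset_argv() {
    printf '%s\n' sysadminctl -resetPasswordFor "$1" -newPassword "$2" \
                  -adminUser "$3" -adminPassword "$4"
}

# Perform the reset with a secure-token admin's credentials, which keeps the
# target user's secure token (and therefore FileVault access) intact.
reset_password() {
    sysadminctl -resetPasswordFor "$TARGET_USER" -newPassword "$NEW_PASSWORD" \
                -adminUser "$ADMIN_USER" -adminPassword "$ADMIN_PASSWORD"
}

main() {
    if [ -z "$TARGET_USER" ] || [ -z "$NEW_PASSWORD" ] || \
       [ -z "$ADMIN_USER" ] || [ -z "$ADMIN_PASSWORD" ]; then
        echo 'usage: pass target user, new password, admin user, admin password as $4..$7' >&2
        exit 2
    fi
    if ! secure_token_enabled "$ADMIN_USER"; then
        echo "$ADMIN_USER has no secure token; reset would not update the FileVault password, aborting" >&2
        exit 1
    fi
    reset_password || { echo "reset failed for $TARGET_USER" >&2; exit 1; }
    # Confirm the target is still a FileVault-enabled user after the reset.
    if user_in_fv_output "$(fdesetup list 2>/dev/null)" "$TARGET_USER"; then
        echo "password reset for $TARGET_USER; still FileVault-enabled"
    else
        echo "warning: $TARGET_USER not in fdesetup list after reset" >&2
        exit 1
    fi
}

# Only run when invoked with parameters (e.g. from a Jamf policy), so the
# helper functions can also be sourced and checked on their own.
if [ -n "$TARGET_USER" ]; then
    main
fi
```

One caveat a practitioner should weigh: passing passwords as script parameters keeps them out of the script file, but they still appear briefly as process arguments (visible to a local `ps` while sysadminctl runs), so this is a trade-off against the "no credentials in scripts" rule rather than a full solution to it.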
That's the problem: we are following best practices here not to code any credentials into scripts. The reason I want to do this is to reset general-use accounts to default passwords in case someone changes them.
I used to be able to do that silently in the background... now it's a different time.