Resetting admin account password and syncing with FileVault 2

sara_mccullar
New Contributor III

I have been tasked with finding a way to reset our local admin password on our Mac computers. Most of our Macs are notebook computers that are FileVaulted. I know that I can set up a policy to run that would reset the password for the user account but not for FileVault access. I need to be able to get the new password set for the FileVault password as well. I need this to be automated, as this change will go to computers already out in the wild. And with 600+ computers, I don't want our help desk staff to have to touch every machine.


boberito
Valued Contributor

If the account is already in FileVault it's fairly easy. You can update or change the password with the Jamf policy password payload if you know the previous one. Or you could write a script to update it using the sysadminctl tool; however, that's probably less recommended, as you'll have to input the passwords into the scripts.

From the Jamf policy, it says that it does not update the FileVault password when you reset it. I try to reset it, but it keeps saying there was an error when trying to reset the password. If I remove it from FileVault, it will reset the password.

boberito
Valued Contributor

You don't want to do a reset.

sara_mccullar
New Contributor III

The only options I see for local accounts are to reset the password, create a local account, or delete a local account. I see the management account has an option to change the password. Unfortunately (or fortunately, however you want to look at it), our help desk doesn't have access to the management account. They have access to the local admin account.

Oooh. Then you'll have to script it, I believe.

sara_mccullar
New Contributor III

I'm trying to look into how to script the password change and still allow the account to unlock FileVault. The admin account has to be able to unlock FileVault.

killer23d
New Contributor III

With 10.15 or later, the password reset also requires the Jamf management account to have a secure token, which makes the Reset Account Password option in a policy useless.


As we are moving towards zero-touch deployment, the Jamf management account by design does not get a secure token (please correct me if I am wrong), which makes resetting a password in a FileVaulted scenario impossible without a technician on site with the user.

I actually found using pwpolicy to work. Granted, I had to hard-code the passwords, but it does work to change the password and leave the account FileVault-enabled.

That's the problem: we are following best practices here not to code any credentials into scripts. The reason I want to do this is to reset generally used accounts to default passwords in case someone changes them.


I used to be able to do that silently in the background... now it is a different time.

@sara_mccullar, can you share in detail how you got this working, please? I am having the same issue: not being able to update the admin PW that has FV enabled. TYA

sara_mccullar
New Contributor III

pwpolicy -a username -p currentpassword -u username setpassword newpassword
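An added example, not from any poster in this thread, showing the sysadminctl route boberito mentioned with the checks the thread raises (FileVault enrolment, secure token on 10.15+) and without literal passwords in the script; the variable names TARGET_USER, CURRENT_PW, NEW_PW and RUN_RESET are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): reset a FileVault-enabled admin's own
# password via sysadminctl. Passwords arrive in environment variables set by
# the caller (for instance mapped from Jamf script parameters), never as
# literals in the script. Assumed names: TARGET_USER, CURRENT_PW, NEW_PW.
set -u

# Return 0 if user $2 appears in `fdesetup list` style output ($1),
# which is one "username,UUID" line per FileVault-enabled user.
fv_user_enabled() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { f = 1 } END { exit !f }'
}

# Return 0 if `sysadminctl -secureTokenStatus` style text ($1) reports ENABLED;
# on 10.15+ the authenticating account must hold a secure token.
token_enabled() {
    case "$1" in *"Secure token is ENABLED"*) return 0 ;; *) return 1 ;; esac
}

# Change $1's password, authenticating as that same account with its current
# password, so the account keeps its FileVault enrolment. Caveat: like pwpolicy,
# sysadminctl takes the passwords as arguments, which are briefly visible in `ps`.
reset_fv_admin_password() {
    local user="$1" current="$2" new="$3"
    fv_user_enabled "$(fdesetup list)" "$user" \
        || { echo "$user is not FileVault-enabled" >&2; return 2; }
    token_enabled "$(sysadminctl -secureTokenStatus "$user" 2>&1)" \
        || { echo "$user has no secure token; reset will fail on 10.15+" >&2; return 3; }
    sysadminctl -adminUser "$user" -adminPassword "$current" \
                -resetPasswordFor "$user" -newPassword "$new" || return 4
    # Confirm the new credential is accepted before reporting success.
    dscl . -authonly "$user" "$new" || return 5
    # Confirm the account is still listed as a FileVault user afterwards.
    fv_user_enabled "$(fdesetup list)" "$user"
}

# Only perform the reset when explicitly requested (RUN_RESET=1).
if [ "${RUN_RESET:-0}" = 1 ]; then
    reset_fv_admin_password "$TARGET_USER" "$CURRENT_PW" "$NEW_PW"
fi
```

Run it as root with `RUN_RESET=1 TARGET_USER=admin CURRENT_PW=... NEW_PW=... ./reset.sh`; a non-zero exit code tells you which precondition or step failed.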