Posted on 09-29-2021 01:38 PM
I have been tasked with finding a way to reset our local admin password on our Mac computers. Most of our Macs are notebook computers that are FileVaulted. I know that I can set up a policy to run that would reset the password for the user account but not for FileVault access. I need to be able to get the new password set for the FileVault password as well. I need this to be automated, as this change will go to computers already out in the wild. And with 600+ computers, I don't want our help desk staff to have to touch every machine.
Posted on 09-29-2021 03:40 PM
If the account is already in FileVault it's fairly easy. You can update or change the password with the Jamf policy password payload if you know the previous one. Or you could write a script to update it using the sysadminctl tool; however, that's probably less recommended as you'll have to input the passwords into the scripts.
Posted on 09-29-2021 03:49 PM
From the Jamf policy, it says that it does not update the FileVault password when you reset it. I try to reset it but it keeps saying there was an error when trying to reset the password. If I remove it from FileVault, it will reset the password.
Posted on 09-29-2021 03:52 PM
You don’t want to do a reset.
Posted on 09-29-2021 04:00 PM
The only options I see for local accounts are to reset the password, create a local account, or delete a local account. I see the management account has an option to change the password. Unfortunately (or fortunately, however you want to look at it), our help desk doesn't have access to the management account. They have access to the local admin account.
Posted on 09-29-2021 04:05 PM
Oooh. Then you’ll have to script it I believe.
Posted on 09-30-2021 09:55 AM
I'm trying to look into how to script the password change and still allow the account to unlock FileVault. The admin account has to be able to unlock FileVault.
Posted on 11-02-2021 09:14 AM
With 10.15 or later, the password reset also requires the Jamf management account to have a secure token, which makes the Reset Account Password option in a policy useless.
As we are moving towards zero-touch deployment, the Jamf management account by design does not get a secure token (please correct me if I am wrong), which makes resetting a password in a FileVaulted scenario impossible without a technician on site with the user.
Posted on 11-02-2021 11:03 AM
I actually found using pwpolicy to work. Granted, I had to hard-code the passwords, but it does work to change the password and leave the account FileVault-enabled.
Posted on 11-02-2021 01:51 PM
That's the problem: we are following best practices here not to code any credentials into scripts. The reason I want to do this is to reset generally used accounts to default passwords in case someone changes them.
I used to be able to do that silently in the background... now it's a different time.
Posted on 06-16-2022 09:10 PM
@sara_mccullar can you share how you got this working in detail, please? I am having the same issue, not being able to update the admin PW that has FV enabled. TYA
Posted on 06-17-2022 08:31 AM
pwpolicy -a username -p currentpassword -u username -setpassword newpassword
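The sysadminctl route suggested earlier in the thread, written up here as an added example (not code from any poster): the credentials arrive as Jamf policy script parameters instead of being hard-coded, the reset is performed through an admin that already holds a secure token so the target account keeps FileVault access, and the script checks afterwards that the account is still listed by fdesetup and still has its token. The $4-$7 parameter layout and the helper function names are assumptions; the sysadminctl and fdesetup flags are the standard macOS ones.

```shell
#!/bin/sh
# Added example: rotate a FileVault-enabled local admin's password from a Jamf policy.
# Credentials come from Jamf script parameters (assumed layout), never hard-coded:
#   $4 = secure-token admin   $5 = its password   $6 = target account   $7 = new password
set -eu

# Return 0 if username "$2" appears in "$1", the output of `fdesetup list` ("user,UUID" per line).
fv_listed() {
    printf '%s\n' "$1" | awk -F, -v u="$2" '$1 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# Return 0 if the `sysadminctl -secureTokenStatus` output in "$1" reports an ENABLED token.
token_enabled() {
    case "$1" in *"Secure token is ENABLED"*) return 0 ;; *) return 1 ;; esac
}

rotate_password() {
    admin="$1"; admin_pw="$2"; target="$3"; new_pw="$4"

    # Precheck: on 10.15+ the resetting admin must itself hold a secure token.
    token_enabled "$(sysadminctl -secureTokenStatus "$admin" 2>&1)" \
        || { echo "$admin has no secure token; cannot reset a FileVault user" >&2; return 1; }

    # Reset through an authenticated admin so the target keeps its secure token.
    # Caveat: the passwords are visible in `ps` output while this command runs.
    sysadminctl -adminUser "$admin" -adminPassword "$admin_pw" \
        -resetPasswordFor "$target" -newPassword "$new_pw"

    # Postcheck: the account must still be FileVault-enabled and still hold its token.
    fv_listed "$(fdesetup list)" "$target" \
        || { echo "$target is no longer FileVault-enabled after the reset" >&2; return 1; }
    token_enabled "$(sysadminctl -secureTokenStatus "$target" 2>&1)" \
        || { echo "$target lost its secure token" >&2; return 1; }
    echo "password rotated for $target; FileVault access verified"
}

# Only act on a Mac when Jamf passes all four parameters; elsewhere the functions are just defined.
if command -v sysadminctl >/dev/null 2>&1 && [ "$#" -ge 7 ]; then
    rotate_password "$4" "$5" "$6" "$7"
fi
```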