Resetting the PW of a Local Standard User who has Encryption Turned On.

rsteffens
New Contributor III

I am trying to explore my options for resetting the passwords of local standard-user accounts. FileVault is enabled for these accounts. There is also an admin management account created by Jamf during enrollment; the user must NOT be allowed to change the management admin PW! Many of my users are remote and we have no physical access to their computers. System Preferences > Users & Groups, and Security & Privacy, are restricted under Jamf Profiles, so standard users cannot change password settings there. Our computers are all enrolled with user-initiated enrollment, if that makes any difference.

1) The ideal solution would be to just send a command that prompts the user to change the password of the standard local account to anything of their choice. 

2) The next best solution would be for the end user to tell me what password they want set, and I just set that password on their standard local account using Jamf. 

How are others handling this?


Thanks!

5 REPLIES

sdagley
Honored Contributor II

@rsteffens Do the users know the management admin pw? If not, do you really need to restrict their access to Users & Groups? If you do, which as you've noted eliminates access to the Change Password UI in that panel, then you'll want to look at the `sysadminctl` tool to do a scripted password change. Here's an article with details on that:

https://macnotes.wordpress.com/2019/03/28/user-management-create-remove-change-password-secure-token... 

Note that using this tool will require that an admin account name and password be supplied, so sending those as encrypted parameters to your script would be recommended.
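As an added example (not from this thread, and not Jamf's or Apple's code), here is what a Jamf policy script along the lines sdagley describes could look like: it wraps `sysadminctl`, refuses to touch the management admin account that the original question says users must never change, and keeps the command builder separate so it can be checked on a machine that is not a Mac. The parameter order, the placeholder account name `jamfadmin`, and the assumption that Jamf has already decrypted the admin credentials before they reach the script are all assumptions.

```shell
#!/bin/sh
# Assumed Jamf parameter order (a convention chosen here, not Jamf's):
#   $4 = target local account      $5 = new password for that account
#   $6 = management admin account  $7 = management admin password
# "jamfadmin" is only a placeholder for the real management account name.

# Decide whether an account may be reset by this policy.
# Returns 0 for an ordinary local account, 1 for root, the management
# admin, an empty name, or a name containing characters no local account uses.
target_allowed() {
    target="$1"; mgmt="$2"
    case "$target" in
        ""|root|"$mgmt") return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the exact sysadminctl argument list, '|'-separated, without running it,
# so the invocation can be inspected or tested off a Mac.
build_reset_cmd() {
    printf '%s|' sysadminctl -resetPasswordFor "$1" -newPassword "$2" \
        -adminUser "$3" -adminPassword "$4"
}

# Only act when Jamf supplied all four parameters (nothing runs when sourced).
if [ "$#" -ge 7 ]; then
    if ! target_allowed "$4" "$6"; then
        echo "Refusing to reset the password for '$4'" >&2
        exit 1
    fi
    # Real reset (macOS only). The admin credentials are passed to sysadminctl
    # and deliberately never echoed into the policy log.
    if sysadminctl -resetPasswordFor "$4" -newPassword "$5" \
           -adminUser "$6" -adminPassword "$7"; then
        # Confirm the account still holds a SecureToken, i.e. can still unlock FileVault.
        sysadminctl -secureTokenStatus "$4"
    else
        echo "sysadminctl failed for '$4'" >&2
        exit 1
    fi
fi
```

Because the credentials travel as arguments, they are briefly visible in the process list on the endpoint; that is the same exposure sdagley's note about encrypted parameters is meant to reduce on the Jamf side, not eliminate on the Mac.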

Jason33
Contributor II

There are a couple of ways to accomplish this, depending on your user setup and OS. If you're on Catalina or above, and machines are not bound to AD and the accounts are local, I'd say use the Apple Kerberos Extension. You can create the profile, push it to your devices, and users can change their password, and it will update and keep FileVault in sync. You could also look at NoMAD or Jamf Connect.

rsteffens
New Contributor III

Thanks!  I will look into these options and report what works best. Appreciate the input!

rsteffens
New Contributor III

So I did some testing and found that it is the FileVault requirement that is restricting the password field. Is something wrong here?  Is requiring encryption not supposed to grey out the password field?

I'm OK to give employees Users and Groups access, as they don't know the master password. But I'm not OK to turn off the FileVault requirement.  When I exclude a test computer on this profile, the password field becomes active!


rsteffens
New Contributor III

@Jason33 Regarding the Apple Kerberos Extension, I have never used it, but it sounds like it's worth looking into! Are you aware of a guide I could reference on this?  Something with instructions on where to start, download the program, etc.  All my users are local, and endpoints are running Big Sur.