Secure Tokens and changing admin passwords

New Contributor

Hello all,

Was hoping someone could chime in on the following. I should preface that I don't have any specific training in JAMF, but work a lot with JAMF managed machines in our IT team. We have a third-party that manages our JAMF fleet for us, so we usually manage to sort everything with them. Now the following has come up and I wanted to get a second opinion outside of that third-party.

We recently let them know we wanted them to change the admin password for all our machines. We have requested this in the past when the admin password hasn't been changed for a while or when the password was compromised. Pretty routine. When we recently requested them to do this again, they let us know it was not possible to do so as the secure token is on the admin user. With the secure token on the admin, it wasn't possible to change the admin password through a push using JAMF. But, we also can't move the token to the user accounts, since those user accounts are not an admin?

Is this catch-22 something we really can't do anything about, other than changing this all manually on the machines themselves? Is it possible to push a new user account that has admin rights to the machines, then move the token to it, then change the admin password and move the token back to the admin?

Not all our machines have FileVault enabled. But if it is, how would that impact this process?

Hoping to get some more insight, as the third-party in question said it's just not possible and we want to check if we are overlooking something.

Appreciate your time!


Valued Contributor III

You can change the account password and retain the secure token, but it has to be changed in a certain way. If you use a command/policy that blindly force-changes the password, you will lose the token. If you change it with a command that also requires the original password to be supplied, then you are all good.

You basically need to use a script and supply it with the old and new passwords (which can be obscured via encrypted parameters).
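
A sketch of the kind of script the answer above describes, added here as an example and not taken from the thread or from any poster: it changes the password with `dscl . -passwd` while supplying the current password, then checks the Secure Token with `sysadminctl -secureTokenStatus`. It assumes Jamf script parameters `$4` (account), `$5` (current password) and `$6` (new password) arrive in plain text; decrypting encrypted parameters is left out, and the function names and exit codes are this example's own.

```shell
#!/bin/bash
# Added example: rotate a local admin password and keep its Secure Token.
# Assumed Jamf parameters: $4 = account, $5 = current password, $6 = new password.
# Passwords are passed as arguments to dscl, so run this only from the
# management agent as root, never from an interactive shell with history.

token_enabled() {
    # sysadminctl reports the status on stderr, so merge the streams.
    sysadminctl -secureTokenStatus "$1" 2>&1 | grep -q "ENABLED"
}

rotate_admin_password() {
    local user="$1" old="$2" new="$3" had_token=0
    [ -n "$user" ] && [ -n "$old" ] && [ -n "$new" ] || {
        echo "usage: rotate_admin_password <user> <old> <new>" >&2; return 2; }

    # Refuse to continue if the supplied current password is wrong.
    if ! dscl . -authonly "$user" "$old" >/dev/null 2>&1; then
        echo "current password rejected for $user; nothing changed" >&2
        return 3
    fi
    if token_enabled "$user"; then had_token=1; fi

    # Change (not reset): the old password is supplied with the new one.
    if ! dscl . -passwd "/Users/$user" "$old" "$new"; then
        echo "password change failed for $user" >&2
        return 4
    fi

    # Verify the new password works and the token is still present.
    if ! dscl . -authonly "$user" "$new" >/dev/null 2>&1; then
        echo "new password does not authenticate for $user" >&2
        return 5
    fi
    if [ "$had_token" -eq 1 ] && ! token_enabled "$user"; then
        echo "Secure Token no longer enabled for $user" >&2
        return 6
    fi
    echo "password changed for $user (token before: $had_token)"
}

# Run only when Jamf supplies the parameters.
if [ -n "${4:-}" ]; then
    rotate_admin_password "$4" "${5:-}" "${6:-}"
    exit $?
fi
```

A non-zero exit makes the policy show as failed in the Jamf log, so machines where the stored current password was wrong can be followed up individually.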

New Contributor II

Could you please help me with the script?