We have a local account on all of our Mac systems. It's a full Admin, FV2 enabled account that is used primarily by support. At this point the PW for this account is widely known and we would like to change that PW and put it on a 90 day rotation schedule. Enter (drum roll) the Secure Token. I have an understanding of Secure Tokens and I get it... sort of. So in order to change the password of the existing local account I would have to create a new account and leverage the new account to change the password of the existing account. The only trouble with that is there is no way to grant the new account a secure token. Not without a user interaction anyway. That interaction would defeat the purpose of changing the PW. I'm really surprised that secure tokens have been around since High Sierra and Jamf has done nothing in the product to help manage these.
Secure Tokens - Local Account PW Change
+3My initial recommendation is to not enable FileVault for a static admin account. Since the password is widely known this is another point of entry to Mac itself. Are you also using institutional keys? if so I'd advise to use individual keys managed and rotated by Jamf.
For managing a local admin account, while it may come in handy, can you leverage something like Self Service for technicians to log into when working on a device or use the automation of Jamf to help handle the tasks you'd need to log into a separate account for?
Have you looked into Jamf Connect or NoMAD Login for using multiple user accounts to sign into a Mac?
+3This is an account that has existed for a long time. In order to keep consistency between our PC and Mac endpoints this account needs to stay. Looking at another product to simply change a local account password seems like an over complication. It's just a local account and I'm honestly shocked that it's this difficult.
+4I have updated the tag from Jamf Nation to FileValue to more closely align with the conversation at hand. Please let me know if you disagree.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.