Posted on 07:55 AM - last edited a week ago
Hello all,
I was thinking of nightmare scenarios for end users and came up with this one.
A user has forgotten their password, the computer is still FV encrypted, and the device is off-site. What, if anything can we do to assist them getting access to the device?
Thanks in advance, -Pat
Posted on 01-28-2020 08:03 AM
I'm assuming, because it's the worst-case nightmare scenario, that the FV key is not reporting to Jamf?!
Posted on 01-28-2020 08:22 AM
The FileVault key should be assigned to the user's machine in Jamf. If they enter their password wrong too many times at the login box, they should be prompted with a message to reset their password using the FileVault recovery key. They'll need to enter their FileVault recovery key, which you can ping over, and that should allow them to change their local password and get into the machine.
Posted on 01-28-2020 11:00 AM
@nomad123 What about if it is an AD account? I'm thinking the same thing, but just in case you already know. :-)
Posted on 01-28-2020 11:08 AM
Just got a user who did change their AD pw and is remote. FileVault won't take any pw, and the admin account pw was changed, so now we can't get in :/
Posted on 01-28-2020 01:21 PM
FileVault password won't update automatically when it's changed via AD. You can try to walk them through remote stuff with the recovery key, but in the situations I've been in with that, I've ended up telling the user "if you can't remember which password gets you into the computer I need to ship you a new computer", and all but one time they've figured out that password. That time I provisioned them a new laptop and shipped it to them; they shipped theirs back to me, I grabbed the files they needed, and worked with them to transfer them back to their new computer.
Posted on 01-28-2020 05:47 PM
@strayer That is similar to one case we had recently. Basically the user had to change their password because of password expiration rules. They did so in the Okta portal, but that doesn't auto-update the password used to log in to their Mac. Now the user has restarted their device and cannot remember the old password.
If I understand correctly, I could have the user "reset the password" at the FileVault login screen, give them the FV key from Jamf server. Will that get them into their account? The only thing I can think of from that point is to have the device connected to the internet (wired) and use Jamf to push out a new user account or force a password change to their local account. Thoughts?
Posted on 01-29-2020 02:05 AM
Because Active Directory is used via a network, and FileVault is used via a cache, I think that it shouldn't matter if the user is remote, because they are changing the cached password on their machine. Once they're back in the office, within network vicinity, that's when it might give issues and may need to be changed via Active Directory. This is what I think, but I've seen it before.
Posted on 01-29-2020 08:03 AM
@ferrispd In theory that would work, however I'm not sure of the exact steps. I also know that if you try to change the password of an AD account via the Recovery partition it gives you an error, so it's possible that even the FileVault key won't get them in completely.
Posted on 01-30-2020 05:46 AM
@ferrispd @strayer I have been trying to work out the same scenario, where the user is on the road/travelling and forgot their password to log in to the Mac. How would I get them into the Mac? I am performing the test myself: I have a MacBook Pro, Catalina 15.2.3 OS, AD bound and FV encrypted. We used Jamf Pro for build/imaging. I used the FV key to get into the password reset assistant by putting in the FV key and then clicking on "forgot password", and I get the list of profiles to reset the password for. I choose my profile (AD account/mobile) and try to create a new password, but I get: "Error: authentication server could not be contacted". I tried this with a LAN cable and a mobile hotspot/guest network and I still get the same error. Please see screenshots below.
Any thoughts on how to solve this error?
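The thread turns on two things an admin wants to know before a user travels: that FileVault is actually on, and that the account the user will type at the FileVault screen is one of the FileVault-enabled users (an AD mobile account that was never enabled for FileVault cannot be reset there, and, as the last post shows, an AD password reset needs the directory server anyway). The script below is an added example written for this thread, not code from Jamf or from anyone in the discussion. It is a pre-flight check meant to run as root from a Jamf policy: it uses only `fdesetup status` and `fdesetup list` (both real commands), plus a format check on the personal recovery key you read back to the user from Jamf so a transcription slip is caught before they are locked out for more attempts. The recovery-key regex (six groups of four uppercase letters/digits) and the sample `fdesetup list` output in the comments are assumptions I constructed; the helper functions take their input as arguments so they can be tested on a non-Mac host.

```shell
#!/bin/bash
# FileVault pre-flight check for a remote user (added example, not Jamf code).
# Run as root on the Mac, e.g. from a Jamf policy: ./fv_preflight.sh <username>

# Return 0 if KEY looks like a FileVault personal recovery key
# (assumed format: 6 groups of 4 uppercase letters/digits, hyphen separated).
is_valid_prk_format() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Normalise a key typed or pasted by a help-desk agent: uppercase, strip spaces.
normalize_prk() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Given the text of `fdesetup list` (lines of "username,UUID"), print the
# FileVault-enabled usernames, one per line.
fv_enabled_users() {
    printf '%s\n' "$1" | awk -F, 'NF >= 2 && $1 != "" { print $1 }'
}

# Return 0 if USER appears in the `fdesetup list` text LIST.
user_is_fv_enabled() {
    user="$1"; list="$2"
    printf '%s\n' "$list" | awk -F, -v u="$user" '$1 == u { found = 1 } END { exit !found }'
}

# Return 0 if `fdesetup status` output says FileVault is on.
fv_is_on() {
    printf '%s' "$1" | grep -q 'FileVault is On'
}

# Full check on a real Mac. Exits non-zero so the Jamf policy log shows the failure.
preflight() {
    target_user="$1"
    status_out="$(fdesetup status)"
    list_out="$(fdesetup list)"   # constructed sample: "localadmin,1111-...\njdoe,2222-..."

    if ! fv_is_on "$status_out"; then
        echo "FAIL: FileVault is not on: $status_out"; return 1
    fi
    if ! user_is_fv_enabled "$target_user" "$list_out"; then
        echo "FAIL: $target_user is not a FileVault-enabled user. Enabled users:"
        fv_enabled_users "$list_out"
        return 1
    fi
    echo "OK: FileVault on, $target_user can unlock at the FileVault screen"
}

# Only run the live check on macOS; the helpers above work anywhere.
if [ "$(uname -s)" = "Darwin" ] && [ -n "$1" ]; then
    preflight "$1"
fi
```

If the check fails for the mobile account, the fix is done while the user still knows their password and is on the network (adding them as a FileVault user and confirming the escrowed key in Jamf), not after they are locked out on the road.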