I was thinking of nightmare scenarios for end users and came up with this one.
A user has forgotten their password, the computer is still FV encrypted, and the device is off-site. What, if anything can we do to assist them getting access to the device?
Thanks in advance, -Pat
The Filevault key should be assigned to the user machine in Jamf. If they enter their password in wrong too many times on the login box they should be prompted with a message to reset their password using the Filevault recovery key. They'll need to enter in their filevault recovery key which you can ping over and that should allow them to change there local password and enter into the machine.
Filevault password won't update automatically when it's changed via AD. You can try to walk them through remote stuff with the recovery key, but in the situations i've been in with that I've ended up telling the user "if you can't remember which password gets you into the computer I need to ship you a new computer" and all but one time they've figured out that password. That time I provisioned them a new laptop and shipped it to them, they shipped theirs back to me I grabbed the files they needed worked with them to transfer them back to their new computer.
@strayer That is similar to this one case we had recently. Basically the user had to change their password because of password expiration rules. They did so in the Okta portal, but that doesn't autoupdate the password to login to their Mac. Now the user has restarted their device and cannot remember the old password.
If I understand correctly, I could have the user "reset the password" at the FileVault login screen, give them the FV key from Jamf server. Will that get them into their account? The only thing I can think of from that point is to have the device connected to the internet (wired) and use Jamf to push out a new user account or force a password change to their local account. Thoughts?
Because Active Directory is used via a network, and Filevault is used via a cache I think that it shouldn't matter if the user is remote because they are changing the cache password on there machine. Once there back in the office in the network vicinity thats when it might give issues and may need to change it via Active Directory, this is what I think but I've seen before.
@ferrispd @strayer i have been trying to work out the same scenario, where the user is on road/travelling and forgot their password to log in to the mac. how i would get them into mac?. i am performing the test myself- i have a mac book pro, Catalina 15.2.3 OS, AD pound and FV encrypted. we used jamf pro for build/imaging, i used the FV key to get in to the password reset assistant by putting in the FV key and then clicking on forgot password- and i get the list of profiles to reset password for , i choose my profile(AD account/mobile) , try to create a new password but i get the : Error: authentication server could not be contacted. i tried this with LAN cable and mobile hotspot./guest- network and i still get the same error. please see screenshots below.
any thoughts on how to solve this error?