Help

Using Manageable Apple ID with SSO to reset the user forgotten password

VergilBoyanov
New Contributor

Posted on ‎05-22-2023 06:09 AM

Hey All,
Need some help regarding reseting user password on MacOS devices.
I'm trying to avoid separate admin account with LAPS on all company devices. To do that I want to use manageable Apple ID's so the user can reset it by themselves . Unfortunately we are using integration from ABM to Azure with SSO and my problem is that the MacOS recovery window is not visualizing the pop up window in which I have to confirm my credentials. 
Dose anybody find any solution for this ?

0 Kudos
4 REPLIES 4

SCCM
Contributor III

Posted on ‎05-22-2023 09:57 AM

what device are you trying to do this on? if your going into recovery all you should need is the filevault key in order to reset a local account password. But with that the users can rest any account includign management accounts. unless the account has a scure token you cant do what yor trying to do from recovery.
Have a read though this, and the linked pages, it might help: https://travellingtechguy.blog/additional-admin-with-securetoken-or-not/

 

0 Kudos

AJPinto
Honored Contributor II

Posted on ‎05-22-2023 12:40 PM

The most straight forward approach is to use the FileVault Recovery key. When a user enters the FileVault recovery key it triggers a password reset.

 

0 Kudos

VergilBoyanov
New Contributor

Posted on ‎05-23-2023 01:30 AM

Thank you for the suggestion. I'm trying to do this on MacOS. I agree that the easy way is to use the recovery key but unfortunately we have some cases that Jamf dose not store the key. That's the reason why I want to tide my pants and use also the Apple ID for resetting the password. This will also provide the user to open a case to us and ask for support or the recovery key 

0 Kudos

AJPinto
Honored Contributor II
In response to VergilBoyanov

Posted on ‎05-23-2023 03:14 AM

It’s not possible to reset the FileVault password with an appleID. The macOS password itself can be reset at the macOS login screen, but he user would need to get past FileVault first. FileVault recovery keys are apples solution to this. The best course is probably to identify which devices you don’t have a recovery key for and either reencrypt or run a script to escrow the recovery key. 


macOS also has a few options in recovery to reset all passwords. However any of these options represent a significant security risk as anyone who can get in to recovery can exploit these methods. 

https://support.apple.com/en-us/HT202860

 

0 Kudos