What kind of script would I need?

mrrobertbuss
Contributor

I am testing a reset local user password Policy in case a user forgets his macbook login password. I see this as a trigger option: 

"Startup - When a computer starts up. A startup script that checks for policies must be configured in Jamf Pro for this to work"
What kind of Startup Script would I need for this policy to take effect? This may come up in the future and would like to have this available for a real situation.
 
OTW, the trigger is Recurring Check-in but it doesn't seem to check in after I reboot and wait 15 minutes. I don't believe Recurring Check-In will happen until after the user logs in. This won't help if I can't reset the password through Policy. Any help/advice is always greatly appreciated.
4 REPLIES

jamf-42
Valued Contributor II

You're not using FileVault? Normally if the user forgets the password, issue the PRK, then rotate the PRK.

mrrobertbuss
Contributor

Thank you. I am using FileVault. What is PRK?

Tribruin
Valued Contributor II

PRK = Personal Recovery Key, or, as it is sometimes known, the FileVault Recovery Key. If you have FileVault enabled, then you will not be able to rotate the user's password. When you boot the computer, it boots to a pre-OS environment to unlock the drive. The user's password is used to unlock the drive. Until the drive is unlocked and the OS is booted, it is unable to receive MDM commands. So, by deduction, if the user forgets their password, you won't be able to reset it using Jamf.

 

So, instead you need a workflow that utilizes the PRK to reset the user's password. Hopefully you are escrowing the PRK into Jamf. If a user forgets their password, they would need to follow these steps:

  • Boot to recovery
  • Unlock the drive using the FileVault PRK
  • Reset the user's password
  • Reboot the computer and log in using the new password.

AJPinto
Honored Contributor III

The start-up script you are referring to is a function of Jamf Pro. It's enabled in settings when you enable login hooks. Basically, it's a LaunchDaemon that runs on the Mac to kick the Jamf things off when the device restarts.

 

Be aware with account passwords. If the user has a Secure Token (which they likely do), Jamf cannot reset their password, as you need a Secure Token to reset a Secure Token holding account's password. This is by Apple's design.

 

To reset a user's password:

  • You will need to provide the user the FileVault recovery key
  • They enter that recovery key into FileVault.
  • The Mac will reboot into recovery.
    • The user will need to be provided the recovery lock password if enabled.
  • macOS Recovery will walk the user through resetting their password.

There is no way to automate this process in MDM for a Secure Token holding account, period. Yes, Apple has a LONG way to go with enterprise identity management.
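The two constraints raised in Tribruin's and AJPinto's replies (FileVault on, account holds a Secure Token) decide up front whether a Jamf password-reset policy can do anything for a given account. The pre-flight check below is an added example, not code from the thread or from Jamf; it parses the output of `fdesetup status` and `sysadminctl -secureTokenStatus <user>` as those commands print it today (an assumption about output wording), and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Pre-flight check: can an MDM/Jamf policy reset this local account's password,
# or must the user go through the PRK / macOS Recovery workflow instead?
# Assumes macOS with fdesetup and sysadminctl on PATH when run live (as root).

# classify_reset_path FV_STATUS_OUTPUT TOKEN_STATUS_OUTPUT
#   $1: output of `fdesetup status`                  e.g. "FileVault is On."
#   $2: output of `sysadminctl -secureTokenStatus U`  e.g. "... Secure token is ENABLED for user U"
# Prints "needs-prk-workflow" when either condition blocks an MDM reset,
# otherwise "mdm-reset-ok".
classify_reset_path() {
    fv_status="$1"
    token_status="$2"
    case "$fv_status" in
        *"FileVault is On"*) fv_on=1 ;;
        *)                   fv_on=0 ;;
    esac
    case "$token_status" in
        *"Secure token is ENABLED"*) token=1 ;;
        *)                           token=0 ;;
    esac
    if [ "$fv_on" -eq 1 ] || [ "$token" -eq 1 ]; then
        echo "needs-prk-workflow"
    else
        echo "mdm-reset-ok"
    fi
}

# Human-readable reason for the decision, from the same two outputs.
explain_reset_path() {
    case "$1" in *"FileVault is On"*) echo "FileVault on: drive locked pre-boot, no MDM until unlocked" ;; esac
    case "$2" in *"Secure token is ENABLED"*) echo "Secure Token held: only a token holder can reset it" ;; esac
}

# Live wrapper: gather the real outputs for one user and classify them.
check_user() {
    user="$1"
    fv="$(fdesetup status 2>/dev/null)"
    # sysadminctl writes its status line to stderr, so capture both streams.
    tok="$(sysadminctl -secureTokenStatus "$user" 2>&1)"
    explain_reset_path "$fv" "$tok"
    classify_reset_path "$fv" "$tok"
}

# Usage: sudo ./check_reset_path.sh <username>
if [ -n "${1:-}" ]; then
    check_user "$1"
fi
```

Run it against the escrow-time state of a Mac to confirm that the PRK is escrowed in Jamf for every account the check reports as "needs-prk-workflow".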