Jamf Connect Password Sync.

JamfAdmin2
New Contributor II

Hello, I am dealing with a strange issue.

We are testing Jamf Connect, and on my test machine, when I get to the step that says "your Okta password does not match your local account", it does not take the new Okta password I just created; for some reason it is taking my old Okta password.

Nicholaus
Contributor

That screen is letting you know that the local password is not the same as your current Okta password. It should take the local password and sync it with the new Okta one. It's wanting your old password in order to update it.

JamfAdmin2
New Contributor II

So, it wanting my old password, is that normal?

Also, I wanted to know: if we are in a situation where a user is on that screen and does not remember their old password, then they would be stuck, correct?

stevewood
Honored Contributor II

Yes, if the user does not remember their local password they would be unable to get past that screen.

That is why it is important to escrow FileVault recovery keys. In the situation where a user does not recall their local password, the Recovery Key can be used to get into recoveryOS and allow the user to change the local password. Once they do that and restart, they will once again be prompted to sync their local and Okta passwords.

JamfAdmin2
New Contributor II

This is a dumb question, but what would be the user's local password? Is it their computer password? When I get to that screen to sync my local password, it takes my old Okta password for some reason; not sure why it is doing that. And this is our first time setting up Jamf Connect. Is there a way to get rid of that part of the process, so that the screen to sync the local password does not pop up? Or is that something that will always show?

stevewood
Honored Contributor II

Yes, local password is the user's computer password. And no, you cannot get around that.

In order for Jamf Connect to be able to sync the local computer password with the Okta password, Jamf Connect needs to know what that local computer password is. That will allow Jamf Connect to change the three computer passwords: 1) macOS login, 2) user's Keychain, and 3) FileVault password.

First time you deploy Jamf Connect, Jamf Connect knows nothing. When the user signs into the computer at the Jamf Connect login window using their Okta password, Jamf Connect now knows that user's Okta password but still does not know the local computer password. The user is then prompted for that computer password (local password) so that Jamf Connect can change the computer password to match the Okta password.

If the user does not know the computer password you can either sign into the computer as an admin and change the user's password, or use the FileVault recovery key to allow the user to sign into recoveryOS and change the password there.

JamfAdmin2
New Contributor II

Hmm, alright, appreciate the clarification. I am just a little confused.

So the only time I get to that screen is when I am on the Okta login window in Jamf Connect and I put in my org's email and a temp password; I then create a new Okta password.

Once I have created a new Okta password, I get a screen change to verify my password. Once I verify my new Okta password, the last screen brings me to that screen in the image I posted above, so when I put in my new Okta password it doesn't take it. It takes my old Okta password only.

Not sure why that is the case. In our PreStage we have "Skip account creation" on; not sure if that needs to be on.

stevewood
Honored Contributor II

So are these newly provisioned devices or is this on devices that are already in use? You mention the use of a temp password, so am I to assume that this is also for new hires, or is that temp password for if you forget your current password?

For a new device and a new hire, or a user with a temp password, I would suggest putting in an Enrollment Customization with the SSO pane. That would prompt the user for their Okta creds before the login window functions. Since that is a WebKit view, they would be able to set their permanent password without Jamf Connect trying to use it to create their account.

In the case where a user has forgotten their password and you provide a temp password from Okta, they still need that forgotten password to get Jamf Connect to sync up. So in those cases you will need to change the local account password to something they know, or to that same temp password, so that when they sign into Jamf Connect and they are prompted for the local password, they know what it is.

Hopefully that all makes sense. If it doesn't, might I suggest reaching out to either support or to your account executive to get on a call and discuss the scenario.

SCCM
Contributor III

When you say you're testing it out, do you mean you have just set up the config? If so, maybe you need to change one of your keys, "OIDCNewPassword", and set it to false so it's not prompting the user to create a local password first, but uses the network one. I think it's the same key for Okta, but you would need to double check.
Links:
https://learn.jamf.com/bundle/jamf-connect-documentation-current/page/Initial_Local_Password_Creatio...
https://learn.jamf.com/bundle/jamf-connect-documentation-current/page/Login_Window_Preferences.html#...

Misread what you wrote there. It sounds like it's doing what it's meant to. You're syncing your machine with a temp password, which you then change. Jamf Connect sees they are out of sync when you next authenticate, so it asks you for your local password, which will be the "temp password". Once you log in, it should have changed the password to your new one (and should be the latest from the next attempt).