Hi you all.
We are just starting to roll out Jamf and are currently trying to remotely change the password of the local admin accounts on our users' devices without losing access to the keychain and/or FV2.
The local admin is the only secure token holder on the devices.
Simply changing the password via a script payload destroys both of those.
Same thing happens if we try to change the credentials by policy.
I myself am new-ish to scripting this sort of thing.
That being said, I had some sort of success by
- creating a new temp-admin user
- escrowing the token onto the new user
- changing the password of our old admin
- giving the old admin a new token
- deleting the temp-admin
This seemingly keeps the FV2 and keychain access intact, but it feels like a hack job and a catastrophe waiting to happen.
We'd be really grateful for any less jerry-rigged approach to this.
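As an added example (not code from the original post, from Jamf, or from Apple), here is the temp-admin hand-off described above written out with `sysadminctl`, with two things the post's list does not mention: a re-key of the admin's login keychain so it still opens with the new password, and secure-token checks before and after each hand-off so the script aborts rather than leaving a tokenless admin behind. The account names, the keychain path and the `DRY_RUN` switch are assumptions made for this example; it assumes macOS with FileVault 2 and is meant to run as root from a Jamf policy.

```shell
#!/bin/bash
# Added example, not from the original post or from Jamf: rotate a local admin's
# password via a temporary secure-token admin, keep the login keychain in sync,
# and verify the token survives. Assumes macOS + FileVault 2, run as root.
# Account names, the keychain path and DRY_RUN are placeholders/assumptions.
set -u

ADMIN_USER="${ADMIN_USER:-localadmin}"   # placeholder: token-holding admin being rotated
TEMP_USER="${TEMP_USER:-pwrotate_tmp}"   # placeholder: short-lived helper admin
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the plan (passwords masked) instead of executing

# Echo a command with the argument after any password flag masked, then run it
# unless DRY_RUN=1. Passwords are passed as separate argv entries, never pasted
# into a "sh -c" string; they are still visible in ps while sysadminctl runs.
run() {
  local shown=() skip=0 arg
  for arg in "$@"; do
    if [ "$skip" = 1 ]; then shown+=("****"); skip=0; continue; fi
    case "$arg" in -password|-newPassword|-adminPassword|-o|-p) skip=1 ;; esac
    shown+=("$arg")
  done
  printf '%s\n' "${shown[*]}"
  [ "$DRY_RUN" = 1 ] || "$@"
}

# sysadminctl reports "... Secure token is ENABLED for user X" (on stderr).
# Returns 0 when the given text says ENABLED, 1 otherwise.
token_is_enabled() {
  case "$1" in *"Secure token is ENABLED"*) return 0 ;; esac
  return 1
}

# Live token state of a user; in DRY_RUN the answer is always ENABLED so the plan prints.
token_status() {
  if [ "$DRY_RUN" = 1 ]; then echo "Secure token is ENABLED for user $1 (dry run)"; return; fi
  sysadminctl -secureTokenStatus "$1" 2>&1
}

rotate_admin_password() {
  local old_pw="${OLD_PW:?set OLD_PW to the current admin password}"
  local new_pw="${NEW_PW:?set NEW_PW to the new admin password}"
  local temp_pw keychain="/Users/$ADMIN_USER/Library/Keychains/login.keychain-db"  # assumed path
  temp_pw="$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)"

  if [ "$DRY_RUN" != 1 ] && [ "$(id -u)" -ne 0 ]; then
    echo "must run as root" >&2; return 1
  fi
  # 0. The admin must already hold a token, or nothing below can be authorized.
  if ! token_is_enabled "$(token_status "$ADMIN_USER")"; then
    echo "$ADMIN_USER has no secure token; aborting" >&2; return 1
  fi
  # 1. Create the temp admin, authorized by the current admin, and make sure it got a token.
  run sysadminctl -adminUser "$ADMIN_USER" -adminPassword "$old_pw" \
      -addUser "$TEMP_USER" -password "$temp_pw" -admin || return 1
  if ! token_is_enabled "$(token_status "$TEMP_USER")"; then
    run sysadminctl -adminUser "$ADMIN_USER" -adminPassword "$old_pw" \
        -secureTokenOn "$TEMP_USER" -password "$temp_pw" || return 1
  fi
  # 2. Reset the admin's password, authorized by the temp admin's token.
  run sysadminctl -adminUser "$TEMP_USER" -adminPassword "$temp_pw" \
      -resetPasswordFor "$ADMIN_USER" -newPassword "$new_pw" || return 1
  # 3. Re-grant the admin's token only if the reset actually dropped it.
  if ! token_is_enabled "$(token_status "$ADMIN_USER")"; then
    run sysadminctl -adminUser "$TEMP_USER" -adminPassword "$temp_pw" \
        -secureTokenOn "$ADMIN_USER" -password "$new_pw" || return 1
  fi
  # 4. The login keychain is encrypted with the old password; re-key it so it is
  #    not left inaccessible (or reset) at the admin's next login.
  run security set-keychain-password -o "$old_pw" -p "$new_pw" "$keychain" || return 1
  # 5. Remove the temp admin so no extra token holder survives the rotation.
  run sysadminctl -adminUser "$ADMIN_USER" -adminPassword "$new_pw" \
      -deleteUser "$TEMP_USER" -secure || return 1
  # Final check: token still present and the admin still listed as a FileVault user.
  token_is_enabled "$(token_status "$ADMIN_USER")" || return 1
  [ "$DRY_RUN" = 1 ] || fdesetup list | grep -q "^$ADMIN_USER," || return 1
}

# Usage (placeholder script name): sudo OLD_PW='...' NEW_PW='...' bash rotate_admin_pw.sh run
# Preview first with: DRY_RUN=1 OLD_PW=x NEW_PW=y bash rotate_admin_pw.sh run
case "${1:-}" in run) rotate_admin_password ;; esac
```

Run it with `DRY_RUN=1` first: it prints each `sysadminctl` and `security` call with the passwords masked, which is also what you want captured in the policy log instead of the real credentials. The conditional token checks at steps 1 and 3 are what make the procedure safe to re-run: if the reset keeps the token (as it should when authorized by another token holder), nothing extra happens, and if it does not, the token is restored before the temp admin is deleted.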