Posted on 03-24-2022 02:03 AM
Hi you all.
We are just starting to roll out Jamf and are currently trying to remotely change the password of the local admin accounts on our users' devices without losing access to the keychain and/or FV2.
The local Admin is the only secure token holder on the devices.
Simply changing the password via a script payload destroys both of those.
Same thing happens if we try to change the credentials by policy.
I myself am new-ish to scripting this sort of thing.
That being said, I had some sort of success by
This seemingly keeps the fv2 and keychain access intact, but it feels like a hack job and a catastrophe waiting to happen.
We'd be really grateful for any less jerry-rigged approach to this.
Posted on 03-25-2022 07:27 AM
Take a look at https://github.com/joshua-d-miller/macOSLAPS
If you have an existing local admin account this will allow you to update that password and the bootstrap token for that user.
Posted on 03-28-2022 12:44 AM
We have managed to keep FV2 and the Secure intact. But even LAPS locks our local admin out of his keychain.
Is there any way to avoid that?
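Added example, not code from this thread or from macOSLAPS: the first post describes the failure mode (an unauthenticated reset drops the secure token and FV2 unlock), and the post above asks how to keep the keychain. Both come down to the same two steps, so one script illustrates them: an authenticated password change (the current password is presented, so the secure token and with it the FV2 unlock survive), followed by a separate re-keying of the login keychain, which no password change does on its own. The account name `ladmin`, the assumption that the current password is known, and running as root (for example from a Jamf policy) are placeholders and assumptions of the example.

```shell
# Added example (not from this thread or macOSLAPS): rotate a local admin's
# password on macOS with an authenticated change, then re-key the login
# keychain so it opens with the new password.
# Assumptions (placeholders): local account "ladmin", its current password is
# known, the script runs as root.

LOGIN_KEYCHAIN='Library/Keychains/login.keychain-db'

# Parse the text printed by `sysadminctl -secureTokenStatus <user>` (read from
# stdin so it can be checked offline); print ENABLED, DISABLED or UNKNOWN.
token_state_from_output() {
  out="$(cat)"
  case "$out" in
    *"Secure token is ENABLED"*)  echo ENABLED ;;
    *"Secure token is DISABLED"*) echo DISABLED ;;
    *)                            echo UNKNOWN ;;
  esac
}

# Print the rotation as one command per line with the passwords masked, so the
# plan can be reviewed or written to a policy log without leaking credentials.
rotation_plan() {
  user="$1"
  printf '%s\n' \
    "dscl . -passwd /Users/$user <old> <new>" \
    "sudo -u $user security set-keychain-password -o <old> -p <new> /Users/$user/$LOGIN_KEYCHAIN" \
    "sysadminctl -secureTokenStatus $user"
}

# Perform the rotation. Returns 0 on success, 1 if a step failed, 2 if the
# account had no secure token to begin with (an authenticated change cannot
# preserve a token that is not there; grant the token first).
rotate_admin_password() {
  user="$1"; old="$2"; new="$3"
  before="$(sysadminctl -secureTokenStatus "$user" 2>&1 | token_state_from_output)"
  [ "$before" = ENABLED ] || return 2
  # Authenticated change: the old password is presented, so the secure token
  # (and with it the FileVault unlock) is kept. An unauthenticated
  # `sysadminctl -resetPasswordFor` without -adminUser/-adminPassword, or a
  # policy "change password" payload, is what strips it.
  dscl . -passwd "/Users/$user" "$old" "$new" || return 1
  # The login keychain is encrypted with the old password and is not touched
  # by the directory change; re-key it explicitly, as the user.
  sudo -u "$user" security set-keychain-password -o "$old" -p "$new" \
    "/Users/$user/$LOGIN_KEYCHAIN" || return 1
  # Verify the token survived before reporting success.
  after="$(sysadminctl -secureTokenStatus "$user" 2>&1 | token_state_from_output)"
  [ "$after" = ENABLED ]
}

# Usage (root, on the Mac):  rotate_admin_password ladmin "$OLD_PW" "$NEW_PW"
# Review first with:         rotation_plan ladmin
```

Two caveats worth checking in your own rollout: both passwords pass on the command line, so they are briefly visible to other local processes via `ps` while each command runs (prefer a tool that reads them from stdin or the OpenDirectory API if that matters in your threat model), and the keychain step assumes the login keychain exists, which is only true once the account has logged in graphically at least once.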
Posted on 03-28-2022 10:49 AM
Have you asked the same within the MacAdmins Slack? In particular in #macoslaps?