Change local admin password without losing access to Keychain and FV2

Raiden
New Contributor

Hi you all.

We are just starting to roll out Jamf and are currently trying to remotely change the password of the local admin accounts on our users' devices without losing access to the keychain and/or FV2.

The local admin is the only Secure Token holder on the devices.

Simply changing the password via a script payload destroys both of those.
Same thing happens if we try to change the credentials by policy.

I myself am new-ish to scripting this sort of thing.

That being said, I had some sort of success by

  1. creating a new temp-admin user
  2. escrowing the token onto the new user
  3. changing the password of our old admin
  4. giving the old admin a new token
  5. deleting the temp-admin

This seemingly keeps FV2 and keychain access intact, but it feels like a hack job and a catastrophe waiting to happen.

We'd be really grateful for any less jerry-rigged approach to this.
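The five steps above, written out as the sysadminctl calls a Jamf script payload would run. This is an added example, not a script from the poster or from Jamf; the account name jamf-rotate-tmp, the argument order (admin, old password, new password) and the DRY_RUN switch are assumptions made here. It keeps the temp admin around if the original admin does not end up with a Secure Token again, because at that point the temp account is the only one that can unlock FileVault.

```bash
#!/bin/bash
# Added example: the temp-admin rotation described in the post, as sysadminctl calls.
# Assumptions: the account named in $1 is the only Secure Token holder and its
# current password is known ($2); $3 is the new password. As a Jamf script you
# would map these from $4/$5/$6 instead.
# DRY_RUN=1 prints each command (passwords redacted) instead of executing it, so
# the sequence can be reviewed off-device before it ever touches a token.

DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or in dry-run mode print it with every password argument
# replaced by *** so secrets never land in the policy log.
run() {
    if [ "$DRY_RUN" != "1" ]; then
        "$@"
        return
    fi
    printf '%s' "$1"
    shift
    local redact=0 arg
    for arg in "$@"; do
        if [ "$redact" = 1 ]; then
            printf ' ***'
            redact=0
        else
            printf ' %s' "$arg"
            case "$arg" in
                -password|-adminPassword|-newPassword) redact=1 ;;
            esac
        fi
    done
    printf '\n'
}

# sysadminctl reports "Secure token is ENABLED for user ..." on stderr; the
# exact wording is what current macOS prints, so check it on your own build.
token_enabled() {
    [ "$DRY_RUN" = "1" ] && return 0
    sysadminctl -secureTokenStatus "$1" 2>&1 | grep -q 'ENABLED'
}

# rotate_admin_password ADMIN OLD_PW NEW_PW
# Returns non-zero, leaving the temp admin in place as a recovery path, if any
# step fails to leave a token where the next step needs one.
rotate_admin_password() {
    local admin="$1" old_pw="$2" new_pw="$3"
    local temp="jamf-rotate-tmp"
    # Throwaway password for the temp account (36 hex chars from /dev/urandom).
    local temp_pw
    temp_pw="$(od -An -N18 -tx1 /dev/urandom | tr -d ' \n')"

    # 1. Create the temp admin, authorising as the current token holder.
    run sysadminctl -addUser "$temp" -fullName "Rotation temp admin" \
        -password "$temp_pw" -admin -adminUser "$admin" -adminPassword "$old_pw"

    # 2. Grant the temp admin a Secure Token explicitly (do not rely on inheritance).
    run sysadminctl -secureTokenOn "$temp" -password "$temp_pw" \
        -adminUser "$admin" -adminPassword "$old_pw"
    if ! token_enabled "$temp"; then
        echo "$temp has no Secure Token; aborting before touching $admin" >&2
        return 1
    fi

    # 3. Reset the real admin's password, authenticating as the temp token holder.
    run sysadminctl -resetPasswordFor "$admin" -newPassword "$new_pw" \
        -adminUser "$temp" -adminPassword "$temp_pw"

    # 4. Re-grant the token to the real admin using its new password.
    run sysadminctl -secureTokenOn "$admin" -password "$new_pw" \
        -adminUser "$temp" -adminPassword "$temp_pw"
    if ! token_enabled "$admin"; then
        echo "$admin lost its Secure Token; keeping $temp so FileVault stays unlockable" >&2
        return 1
    fi

    # 5. Remove the temp admin and its home only once the real admin holds a token again.
    run sysadminctl -deleteUser "$temp" -secure -adminUser "$admin" -adminPassword "$new_pw"
}

# Usage:  DRY_RUN=1 ./rotate.sh --rotate localadmin 'OldPass' 'NewPass'
if [ "${1:-}" = "--rotate" ]; then
    rotate_admin_password "$2" "$3" "$4"
fi
```

Two caveats worth carrying into a real policy. Passwords passed on the command line are visible in the process list on the device for the duration of each sysadminctl call, which is one reason the LAPS tools mentioned below take a different route. And step 3 is a reset performed by another account rather than a change made with the old password, which is exactly the case where macOS warns that the login keychain stays encrypted under the old password; verify keychain state on a test device before rolling this out.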


caffine247
New Contributor III

Take a look at https://github.com/joshua-d-miller/macOSLAPS

If you have an existing local admin account this will allow you to update that password and the bootstrap token for that user.

We have managed to keep FV2 and the Secure Token intact. But even LAPS locks our local admin out of his keychain.

Is there any way to avoid that?

caffine247
New Contributor III

Have you asked the same within the MacAdmins Slack? In particular the #macoslaps channel?