We're testing 10.14.0. We might be in the same boat.
I have a policy that is set to change both the Local Accounts and the Management Accounts password.
The Management Account Policy works but the Local Accounts policy does not.
I even tested and created a new policy and still Error.
I'm definitely having this issue, but it's only affecting Mojave machines. JSS is 10.7.1. Are you seeing this on other OSs?
I see it on macOS 10.11 and 10.12.
In our environment, we had to make sure the management account wasn't hidden and remove any special characters in the password to resolve this issue.
Thought about that. The account isn't hidden, nor do we use special characters.
I get this error after I re-enroll a Mac with QuickAdd. It seems like it fails to create the management account, since the account is already present on the machine. This seems to break the password-sync so the policy can't update the management account password.
The only way I found around this was to first delete the management account using dscl and then re-enroll:
sudo dscl . -delete "/Users/managementAccountName"
(Replace managementAccountName with your account name).
Any help with getting this policy to update the management account password without re-enrolling the machine is much appreciated!
Oddly enough, I can "Reset" the Management Account password, but I cannot "Change" the Management Account password.
@RedWings Do you know if using the "Reset" option will fix the issue?
@adolfsson So it DID reset it to my new password, but remember if you "reset" the Management Account password, it does not update the Keychain or the FileVault password. So in some ways, it almost causes more issues.
We managed to get the password sync with the management account working again. You need to change the management account password on the computer locally first, then you send a specific recon command to report the management account password back to the JSS. At this point the password is in sync but with your known password. Now the policy can run to set a random hidden password!
sudo dscl . passwd /Users/jamfmanage newpwd
sudo jamf recon -sshUsername jamfmanage -sshPassword newpwd
This is a bit hard to automate since you can't scope this to the computers that have failed the password change policy. It is possible though through the API with a lot of looping.
@adolfsson yeah, we have 400 Macs. So changing the password locally isn't viable.
@RedWings You can change it with a script in a policy. What I meant was you need to change the computer's management account password and not the management account password reported in the JSS.
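The two-step fix from the posts above (local dscl password change, then recon with the same credentials), wrapped as a script that could be attached to a policy. This is an added example, not code posted by anyone in the thread; the function name, the return codes and the use of script parameters $4 and $5 for the account name and temporary password are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Meant to run as root from a Jamf policy.
# Assumptions: $4 = management account short name, $5 = temporary known password.
# The password travels as a command-line argument, so treat it as temporary
# until the password policy has replaced it with a random one.

resync_mgmt_account() {
    local acct="$1"
    local newpw="$2"
    if [ -z "$acct" ] || [ -z "$newpw" ]; then
        echo "account name and password are required" >&2
        return 2
    fi
    # Stop early if the management account does not exist on this Mac.
    if ! dscl . -read "/Users/$acct" UniqueID >/dev/null 2>&1; then
        echo "account $acct not found locally" >&2
        return 3
    fi
    # Step 1: set the known password on the computer itself (run as root).
    if ! dscl . -passwd "/Users/$acct" "$newpw"; then
        echo "local password change failed" >&2
        return 4
    fi
    # Check that the new password authenticates before reporting it.
    if ! dscl . -authonly "$acct" "$newpw" >/dev/null 2>&1; then
        echo "new password does not authenticate for $acct" >&2
        return 5
    fi
    # Step 2: report the same credentials back to the JSS.
    if ! jamf recon -sshUsername "$acct" -sshPassword "$newpw" >/dev/null; then
        echo "recon failed, JSS record not updated" >&2
        return 6
    fi
    echo "management account $acct is back in sync"
}

# Run only when both script parameters were supplied.
if [ -n "${4:-}" ] && [ -n "${5:-}" ]; then
    resync_mgmt_account "$4" "$5"
fi
```

A non-zero exit marks the policy run as failed in the policy log, which gives a way to see which computers still need attention.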
I was informed this is now a known issue with JAMF Pro 10.
Thanks @adolfsson that recon command just made my day!
Thanks @adolfsson, your method saves us.
We have that issue mainly (maybe only) on 10.15.7 systems.
Best regards.