Posted on 05-14-2024 11:50 AM
I am testing a reset local user password policy in case a user forgets his MacBook login password. I see this as a trigger option:
Posted on 05-14-2024 12:04 PM
You're not using FileVault? Normally if the user forgets their password, issue the PRK, then rotate the PRK.
Posted on 05-14-2024 04:29 PM
Thank you. I am using FileVault. What is PRK?
Posted on 05-14-2024 06:19 PM
PRK = Personal Recovery Key, sometimes known as the FileVault Recovery Key. If you have FileVault enabled, then you will not be able to rotate the user's password. When you boot the computer, it boots to a pre-OS environment to unlock the drive. The user's password is used to unlock the drive. Until the drive is unlocked and the OS is booted, it is unable to receive MDM commands. So, by deduction, if the user forgets their password, you won't be able to reset it using Jamf.
So instead you need a workflow that uses the PRK to reset the user's password. Hopefully you are escrowing the PRK into Jamf. If a user forgets their password, they would need to follow these steps:
1. Boot to Recovery
2. Unlock the drive using the FileVault PRK
3. Reset the user's password
4. Reboot the computer and log in using the new password.
Posted on 05-15-2024 05:12 AM
The start-up script you are referring to is a function of Jamf Pro. It's enabled in Settings when you enable login hooks. Basically, it's a LaunchDaemon that runs on the Mac to kick the Jamf things off when the device restarts.
Be aware with account passwords: if the user has a Secure Token (which they likely do), Jamf cannot reset their password, as you need a Secure Token to reset a Secure Token-holding account's password. This is by Apple's design.
To reset a user's password:
There is no way to automate this process in MDM for a Secure Token holding account, period. Yes, Apple has a LONG way to go with enterprise identity management.
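A pre-flight script for the situation described in the two answers above (the PRK workflow and the Secure Token limitation), added here as an example and not something posted in the thread or shipped by Jamf. It reads the Mac's FileVault and Secure Token state, says which reset path applies, and optionally checks the PRK pulled from Jamf's escrow record before a user is sent to Recovery with it. Assumptions: the output strings it matches ("FileVault is On.", "Secure token is ENABLED for user ...") are those printed by fdesetup(8) and sysadminctl(8), and `fdesetup validaterecovery` accepts the key on stdin and prints `true`/`false`; the script name reset_preflight.sh is made up.

```sh
#!/bin/sh
# Pre-flight check before attempting a local password reset from Jamf.
# Added example; not from the thread. Classifies the Mac's FileVault and
# Secure Token state and reports which reset path applies.

# Classify `fdesetup status` output: on, off or unknown.
filevault_state() {
    case "$1" in
        *"FileVault is On"*)  echo on ;;
        *"FileVault is Off"*) echo off ;;
        *)                    echo unknown ;;
    esac
}

# Classify `sysadminctl -secureTokenStatus <user>` output (it is written to stderr).
secure_token_state() {
    case "$1" in
        *"Secure token is ENABLED"*)  echo enabled ;;
        *"Secure token is DISABLED"*) echo disabled ;;
        *)                            echo unknown ;;
    esac
}

# Shape check for a Personal Recovery Key pulled from escrow: six hyphen-separated
# groups of four characters from [A-Z0-9]. Catches a truncated or mis-copied key
# before a user is walked through Recovery with it.
prk_format_ok() {
    printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# Decide the reset path from the two command outputs:
#   mdm-reset          no Secure Token, so a Jamf/MDM-side reset can work
#   prk-workflow       Secure Token holder on a FileVault volume: Recovery + PRK
#   local-admin-reset  Secure Token holder, FileVault off: another Secure Token
#                      holder must reset it locally with sysadminctl
reset_path() {
    fv=$(filevault_state "$1")
    st=$(secure_token_state "$2")
    if [ "$st" != enabled ]; then
        echo mdm-reset
    elif [ "$fv" = on ]; then
        echo prk-workflow
    else
        echo local-admin-reset
    fi
}

# Live check, run on the Mac itself:  sh reset_preflight.sh <username> [<escrowed PRK>]
main() {
    user=$1
    prk=${2:-}
    fv_out=$(fdesetup status 2>&1)
    st_out=$(sysadminctl -secureTokenStatus "$user" 2>&1)
    path=$(reset_path "$fv_out" "$st_out")
    echo "user=$user filevault=$(filevault_state "$fv_out") securetoken=$(secure_token_state "$st_out") path=$path"
    case "$path" in
        prk-workflow)
            if [ -n "$prk" ]; then
                prk_format_ok "$prk" || { echo "escrowed PRK is malformed; fix the escrow record first"; exit 2; }
                # Confirm the escrowed key still unlocks this volume before relying on it.
                if [ "$(printf '%s\n' "$prk" | fdesetup validaterecovery)" = true ]; then
                    echo "escrowed PRK validates: boot to Recovery, unlock with the PRK, reset the password, reboot"
                else
                    echo "escrowed PRK does NOT validate; rotate with 'fdesetup changerecovery -personal' and re-escrow"
                    exit 3
                fi
            else
                echo "Secure Token holder on FileVault: Jamf cannot reset this password; use the PRK workflow"
            fi ;;
        local-admin-reset)
            echo "FileVault off, so no PRK: reset locally with another Secure Token holder:"
            echo "  sysadminctl -adminUser <st-admin> -adminPassword - -resetPasswordFor $user -newPassword -" ;;
        mdm-reset)
            echo "no Secure Token: an MDM/Jamf reset should succeed" ;;
    esac
}

# Only run the live checks on macOS with a username argument; the functions above
# can be exercised anywhere on captured command output.
if [ "$(uname -s)" = Darwin ] && [ $# -ge 1 ]; then
    main "$@"
fi
```

The classification functions take the command output as a string so the decision logic can be checked on captured output without a Mac; the live commands are only issued by `main`. Validating the escrowed key on a machine that still boots is the cheap way to catch a stale escrow record before the user is locked out and the Recovery step is the only option left.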