Reset Management Account Password Remotely

cpdecker
Contributor III

Hello all,

Thanks in advance for any help with this issue.

A user with administrator rights changed our local management account password on a Macbook Air. I have it straightened out by using that user's account to reset the management account password to what it should be. However, in the future I would like to have this problem taken care of remotely.

My first thought was to use Casper Remote to reset the password, but it turns out it can't connect because it no longer has the password for the local management account it connects to via SSH. Then I thought to try creating a policy to execute that will reset the password, but it fails with "Error: This is the Remote Management Account for this computer. Please reset the password using the SSH Account section." when I use "sudo jamf policy".

Now I have two questions:
1. What can I do to remotely reset the local management account password without knowing what that password is, whether I can do it right now or if I need to do something different with future deployments?
2. Is the local management account setting stored in the JSS somewhere or does it use whatever account is used to add it to the JSS using QuickAdd.pkg?

I have noticed there is a startup script section in the web interface, but it looks limited and doesn't seem capable of the same things a policy is. I guess my thought was to have the password reset to what it should be every time the computer is powered on somehow, if we can't access it remotely in any way.

Thanks again,
Cameron

2 ACCEPTED SOLUTIONS

charliwest
Contributor II

I would have a hidden user as the management account; then the local admin account can be reset by the management account. For example, jssadmin is the management account for Casper Suite, and administrator is the local admin account that all IT admins can get into if the user forgets their password or we need to install things. Does that make sense?


mike_paul
Contributor III

Hey Cameron, just to chime in with a few verbose pieces of information about your questions and goal.

For question 1 (remotely reset management account):
- If you create a policy to reset the management account (to a specific or random password) it will do this even if the password on the machine differs from what is stored in the JSS, since the policy is kicked off via the LaunchDaemon and is running as root. So set it to recurring check-in, and the next time the machine checks in it will get its management account password changed regardless of what is currently on the machine.
- Side note: as of 9.23 we only use the management account for Casper Remote tasks, since that requires us to SSH in to the machines. Everything else is now handled by our daemons and agents, including Self Service policies.

For question 2:
- The local management account is listed in each computer record in the General section as 'Managed: Managed by <management account name>'.
- This is typically created with the QuickAdd package or at imaging time.

As the people above mentioned, having a hidden management account that is solely used for the JSS is a good idea, since you can randomize the password, which lowers the risk of it being compromised. You don't need the password; only the JSS and the computer need to know it.

You could use a policy to run a variation of the following command:

jamf createAccount -username <username> -realname <Real Name> -password <password> -home /private/var/<username> -admin -hiddenUser

Side note: it's very important to specify the username at the end of the home path, otherwise the last directory mentioned, e.g. var, becomes the user's home directory.

Once you have confirmed that all machines have run the policy to create that account, you can view your entire inventory in the JSS and, at the bottom of the page, use the 'Action' button and 'Edit the Management Account Information' to change all machines to the new account.

The startup scripts section in the JSS is just to enable the script at startup; one function of that is to run policies at startup.

You could put a policy set at startup to reset the password, but that might be overkill depending on how often machines restart. I have seen some organizations do this weekly or monthly. Another possible issue with it being a startup policy is whether your computer is connected to the internet prior to login; with laptops it is common that it's not unless it's wired, so that policy wouldn't run. That's why using the recurring check-in trigger would have the highest probability of success.


6 REPLIES

daz_wallace
Contributor III

Hi cpdecker,

I'm not sure if it will help or not, but I have a manual policy on check-in and custom trigger scoped just to the affected Macs. This policy resets the Management password and runs a Recon to ensure the 'new' password is in the JSS.

OK, Casper Recon cannot issue a command, but the client can still phone in for instructions. Or, if you're in front of the device with admin rights, run

sudo jamf policy -trigger [custom trigger here]

after you've added the affected Macs to the policy.

Hope that helps / makes sense. Just having my first coffee!

Darren

jarednichols
Honored Contributor

Security best practice is to use a sub-500 UID for your admin user and spin the password regularly anyway.

daz_wallace
Contributor III

Our standard setups are:

- Use "_jssadm" as the name; it looks like a Mac OS X system account.
- Have a policy to create this in /var/_jssadm with a random password and hide it from the login window.
- Have another policy to change this password to a random one every week / month.

Seems to work pretty well.

Darren
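
The hidden-management-account recipe from mike_paul's accepted solution and daz_wallace's standard setup above, as an added example script that is not from the thread or from Jamf. It generates a random 15-character password, refuses to run unless the home path ends in the username (the pitfall mike_paul points out), and then either runs the `jamf createAccount` command with the flags quoted in the thread or, when no jamf binary is present or it is not running as root, prints a redacted dry run. The account name `_jssadm`, the real name, and the dscl read-back check are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not code from the thread or from Jamf. It scripts the
# "hidden management account" recipe described above: a random 15-character
# password, a home directory that ends in the username (the pitfall mike_paul
# notes), and a -hiddenUser admin account created through "jamf createAccount".
# Assumed: the account name _jssadm, the real name, and that this runs as root
# on an enrolled Mac. Without a jamf binary it only prints a redacted dry run.

set -u

MGMT_USER="${MGMT_USER:-_jssadm}"                # assumed name; looks like a system account
MGMT_REALNAME="${MGMT_REALNAME:-JSS Management}" # assumed
PASSWORD_LENGTH=15

# Random alphanumeric password of the requested length from /dev/urandom.
# Alphanumeric only so it survives being passed on a command line unchanged.
gen_password() {
    local len="${1:-$PASSWORD_LENGTH}"
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
}

# Guard against the thread's pitfall: the last path component must be the
# username, otherwise e.g. /private/var itself becomes the account's home.
home_path_ok() {
    local home="$1" user="$2"
    [ "$(basename "$home")" = "$user" ]
}

# Render the createAccount command line for review / dry run (flags as quoted
# in the thread). Fails, rather than emitting a bad command, if the home path
# does not end in the username.
build_create_cmd() {
    local user="$1" realname="$2" password="$3"
    local home="/private/var/$user"
    home_path_ok "$home" "$user" || return 1
    printf 'jamf createAccount -username "%s" -realname "%s" -password "%s" -home "%s" -admin -hiddenUser\n' \
        "$user" "$realname" "$password" "$home"
}

# Create the account for real, then confirm the home directory landed where
# intended by reading the record back with dscl (assumed check).
create_management_account() {
    local user="$1" realname="$2" password="$3"
    local home="/private/var/$user"
    home_path_ok "$home" "$user" || return 1
    jamf createAccount -username "$user" -realname "$realname" -password "$password" \
        -home "$home" -admin -hiddenUser || return 1
    dscl . -read "/Users/$user" NFSHomeDirectory
}

main() {
    local pw cmd
    pw="$(gen_password "$PASSWORD_LENGTH")"
    cmd="$(build_create_cmd "$MGMT_USER" "$MGMT_REALNAME" "$pw")" || {
        echo "refusing: home path does not end in $MGMT_USER" >&2
        return 1
    }
    if command -v jamf >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        create_management_account "$MGMT_USER" "$MGMT_REALNAME" "$pw"
    else
        # Never log the real password; show only the shape of the command.
        echo "DRY RUN (no jamf binary or not root):"
        echo "$cmd" | sed "s/$pw/<redacted>/"
    fi
}

main
```

Run it as root from a policy to create the account, then switch the management account in the JSS as described in the thread; the password is only ever held by the JSS and the Mac, which is the point of randomizing it. A later rotation policy would use the same `gen_password` and the JSS management account payload rather than re-creating the account.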

cpdecker
Contributor III

I apologize for my late response on this. I want to thank everyone who replied and give special thanks to @mike.paul for the detailed response.

Here is my current plan based on the points made in this thread:

- Use a sudo jamf createAccount script/policy to create a hidden account with a known password on all previously enrolled Macs. This account will be used for management purposes.
- Once all computers have checked in and run that policy/script, use the "Edit management account information" feature from the action button on the inventory search list to change the management account to the new one on all Macs.
- Create a policy to update the management account with a randomized, 15-character password and scope it to all Macs.

Does this appear to be a sound plan? Thanks again for any input!