Remote reset of user passwords on 10.14.4, broken?

vanschip-gerard
Contributor

I created a profile that would lock a user account after x amount of failed password attempts, then tested it and got nicely locked out. I received a msg to contact the sysadmin, which is me, so I looked at how to unlock the account but could not find anything in Jamf Cloud or Remote. I did see a password reset option, so I tried that, but that fails, both via Cloud as a policy and via Remote.

The management password was set to random, so I thought I would reset that so at least I could dive in via the hidden jamf-admin account, but that also fails.

I'm confused now. Does local account password resetting work via Jamf or is that broken in 10.14.4? Not just changing passwords, creating a brand new account will also fail.

4 REPLIES

vanschip-gerard
Contributor

Update. AD binding was enabled, so I decided to log on via an AD account so I can at least see what's going on. It seems Jamf DOES create the accounts, but the passwords I set in Jamf do not work. I even have a password that was just TEST and that still does not work.

vanschip-gerard
Contributor

Checking the jamf.log, I see that it runs the policy but it fails at resetting the password. Strangely enough, I am able to create a new user.

larry_barrett
Valued Contributor

Part of the problem of setting a lockout policy for that user is they are already locked out. That's what the password is for.

We just reset our passwords through AD if it comes up. You're adding an extra step (and extra work for yourself). You don't make new accounts in Jamf, you do it in Active Directory.

Best advice: In Prestage Enrollment, set up an account for Administration and keep it hidden. Prestage Enrollment -> Options -> Account Settings. Stop with this local account nonsense.

vanschip-gerard
Contributor

Thanks for the helpful local account nonsense comment, @larry_barrett. Sometimes you have certain restrictions to work with or around. In my case, a much larger organization that insisted on renting machines from their preferred supplier, resulting in machines NOT being available for DEP enrolments, plus network restrictions that block access to Jamf at the first stage. Things are changing, but changes are slow, and for now I need a local account that I can change the password for.

I have emailed with Jamf Support and they are aware of the problem, which is due to changes from Apple's side. They are working on it.