Thanks in advance for any help with this issue.
A user with administrator rights changed our local management account password on a MacBook Air. I have it straightened out by using that user's account to reset the management account password to what it should be. However, in the future I would like to have this problem taken care of remotely. My first thought was to use Casper Remote to reset the password, but it turns out it can't connect because it no longer has the password for the local management account it connects to via SSH. Then I thought to try creating a policy to execute that will reset the password, but it fails with "Error: This is the Remote Management Account for this computer. Please reset the password using the SSH Account section." when I use "sudo jamf policy".

1. What can I do to remotely reset the local management account password without knowing what that password is, whether I can do it right now or if I need to do something different with future deployments?
2. Is the local management account setting stored in the JSS somewhere or does it use whatever account is used to add it to the JSS using QuickAdd.pkg?

I have noticed there is a startup script section in the web interface, but it looks limited and doesn't seem capable of the same things a policy is. I guess my thought was to have the password reset to what it should be every time the computer is powered on somehow, if we can't access it remotely in any way.

Just to chime in with a few verbose pieces of information about your questions and goal.
For question 1 (remotely reset management account):

If you create a policy to reset the management account (to a specific or random password) it will do this even if the password differs on the machine than what is stored in the JSS since the policy is kicked off via the launchDaemon and is running as ROOT. So set it to recurring check-in and the next time the machine checks in, it will get its management account password changed regardless of what is currently on the machine.

Side note: As of 9.23 we only use the management account for Casper Remote tasks since that requires us to SSH in to the machines. Everything else now is handled by our daemons and agents, including Self Service policies.

The local management account is listed in each computer record in the General section as ‘Managed: Managed by ’ This is typically created with the quickadd package or at imaging time.
As the people above mentioned, having a hidden management account that is solely used for the JSS is a good idea since you can randomize the password so that drops the risk of it being compromised. You don't need the password, only the JSS and computer need to know it.

You could use a policy to run a variation of the following command:

jamf createAccount -username -realname -password -home /private/var/ -admin -hiddenUser

Side note: it's very important to specify the username at the end of the home path otherwise the last directory mentioned, e.g.

Once confirmed that all machines have run the policy to create that account you can view your entire inventory in the JSS and at the bottom of the page use the ‘Action’ button and ‘Edit the Management Account Information’ to change all machines to the new account.

The startup scripts section in the JSS is just to enable the script at startup, one functionality of that is to run policies at startup.