Skip to main content

Log in at Jamf Connect login window if password was forgotten and reset in the identity provider

Updated over a month ago

Description

Ideally passwords should be changed from the Jamf Connect Menu Bar app (or Self Service+ for version 3.0 or later). If a password is changed directly in the Identity Provider and NOT synced with Jamf Connect, the previous password will still be the local account password on the computer.

If the old local password has been completely forgotten and cannot be provided at the Jamf Connect Login window for the password sync, we will need to use standard macOS workflows to regain access to the computer. The workflow differs depending on whether the machine is encrypted with FileVault.

Log in if FileVault is not Enabled

For computers that are not FileVault-encrypted, reset the user's local password with a Jamf Pro policy that leverages the Local Accounts payload.

This only works for user accounts that do not have a Secure Token.

  1. In Jamf Pro, create a new policy by going to Computers > Policies > New.

  2. Configure the General payload with:

    1. a display name.

    2. Set the trigger to "Recurring Checkin" and the frequency to "Once per computer."

  3. Configure the Local Accounts payload.

    1. Select the Reset Password button.

    2. Enter the username and new password.

  4. Click Scope and scope the policy to the affected computer.

  5. Click Save.

  6. After the policy runs, verify the user can log in with the new password.


Log in if FileVault is Enabled

For computers that are FileVault encrypted and the personal recovery key is known or escrowed in Jamf Pro, use the personal recovery key to reset the password.

  1. Disable the Jamf Connect Login window in Terminal, via SSH, or via Jamf Pro policy by running the following command: /usr/local/bin/authchanger -reset

  2. After Jamf Connect Login is disabled, reload the login window to bring up the native macOS screen.

  3. Gather the FileVault key from Jamf and follow the steps in the following article to reset the password: https://support.apple.com/en-us/HT202860

If Jamf Connect is unable to be disabled through this process, you can also reset the authorization database in Recovery Mode which will default the Login Window to the native macOS screen. For more information see Editing the macOS loginwindow Application.



Related Articles
authchanger and Jamf Connect
FileVault Behavior with Jamf Connect
Enabling FileVault via Configuration Profile with Jamf Pro
How to Reset Passwords with the FileVault Recovery Key in Jamf Pro
Disable Jamf Connect Login Using Single User Mode or Recovery
Did this answer your question?