Jamf Managed Admin Account prompting to reset password

iamadix
New Contributor

We have a configuration policy that requires all users to set a password. When a user forgets their password, the only option I have is to log in using the JAMF managed admin account to reset the user's password. However, when I attempt to log in with the JAMF-managed admin account, the configuration policy for password reset kicks in, prompting me to change the password upon first-time login. If I change the password, it will become static and will no longer be part of the rotation. What would be the solution to this issue?

3 REPLIES

Gonzalo-Gomez
New Contributor

I haven't tried this myself, and it would probably take some testing, but try going into the configuration profile with the password policy > Scope tab > Exclusions section. There, use the "Directory Service/Local Users" section to exclude the JAMF-managed admin account and see if this works for you.

helen628young
New Contributor

Hello,

1. Use sudo in Recovery or Target Disk Mode (No GUI Login)
   Avoid logging into the account via the GUI. Instead, do the following:
   - Boot into macOS Recovery or connect the machine in Target Disk Mode.
   - Use Terminal and authenticate with the JAMF admin account via sudo.
   - Run a command to reset the user's password: sudo dscl . -passwd /Users/username newpassword
   This method does not trigger the GUI password change policy, thus preserving JAMF's rotation.

2. Use Screen Sharing or SSH (Remote Access Only)
   - Enable Remote Login (SSH) or Screen Sharing on devices.
   - Connect using: ssh admin@hostname
   - Once connected, reset the user's password from the command line as above.
   This avoids GUI login and keeps the password rotation working.
   Note: Ensure SSH is enabled in your configuration profiles or prestage settings.

3. Use JAMF Policy with "Reset Local Account Password" Payload
   Create a Self Service policy or on-demand JAMF policy that allows IT to reset a user's password remotely:
   - Scope to your IT team or specific device.
   - No login required on the device.
   This avoids using the local admin account altogether.

4. Create a Second Admin Account (Manual/Non-Rotating) for Emergency Access
   - Create a separate local admin account not subject to the password rotation or policy that forces a change on login.
   - Use this account only when GUI login is necessary.
   - Keep this account well-protected and documented for emergency use only.

Best Regards,

Helen


junjishimazaki
Valued Contributor

I'm assuming these user accounts are local and the Macs are not domain-bound or managed by a directory. If that is the case, then the easiest way to reset a local user account password is to boot the Mac into Recovery mode; if you enforce FileVault, select the Forget all Passwords option, enter (or have the user provide) the FileVault key, select the account you want to reset, and the user can then enter a new password. Once completed, they reboot and log in with the new password. I do this at my org and have never had any issues.