Management Accounts
You can use a policy to administer the management account.
Using a policy to administer the management account allows you to do the following:
- Change the account password—This option changes the management account's password, as well as the account's login keychain password and FileVault password. It is recommended that you use this option if the management account's login keychain password matches the account password stored in Jamf Pro.
- Reset the account password—This option only changes the management account's password. This option does not change the management account's login keychain password or FileVault password. For computers with macOS 10.14 or later, you must disable the management account SecureToken to reset the password. For more information on SecureToken, see Using SecureToken in Apple's Deployment Reference for Mac.
  Note: If the management account's login keychain password does not match the account password stored in Jamf Pro, you must use the Reset Account Password option when administering the management account using a policy or the policy will fail.
- Enable the user for FileVault
  Note: For computers with macOS 10.13 or later, the computer must have a valid personal (also known as "individual") recovery key that matches the recovery key escrowed in Jamf Pro.
- Disable the user for FileVault
Important: When configuring the management account password settings, selecting the "Randomly generate new password" option for maximum security is recommended.
Administering the Management Account Using a Policy
You can change or reset the management account password using a policy. You can also enable or disable the management account for FileVault.
- Log in to Jamf Pro.
- Click the Computers tab at the top of the page.
- Click Policies.
- Click New.
- Use the General payload to configure basic settings for the policy, including the trigger and execution frequency.
- Select the Management Account payload and select an action using the options on the pane.
  Important: When configuring the management account password settings, selecting the "Randomly generate new password" option for maximum security is recommended.
- Use the Restart Options payload to configure settings for restarting computers.
- Click the Scope tab and configure the scope of the policy.
- (Optional) Click the Self Service tab and make the policy available in Self Service.
- (Optional) Click the User Interaction tab and configure messaging and deferral options.
- Click Save.
The policy runs on computers in the scope the next time they check in with Jamf Pro and meet the criteria in the General payload.
Related Information
For related information, see the following sections in this guide:
- About Policies
  Learn the basics about policies.
- Policy Management
  Find out how to create a policy, view the plan and status of a policy, and view and flush policy logs.
- Computer Enrollment Methods
  Find out how to create the management account and what tasks the management account performs.