joshua-d-miller / macOSLAPS

Swift binary that will change a local administrator password to a randomly generated password. Similar behavior to LAPS for Windows.
MIT License

'Unable to perform the first password change for secureToken admin account <admin>.' #68

Closed ClarkRSD closed 1 year ago

ClarkRSD commented 2 years ago

Hey there,

I'm having an issue on Monterey where on a fresh install of macOSLAPS and deploying out via InTune it will not run the first password change. I can't seem to find any rhyme or reason as to why.

I've deployed a configuration profile that contains everything required for an AD method. I've even gone to the extent of specifying every single parameter with something in there so that I can at least see how or if it works.

These are brand new 2021 MacBook Pros. I don't know that it matters since the wiki didn't seem to indicate it would be an issue on M1s.

Attached is my array of my configuration profile just in case I'm missing something as well as my log. Whenever it does start working and generates a password, it works perfectly and writes to AD correctly. It's just getting to the point where it will actually generate a password that is being difficult for me. The configuration profile shows up in profiles and all of the fields are populated correctly. I have InTune configured to run everything as root and set up a shell script that simply just runs the command line portion every hour to get around the issue of LaunchDaemons not working on existing users.

Looking inside of /Library/Managed Preferences/ it seems to be generating the plist file correctly as well.

I put <admin> in place of our local admin string. Just as a disclaimer as well, I'm a mac admin newbie still so there could be something fairly straightforward I'm missing here.

    <array>
        <dict>
            <key>DaysTillExpiration</key>
            <integer>30</integer>
            <key>FirstPass</key>
            <string>PASSWORD123</string>
            <key>LocalAdminAccount</key>
            <string><admin></string>
            <key>Method</key>
            <string>AD</string>
            <key>PasswordLength</key>
            <integer>14</integer>
            <key>PayloadDisplayName</key>
            <string>macOS LAPS</string>
            <key>PayloadIdentifier</key>
            <string>edu.psu.macoslaps.cefc01f2-1273-4e1e-9b19-ab70fb386fdd</string>
            <key>PayloadType</key>
            <string>edu.psu.macoslaps</string>
            <key>PayloadUUID</key>
            <string>5902db4d-047c-4d8b-9f33-5dfaa5b237bc</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PreferredDC</key>
            <string>dc04</string>
        </dict>
    </array>

    Info|2022-02-11 08:45:50|macOSLAPS|Password Change is required as the LAPS password for , has expired
    Info|2022-02-11 08:45:51|macOSLAPS|The local admin: has been detected to have a secureToken. Performing secure password change...
    Info|2022-02-11 08:45:51|macOSLAPS-repair|macOSLAPS is running. Performing keychain repair
    Error|2022-02-11 08:45:51|macOSLAPS-repair|Unable to retrieve the password from keychain using the repair utility. You can try running macOSLAPS regulary with a password rotation to ensure that we have access to the keychain entry otherwise please use the sysadminctl command to reset the password for the LAPS account to the FirstPass attribute from the configuration and run macOSLAPS again!
    Info|2022-02-11 08:45:51|macOSLAPS|Performing first password change using FirstPass attribute from configuration.
    Debug|2022-02-11 08:45:51|macOSLAPS|Unable to perform the first password change for secureToken admin account .

ClarkRSD commented 2 years ago

I've done some more troubleshooting and if I locally install the configuration profile it works normally, so it's definitely an issue from InTune. Any ideas on what I can try?

joshua-d-miller commented 2 years ago

I noticed that your LocalAdminAccount key has <admin>. Is that the actual name of your admin account or is it just admin?

ClarkRSD commented 2 years ago

It's just a placeholder. It's a plaintext string in the actual profile for the username with no symbols.

joshua-d-miller commented 2 years ago

The screenshot you posted above, is that from a profile or the file currently present in /Library/Managed Preferences? If the second, you would need to change your PLIST file to look like this:

<dict>
    <key>DaysTillExpiration</key>
    <integer>30</integer>
    <key>FirstPass</key>
    <string>PASSWORD123</string>
    <key>LocalAdminAccount</key>
    <string><admin></string>
    <key>Method</key>
    <string>AD</string>
    <key>PasswordLength</key>
    <integer>14</integer>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PreferredDC</key>
    <string>dc04</string>
</dict>

It looks like a profile to me but I thought I would double check.
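As an added check for the distinction raised here (this is example code, not part of macOSLAPS or this thread), the script below parses a plist with `plistlib`, reports whether it is the profile-style payload array the issue pasted or the flat dict that the managed-preference file needs, flags profile wrapper keys and a placeholder account name, and type-checks the keys shown above. The account name `ladmin` in the constructed sample is an assumption.

```python
import plistlib

# Keys macOSLAPS reads, with the value types used in the profile posted above.
LAPS_KEYS = {"DaysTillExpiration": int, "FirstPass": str, "LocalAdminAccount": str,
             "Method": str, "PasswordLength": int, "PreferredDC": str}
# Keys that belong to the profile wrapper, not to the managed-preference file.
PAYLOAD_KEYS = {"PayloadDisplayName", "PayloadIdentifier", "PayloadType", "PayloadUUID"}


def check_settings(data):
    """Return (settings, problems) for a parsed plist that is either the flat
    dict expected under /Library/Managed Preferences or a profile payload array."""
    problems = []
    if isinstance(data, list):
        # The issue pasted the profile's <array> of payload dicts; the managed
        # preference file must contain the inner dict on its own.
        problems.append("top level is a payload array, not a flat preference dict")
        data = next((d for d in data if isinstance(d, dict)), {})
    if not isinstance(data, dict):
        return {}, problems + ["top level is not a dict"]
    wrapper = sorted(PAYLOAD_KEYS & set(data))
    if wrapper:
        problems.append("profile wrapper keys present: " + ", ".join(wrapper))
    settings = {}
    for key, typ in LAPS_KEYS.items():
        if key not in data:
            problems.append(f"missing {key}")
        elif type(data[key]) is not typ:
            problems.append(f"{key} must be {typ.__name__}, got {type(data[key]).__name__}")
        else:
            settings[key] = data[key]
    if settings.get("Method") not in (None, "AD", "Local"):
        problems.append("Method must be AD or Local")
    admin = settings.get("LocalAdminAccount", "")
    if not admin or admin.startswith("<"):
        problems.append("LocalAdminAccount is empty or still a placeholder")
    return settings, problems


def check_plist(raw):
    """Parse raw plist bytes (XML or binary) and run check_settings on them."""
    return check_settings(plistlib.loads(raw))


# Constructed sample: the profile-style array from the issue, with a made-up
# account name (assumption) in place of the poster's real admin account.
PROFILE_STYLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><array><dict>
<key>DaysTillExpiration</key><integer>30</integer>
<key>FirstPass</key><string>PASSWORD123</string>
<key>LocalAdminAccount</key><string>ladmin</string>
<key>Method</key><string>AD</string>
<key>PasswordLength</key><integer>14</integer>
<key>PayloadType</key><string>edu.psu.macoslaps</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PreferredDC</key><string>dc04</string>
</dict></array></plist>"""

if __name__ == "__main__":
    for problem in check_plist(PROFILE_STYLE)[1]:
        print("problem:", problem)
```

On a Mac the same check can be pointed at the real file by reading `/Library/Managed Preferences/edu.psu.macoslaps.plist` into `check_plist`.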

ClarkRSD commented 2 years ago

That's a copy paste from the configuration profile.

joshua-d-miller commented 2 years ago

So judging by your output it looks like a password is present in the keychain that macOSLAPS is unable to read. This might be residual if you were using this product before I left Penn State. PSU unfortunately revoked my signing certificate which broke the ability for macOSLAPS to access keychain items that were made when it was signed by that certificate. If you can remove the keychain entry and use the FirstPass (Needs to be the password to the account) it should work. Let me know if that is helpful.

wakco commented 2 years ago

This is actually a known issue with macOS since Big Sur, and not an issue macOSLAPS should be fixing. When there is only one admin account with a secureToken, that account's password cannot be changed until there is a second admin account in place with a secureToken.

The fix is to have a second admin account with a secureToken, with Jamf having its own management admin account, I found it was simple to make sure that admin account has a secureToken. Jamf has its own built-in method for randomising the password of its management password, where a policy can then reset it periodically, however I do not know if InTune has anything equivalent, so it might be useful if macOSLAPS could be used on a second account.

ClarkRSD commented 2 years ago

I'm sure it's possible to make something in a shell script to do that with InTune, but that's the only automated functionality it offers when it comes to macOS and I don't know how to make them yet. Been busy with other work duties :(

I will test this out with a Mac that has two admin accounts on it since we typically only use a single admin account.

Regarding the keychain issue Joshua, I just picked up the product about a month and a half ago so I don't believe that would be the case. Regardless, I will keep looking for things and if I find more, I'll update everyone. If I take a freshly set up Mac and push out macOSLAPS and the configuration profile to it, it just doesn't want to reset on its own. The application files are there as far as I'm aware but it just won't update until I manually populate the configuration profile.

I had an issue with macOS and InTune not too long ago where InTune has some funky permissions with macOS and I found a workaround for it that I didn't apply to our macOSLAPS deployment, so I'm going to start there and see where it gets me.

joshua-d-miller commented 1 year ago

There was an issue where the password would not change automatically when using the Local method. This has been corrected in the 3.0.2 release of macOSLAPS. This may solve your issue, or it may not, as there appears to be another issue with InTune itself.