Initial Password Reset with Secure Token Not Working

[GabrielKemp]

I am trying to reset the password on a Secure Token enabled Admin account. I have tried passing the argument with -firstPass within the script, within a local command, and within a profile via Jamf and none of them work. I get the below output every time. This happens on half of my devices.

Script result: Info|2023-06-05 11:10:23|macosLAPS|the -firstPass argument was invoked. Using the Configuration Profile specified password or the argument password that was specified. Info|2023-06-05 11:10:23|macosLAPS|The local admin: Admin has been detected to have a secureToken. Performing secure password change... Info|2023-06-05 11:10:23|macosLAPS|Performing first password change using FirstPass key from configuration profile or string command line argument specified. Error|2023-06-05 11:10:24|macosLAPS|Unable to change password for local administrator Admin using FirstPassword Key.

[crsleeth]

I am also seeing this both when I provide firstPass via config profile and when it is provided as an argument at command line manually. The workaround I have is to create a second local admin account, delete the first, recreate the first. Only then does macOSLAPS accept the password provided. My guess is that the initial user account created on the Mac is in some weird state when first setup and is causing this.

Only seeing this issue on some Macs like GabrielKemp said. I have not tested it thoroughly but the difference may be Macs 'fresh from the factory' vs. Macs that have been wiped and re-setup.

[joshua-d-miller]

Interesting. It seems this is happening when a new macOS device is arriving and going through ADE for the first time. How are you creating your local administrator account used with LAPS?

[crsleeth]

Not sure about the original poster but I do not utilize ADE. Macs are enrolled via user enrollment manually--the first account created via Setup Assistant is the macOSLAPS one. I guess I could create it later, but I don't have a need for more than one local admin.

[joshua-d-miller]

Is this account a volume owner or have a secureToken?

[crsleeth]

Both. If I can reliably reproduce the issue I will contact you via Macadmins Slack but it may be a few weeks.

[joshua-d-miller]

That's quite alright. Happy to leave this open 👍

[davisbr1]

I'm experiencing this issue as well. I have a fresh VM with a local admin account configured through Setup Assistant. It's enrolled in our Jamf instance, not using ADE. I can run macOSLAPS with the firstPass argument, but isn't able to set the password. When I include firstPass in a profile and then attempt to reset the password, macOSLAPS is able to complete the reset.

[joshua-d-miller]

@davisbr1 you mention Jamf. I'm curious if you might have Jamf LAPS enabled which would take control of the account. I don't believe Jamf's implementation is selective and is an all or nothing checkbox.

[davisbr1]

Jamf LAPS is not enabled.

[joshua-d-miller]

Ok so the account has secureToken but is not able to rotate the password. According to your error log above it appears that it's trying to use the FirstPass key set or you are specifying it during the run which may not be the correct password.