kc9wwh / macOSUpgrade

Workflow for doing in-place upgrades.
Other
419 stars 102 forks source link

Big Sur upgrade prompting for System Administrator password reset #171

Open joechang222 opened 3 years ago

joechang222 commented 3 years ago

This script is launched in Self Service by the logged in user. However, the first interaction with the upgraded OS the user is prompted to change the password for System Administrator. It appears this only occurs when there is a Maximum Passcode Age set. This is a payload previously set at enrolment time. If this setting is removed the first interaction the user is presented with is simply the logon screen and all is good. Why is there a password reset prompt for System Administrator? Is there a workaround without removing the Maximum Passcode Age setting in the Passcode payload? Is this due to the script running in the root security context?

kc9wwh commented 3 years ago

Hey, @joechang222 I haven't personally seen this but hopefully, someone can respond that has this setup configured.

joechang222 commented 3 years ago

Update: The same thing occurs when I run the startosinstall manually from terminal so it appears to have nothing to do with running in root security context. I ran the installer using: sudo '/Applications../startosinstall' --agreetolicense --forcequitapps --nointeraction The upgrade runs and does its thing but the first interaction is Big Sur prompting to reset the 'System Administrator' password. Prior to upgrade the Mac has Maximum Passcode Age set to 90 days but the actual number doesn't seem to make a difference. If it's set the passcode reset comes up on first sign-in. If Maximum Passcode Age is not set Big Sur simply displays the logon fields for ID and password.

TSPARR commented 3 years ago

This is a Big Sur bug that Jamf is tracking as PI-009097 wherein the Passcode policy profile key, "maxPINAgeInDays", causes the additional admin account to reset its password on first login attempt. The three options that exist to resolve it are essentially:

  1. Uncheck the "Maximum Passcode Age" setting from the profile and log in with the additional admin account, it can be re-added afterwards

  2. Do not use this key in the passcode Configuration Profile

  3. Change the account's password

At least until this is resolved.