
Changing Password on a Mac on an Active Directory Network with Sophos / FileVault installed

I just deployed a new MacBook Pro to a user that didn't have a password change requirement. So I turned on the 90-day button and then asked the user to change his Mac password. It seemed rather difficult to get done correctly and I'm not sure the password propagated down to the FileVault pre-boot screen.

Is there a particular method that works best with Macs / FileVault / Sophos / Active Directory ?



This thread was automatically locked due to age.
  • FormerMember

    Hey Adam,

    There are several improvements done with SGN 7, which are related to the user's password within the keychain.
    Due to this, we highly recommend updating the environment and using SGN 7.

    It's best to reset the password via Account Preferences; resetting a user password without using Account Preferences (for example, resetting the password via Active Directory) leads to problems described in OS X Support KBA TS5362. As long as you do not apply the solution mentioned in the OS X Support KBA, you will not be able to read encrypted files and will get errors like "A keychain cannot be found to store KEK".

    To solve the issue, you need to do the following:

    1. In the SafeGuard Management Center, the certificate for the user also needs to be removed
    2. Log in with the new password
    3. The user is asked to change their password
    4. They will be asked to create a new keychain or update their keychain
    5. Select "Create New Keychain"
    6. Delete or rename keyring.plist from /var/sg/config/Users/username. Sudo rights are needed
    7. Enter the new password to request a new certificate. A new keyring.plist will be created for the user
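
Step 6 of the reply above, as an added shell example that is not part of the original reply or of Sophos tooling: it renames keyring.plist instead of deleting it, so the old file can be restored if the certificate request in step 7 fails. The function name `sg_backup_keyring`, the `SG_USERS_DIR` override and the `.bak.<timestamp>` suffix are assumptions made here; only the path and file name come from the reply.

```shell
#!/bin/sh
# Added example (not Sophos tooling): rename a user's SafeGuard keyring.plist
# so the change can be rolled back. Needs root (sudo) on the real path.
# SG_USERS_DIR is a hypothetical override so the function can be tried on a
# scratch directory; the default is the path given in the reply.
# Call as: sg_backup_keyring <username>

sg_backup_keyring() {
    user=$1
    base=${SG_USERS_DIR:-/var/sg/config/Users}

    # Reject empty names and anything that could escape the per-user directory.
    case $user in
        ''|.|..|*/*) echo "invalid user name: '$user'" >&2; return 2 ;;
    esac

    src=$base/$user/keyring.plist

    # Only act on a regular file; a symlink here is unexpected, so refuse it.
    if [ ! -f "$src" ] || [ -L "$src" ]; then
        echo "no regular keyring.plist at $src" >&2
        return 1
    fi

    # Timestamped suffix (assumed naming) keeps any earlier backups intact.
    dst=$src.bak.$(date +%Y%m%d%H%M%S)
    if [ -e "$dst" ]; then
        echo "backup already exists: $dst" >&2
        return 1
    fi

    mv -- "$src" "$dst" || return 1

    # Print the backup path so it can be logged or restored later.
    printf '%s\n' "$dst"
}
```

To roll back, move the printed backup file back to keyring.plist in the same directory before the user logs in again.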
