In normal usage, users enrolled with TruU should be able to complete their daily tasks using the PIN they created as part of enrollment. If the user needs to change their PIN, the recommended method is via the “Change PIN…” option in the TruU menu. If a user forgets their PIN, it is necessary to change the underlying Open Directory password for the user. This will un-enroll the user from TruU, and allow them to enroll again and set a new PIN. Below are the steps to follow to change the user’s Open Directory password and prepare the system for a new enrollment.

Remove Password Policy if Configured

You will need to SSH in or log in to an admin account. Follow these steps to clear TruU’s password policy. (This is now an optional flag in the config file: `odPwdChangeAllowed`. If you have this flag set to true, or the flag is missing entirely, you can skip this step.) NOTE: TruU’s password policies are set per user.
  1. Get the user’s account policies (username is the user’s short name for their local Mac account): `sudo pwpolicy -u username -getaccountpolicies`
  2. Clear the user’s account policies: `sudo pwpolicy -u username -clearaccountpolicies`
  3. Clear global deprecated account policies (sometimes set by third parties): `sudo pwpolicy -clearaccountpolicies`

Reset the User’s Password (within an admin session or ssh):

You will need to SSH in or log in to an admin account. NOTE: The dash before setpassword is required for the command to run successfully.
`pwpolicy -u {shortusername} -setpassword`

`Setting password for {shortusername}`

`Enter new password for {shortusername}: ******`

`Verify new password: ******`

`Password for authenticator adminuser: *********`

After resetting the user’s password, the user will be unenrolled.
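
The admin-side steps above as a dry-run planner, an added example that is not TruU's own tooling: it rejects a short name that pwpolicy could parse as an option, applies the odPwdChangeAllowed skip rule, and prints the commands without running them. The function names, the accepted character set, and passing the flag value as an argument are assumptions.

```shell
#!/bin/sh
# Added example, not TruU tooling. Prints the commands for one user; runs nothing.
# Assumption: the caller supplies the odPwdChangeAllowed value read from the
# TruU config file: "true", "false", or "" when the flag is missing.

# Accept only conservative short names so that a value such as
# "-clearaccountpolicies" can never reach pwpolicy as an option.
# The allowed character set is an assumption for this example.
valid_shortname() {
    case "$1" in
        ''|-*|.*) return 1 ;;            # empty, option-like, or dot-leading
        *[!A-Za-z0-9._-]*) return 1 ;;   # whitespace, quotes, shell metacharacters
    esac
    return 0
}

# Per the page: the policy step can be skipped when the flag is true or missing.
# Any other value is treated as "policy must be cleared".
policy_clear_needed() {
    case "$1" in
        ''|true) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the commands in the order the page gives them, one per line.
plan_reset() {
    user=$1
    flag=${2-}
    if ! valid_shortname "$user"; then
        echo "refusing short name: $user" >&2
        return 2
    fi
    if policy_clear_needed "$flag"; then
        echo "sudo pwpolicy -u $user -getaccountpolicies"
        echo "sudo pwpolicy -u $user -clearaccountpolicies"
        echo "sudo pwpolicy -clearaccountpolicies"
    fi
    echo "pwpolicy -u $user -setpassword"
}

# Stand-alone use: sh plan_reset.sh <shortname> [true|false]
if [ "$#" -gt 0 ]; then
    plan_reset "$1" "${2-}"
fi
```

Review the printed plan, then run the commands by hand in the admin session; `-setpassword` prompts interactively, so the new password never appears in the plan or in shell history.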

Syncing Keychain to the Newly Set Password

After resetting the user’s password, the keychain password will be out of sync. To get the login password and keychain password back in sync, perform one of the following options:
  • Log out and then log in to the user account using the new password
  • Restart the Mac and log in to the user account using the new password

Resetting the Password if the System Has Been Restarted

A FileVault or iCloud FileVault recovery key is needed. The user’s password can be reset in recovery mode.

Intel Macs

  1. Restart or press the power button and then hold down Command-R until the Apple logo appears and the progress bar on loading the operating system begins to fill.
  2. When the macOS Recovery screen appears, choose Utilities > Terminal.
  3. Enter the text resetpassword and press return.
  4. macOS Recovery launches the special Reset Password assistant. Select the option, “My password doesn’t work when logging in” and click Next, then follow the remaining steps.

Apple Silicon Macs

  1. Shut down the Mac if active.
  2. Hold down the power button to start up and continue holding it until you see the message “Loading startup options.” That takes about 10 seconds.
  3. Release the power button and then click the Options icon.
  4. If presented with a list of accounts you can use to log in to access macOS Recovery, click “Forgot all passwords?”
  5. When the macOS Recovery screen appears, choose Utilities > Terminal. Enter the text resetpassword and press return.
  6. macOS Recovery launches the special Reset Password assistant. Select the option “My password doesn’t work when logging in” and click Next, then follow the remaining steps.

Unlocking Keychain

After resetting the user’s password, whether via an admin account or via recovery mode, it is necessary to unlock the user’s keychain. This will enable apps to read data they have stored in the keychain, and it will allow TruU to store the necessary items when the user enrolls. To unlock the keychain:
  1. Launch the Keychain Access app. This can be found by searching using Spotlight for “Keychain Access”, or by navigating to /System/Library/CoreServices/Applications.
  2. There may be a prompt to choose between the Passwords app and the Keychain Access app. Choose Keychain Access.
  3. The user will be prompted to enter a password (use the new password created during the password reset) or to authenticate with Touch ID if it had been previously set up. Enter the password or authenticate using Touch ID.
  4. After successfully authenticating, quit the Keychain Access app. Authenticating will unlock the keychain.

Enroll with TruU

The user should now be able to complete the enrollment process with TruU and create a new PIN.