Resetting the password in Recovery Mode resolves a few scenarios, but the primary reason we suggest this workflow is when a user is unable to decrypt FileVault and log in with a known-good password.
If that is the problem you are addressing, please first have the user try an older password. FileVault will only accept the SecureToken password, and if the user's password was reset improperly, the new password will not be registered with SecureToken. Upon resetting the password in Recovery Mode, the user will be granted a SecureToken.
If the older password doesn't work, continue with the following steps, which require booting into Recovery Mode. There are two options for Step 3:
- Option A: Use a known Admin user password (the admin can be deployed via OS Users, created via GoLive > Users, or prompted via TempAdmin, but the account must have signed in to the device at least once).
- Option B: Reset and change all the passwords on the device without needing Admin credentials (this means you will also set the password for any admins on the device).
For the following instructions, complete Step 3 Option A or Step 3 Option B, not both.
Step 1: Boot into Recovery Mode
Turn off the device in question and follow the steps below. Be sure to follow the steps relevant to this device's processor type.
Macs with Intel Processors
- Press the power button on the device.
- Immediately press and hold Command + R until the recovery screen appears.
Macs with Apple Silicon
- Press and hold the power button until you see a screen with the system volume and the options button.
- Select "Options" and click Continue.
Step 2: Reset password
Once the device boots into Recovery Mode, open Terminal from the Utilities dropdown, type resetpassword, and press Enter. Then click the window behind the Terminal window.
Step 3: Option A
Select the temporary Admin user you know the password for, enter the password, and click Continue. Now select the user whose password you'd like to change and click Next. Enter the new password, click Next, and then click Restart.
Step 3: Option B
IMPORTANT: This option requires you to reset all passwords, not just one. If you do not reset all passwords, the password resets performed will not apply upon reboot and may result in a locked device.
Click Forgot all Passwords. If the device has an Apple Account signed in or is using an Apple Silicon chip, you will be presented with steps to deactivate the Mac. If the device is not already connected to Wi-Fi, use the Wi-Fi icon in the top right to connect. Click Deactivate Mac, then click Deactivate to confirm. If you see an Activation Lock window, enter your Apple Account information, then click Next.
Now, you must set a password for every single user. Be sure to make a note of the password you set for each user. If needed, the other passwords can be set as something temporary and reset via GoLive. Then click Restart.