Managed mobile accounts are not syncing AD password changes

Number: rdar://47134616
Date Originated: 1/8/2019
Status: Closed
Resolved: Yes
Product: macOS
Product Version: 10.14
Classification: Something not on this list
Reproducible: Yes

Summary: If you change your managed mobile password in AD (or, in our case, at an external intranet site), we can use the new password while on the network connected to AD, but once off the network, using the cached mobile account, it still uses the old password. FV is also not updated by the keychain update prompt. They never pick up the password change. We can use methods to update FV to the current AD password but haven't found a solution for the managed mobile account. This appears to be some sort of keychain bug, or perhaps a macOS service that interacts with it.

Steps to Reproduce:
Bind the computer to AD and set up a managed mobile account. Change the password in AD. Log out while on the network with AD. Log back in with the new AD password and update your keychain password. Then log out and disconnect from the AD network. Your login will take the old password and prompt you to update the keychain back to the old AD password.

Expected Results: When the AD password is changed, the network account, managed mobile account, and FV should be synced once you log in with the new/updated AD password and follow the prompt to update the keychain.

Actual Results: The managed mobile profile is out of sync with AD.

Version/Build: 10.14.1 or 10.14.2

Configuration: macOS bound to Windows Active Directory using the native macOS interface/services.
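A diagnostic script, added here and not part of the radar or of Apple's tooling, to check whether the locally cached mobile-account credential still matches the current AD password, which is the condition the steps above reproduce. It assumes the bound AD node is one of those listed by `dscl localhost -list "/Active Directory"` (the `EXAMPLE` domain, and the `AD_USER`/`AD_NODE` variables, are placeholders), authenticates with `dscl -authonly` against the local node and the AD node, and maps the two local results to a verdict in `classify_cache`.

```shell
#!/bin/bash
# Added diagnostic for the cached-credential mismatch described in the report.
# Assumptions (placeholders, adjust to your environment):
#   AD_USER - short name of the managed mobile account (environment variable)
#   AD_NODE - the bound AD node, e.g. "/Active Directory/EXAMPLE/All Domains";
#             find yours with: dscl localhost -list "/Active Directory"
# Passwords are read with `read -s` so they stay out of shell history.

# Map the two LOCAL authentication results to a verdict.
# $1: exit status of dscl -authonly on /Local/Default with the NEW password
# $2: exit status of dscl -authonly on /Local/Default with the OLD password
classify_cache() {
  if [ "$1" -eq 0 ]; then
    echo "in-sync"          # cached credential already equals the new AD password
  elif [ "$2" -eq 0 ]; then
    echo "stale-cache"      # the report's bug: only the OLD password works locally
  else
    echo "no-local-match"   # neither works: typo, or account not cached locally
  fi
}

# Attempt one authentication against a directory node; print its exit status.
# $1: node path, $2: user, $3: password
try_auth() {
  if dscl "$1" -authonly "$2" "$3" >/dev/null 2>&1; then
    echo 0
  else
    echo $?
  fi
}

# Compare the local (cached mobile) credential with AD for one user.
# $1: user, $2: AD node, $3: new password, $4: old password
check_user() {
  local local_new local_old ad_new
  local_new=$(try_auth /Local/Default "$1" "$3")
  local_old=$(try_auth /Local/Default "$1" "$4")
  ad_new=$(try_auth "$2" "$1" "$3")
  if [ "$ad_new" -eq 0 ]; then
    echo "AD accepts the new password (AD reachable)"
  else
    echo "AD rejected the new password or is unreachable (status $ad_new)"
  fi
  echo "cached mobile account: $(classify_cache "$local_new" "$local_old")"
}

# Only run interactively on a Mac that has dscl and an AD_USER set.
if [ -n "${AD_USER:-}" ] && command -v dscl >/dev/null 2>&1; then
  printf 'New AD password: '; read -r -s NEW_PW; echo
  printf 'Old AD password: '; read -r -s OLD_PW; echo
  check_user "$AD_USER" "${AD_NODE:-/Active Directory/EXAMPLE/All Domains}" "$NEW_PW" "$OLD_PW"
  # FileVault side: which users can currently unlock the disk
  fdesetup list 2>/dev/null || true
fi
```

Run it once on the AD network and once disconnected; a `stale-cache` verdict while offline, after `in-sync` online, is the behaviour the report describes. Note that `dscl -authonly` takes the password as an argument, so it is briefly visible in the process list while `dscl` runs; for a one-off manual check you can omit the third argument and let `dscl` prompt for it instead.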


The fix for this issue is available on macOS Mojave 10.14.4 beta 3 (build 18E194d)

By lmeinecke256 at March 6, 2019, 12:09 a.m.
