Yes, Passwords suck.
Two-factor authentication really helps, but we’re still using passwords
for everything. And now they have to be complex:
8 characters, mixed case, alphanumeric… pretty soon it will require Cyrillic
characters and a blood test. But what
happens when one of your Super Users or Administrators forgets?
We gotcha covered…
So some of you might be under the impression that the
usernames in the MAX RM dashboard only need to be in the format of an email address and not actually a real email
address. While I don’t know how anyone would have ever gotten the idea that
these usernames wouldn’t be used for anything else … OK. So it was me. I’m
sorry. I used to say that in our Tech Walks; it was true then. Things change, y’know? Mea culpa.
Usernames in the RM dashboard should now all be valid
email addresses for actual human beings that will log on to the
dashboard. The mechanism for resetting a
user password entails sending an email message to the user, and the dashboard
confirms the username prior to doing so.
You can see details about the Password Reset steps on
MAXStatus release notes.
A couple of items should be known about this mechanism.
- This password change goes along with an Agent: version 9.8.3 has added functionality that is quite important.
- You can now change the password of the Primary Access Key. As such, the description of this user/password combination has been changed to Agent Key. It isn’t really ‘primary’ anything any longer. It is still used to build a Site Installation Package (I still can’t get them to rename these “silent installers!!”) from within the dashboard.
Agent 9.8.3 (and beyond)
This agent brings in a new way to open & edit the local
device’s settings. Instead of the
“Password” prompt in the old agent,
any user in the dashboard with proper administrative privilege
can now open (“log in to”) the local agent.
Previously, the password used to install the agent was
required. That option still remains: you can
log on with the Agent Key credentials, or your own credentials if they’re
different.
Changing the Agent Key Password
As the Agent Key can now be changed like any other user, you
want to be aware of the Site Installation (aka Silent Installer) Packages that
are built, and what they are built with.
If you were to change the Agent Key, any previously built package will no longer install agents properly. The Site Installation (aka Silent Installer)
Package uses the password compiled within the package for its initial check-in
to the dashboard. Be sure to record
where you’ve deployed the agent/s via Group Policy or had Remote Client
installers dispersed. They’ll need to be replaced if the Agent Key is changed.
Replacing them would also be recommended in order to deploy a newer version of
the agent on new devices.
Putting these two items together, if you forget the Agent
Key and then change it, the only way you’re going to be able to log onto an
agent locally is to update it to v9.8.3 (or beyond).
This makes it possible to keep the Agent Key PRIVATE now; it
is no longer needed for typical (manual) installation of the agents. Previously,
MAX “Best Recommendation” effectively treated the PAK as a product key used for installation only.
The advice was to first disable the PAK Dashboard Logon and
create your own Super User account, but provide the PAK to people who would
need to install agents.