Solved

New MBP with Touch ID, AD lockouts

  • December 8, 2016
  • 7 replies
  • 39 views


So I'm testing the Touch ID option on the new MBP in our AD environment. It allows me to log back in from a locked state, but when I use Touch ID instead of password entry it sends 2 bad password attempts to AD. So if a user uses Touch ID twice in 10 minutes it will lock out their account (we have a 3 strikes lockout policy).

Any ideas on how I can see what is going on here? This is just in the testing phase at the moment since I'm the only one with a new MBP, but without a doubt executives are going to want to use the Touch ID option.

Any and all advice is appreciated.
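The question above is how to see what AD is actually recording per unlock. The script below is an added example for that purpose; it is not from the thread or from Jamf. It assumes the RSAT ActiveDirectory module on a domain-joined Windows host with rights to read each DC's Security log, takes a hypothetical `-SamAccountName` parameter for the account under test, and uses a 10-minute look-back window to match the observation window described in the post. Because `badPwdCount` and `badPasswordTime` are not replicated, every DC is queried individually; the 4771/4776 events then show which client IP or workstation produced the failures, which is what distinguishes a Touch ID unlock from a genuinely mistyped password.

```powershell
# Added example (not from the thread): per-DC bad-password audit for one AD account.
# Assumes: RSAT ActiveDirectory module, rights to read each DC's Security log,
# and a hypothetical -SamAccountName parameter naming the account under test.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Minutes = 10   # assumed to match the 10-minute observation window in the post
)
Import-Module ActiveDirectory

$since = (Get-Date).AddMinutes(-$Minutes)

foreach ($dc in Get-ADDomainController -Filter *) {
    # badPwdCount / badPasswordTime live only on the DC that saw the failure,
    # so read them from every DC rather than from the default one.
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
         -Properties badPwdCount, badPasswordTime, LockedOut, lockoutTime
    $lastBad = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
    [pscustomobject]@{
        DC          = $dc.HostName
        BadPwdCount = $u.badPwdCount
        LastBadPwd  = $lastBad
        LockedOut   = $u.LockedOut
    }

    # 4771 = Kerberos pre-authentication failed (Status 0x18 is a bad password).
    # 4776 = NTLM credential validation failed (Status 0xC000006A is a bad password).
    $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $since
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match "\b$([regex]::Escape($SamAccountName))\b" }

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            DC      = $dc.HostName
            Time    = $e.TimeCreated
            EventId = $e.Id
            Status  = $d['Status']
            Client  = if ($e.Id -eq 4771) { $d['IpAddress'] } else { $d['Workstation'] }
        }
    }
}
```

Run it once, unlock the Mac with Touch ID, and run it again: if the thread's description holds you will see `BadPwdCount` rise by two on one DC and two 4771 or 4776 bad-password events from the Mac's address within seconds of each other. A single mistyped password, by contrast, produces one event per attempt.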

Best answer by hkabik

7 replies

smithjw
  • Contributor
  • December 8, 2016

I was actually noticing this the other day, but on Macs without Touch ID. I'm going through enrolling all DEP Macs into JAMF and ran across issues if they enter their creds incorrectly at the Setup Assistant stage. Each incorrect user attempt is seen by AD as 3 failed attempts.

I've expanded on it here

I upped my lockout threshold to 10 attempts in 1 hour, which equals 3 incorrect attempts by a user, and hopefully they get it right on the fourth go.


hkabik
  • Author
  • Honored Contributor
  • Answer
  • December 8, 2016

Scratch that... it seems to happen even if I log in from a lock screen with my password...
However, if I uncheck "Unlocking your Mac" I can log in from a lock screen without issue.

Seems to be related to this issue:

https://www.jamf.com/jamf-nation/discussions/21320/sierra-ad-account-lockout-when-setting-up-icloud


  • Contributor
  • December 14, 2016

I saw this exact issue when unlocking using an Apple Watch. 2 bad password attempts to AD, and it bypasses the locked-out account status.


  • Author
  • Honored Contributor
  • December 14, 2016

I can confirm I see the Apple Watch behavior as well.


  • New Contributor
  • December 14, 2016

It's the same problem as the other thread. Any password policy will get locked out if you use your Apple ID in the App Store, iTunes or iCloud. AD will be locked if you bind to AD.


  • Contributor
  • December 14, 2016

What about Single Sign-On? Can't you have the JSS sync the AD account to Touch ID through Single Sign-On?

http://docs.jamf.com/9.93/casper-suite/administrator-guide/Single_Sign-On.html


  • Valued Contributor
  • December 15, 2016

I'm seeing this behavior without using an Apple ID at all. On macOS 10.12.2 my account gets locked out any time I try to unlock the Mac after waking from sleep or the screen saver. I can log in successfully, engage the screen saver, and then when I try to log back in I am immediately locked out.