How are you "managing" user passwords? do you use LDAP, AD, or something like that?

@user-CimMKXfEHV , you can disable the hint feature with defaults write com.apple.loginwindow RetriesUntilHint -int 0.. Not sure if it hides the box though..

99% sure it doesn't hide the box or prevent users from adding a hint.. It will just keep it from showing up after failed attempts. And in the past it's been buggy as updated and upgrades in the past from Apple have broken it and then the next update from Apple fixes it..

C

@walt We're authenticating against AD, but are in the process of moving to JAMF Connect.

@eliu01

You can build a config profile
com.apple.loginwindow

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>{RetriesUntilHint</key>
<integer>0</integer>
</dict>
</plist>

@gachowski - does this disable the hint box on the password reset window shown in the original post, or only prevent password hints from appearing on the login screen? The "RetriesUntilHInt" string makes me think it's for the login screen.

Apple doesn't support disabling that window in your post ... The best solution is to keep the hint from showing on failed logins attempts usually that is what the Security teams want. or ... who cares what the hint is if you can't see it when you need it? : )

C

@eliu01 what we do is use AD + the Apple Kerberos SSO plugin, so to help prevent out of sync passwords we restrict the change password via Users & Groups and Security preferences. So that ultimately would prevent the user from changing their password and adding a password hint. you can also hide the Hint for the login window via a config profile.