Hello all. I have a couple of observations to add, as well as a configuration change that I made yesterday that has resulted in over 24 hours without a lockout (knock on wood!).
My configuration: MBP (Retina, 15-inch, Mid 2015), running 10.12.2 Beta (16C41b). Machine is AD-bound to my organization's Active Directory domain.
My Sierra experience: I don't use iCloud; however, I was signed into the App Store when I performed the initial Sierra upgrade and the account lockouts began almost immediately after the upgrade was finished. My account gets locked out on average between 3 - 5 times/day. I have our helpdesk on speed dial and I've called so many times that when they see my extension, they unlock my account before they answer the phone :-P
I've been following this thread and one other at https://discussions.apple.com/thread/7617617, as these are really the only two sources of information on this issue that I've found.
Getting right to the point: after scouring my syslog and Diagnostic Logs looking for any scrap of usable information, the only commonality that I've been able to find is that it seems that my account lockouts are frequently related to locking/unlocking my machine. I had one of our domain admins configure a text message alert whenever my account gets locked out and oddly, my account will frequently lock immediately after locking the screen, well before I come back and attempt to unlock it. Btw, my organization's domain is set to 5 bad password attempts before lockout. So yesterday, I configured my machine so that a password is not immediately required to unlock, by doing the following:
- Go to System Preferences > Security & Privacy > General tab
- Check "Require password <x> after sleep or screen saver begins" and set the dropdown to something other than "immediately" (which was my previous setting). In my case, I set it to "1 hour" as I'm rarely away for longer than an hour. The point of making this change was to set it to a high enough value so that I would rarely be prompted for the password; so far, the only time I've been prompted was after lunch and after one overly long meeting.
Results: So far, I've gone 27 hours without a lockout which hasn't happened ONCE since my initial Sierra upgrade.
DISCLAIMER: Is this secure? Definitely and absolutely not. When you "lock" your screen, with this setting enabled, obviously it is not actually locked, so this is the equivalent of walking away from your system and leaving it unlocked for all the world to see (and use), and I certainly am NOT recommending this change for everyone. Your IT admins and security staff will NOT appreciate this setting being changed and you may be violating company policy by changing it. In my case, the change is only temporary, made in an attempt to isolate and identify this particular issue and won't be usable as a long-term (or even short-term) fix, but might help to identify the root cause of the problem.
All that being said, my hope is that there might be others on the thread who were in a position to try this setting change and report on their results. I will report back with an update tomorrow on my lockout situation.
Thank you to everyone who has invested time and energy researching and providing information on this issue so far! As someone mentioned previously, if Apple won't fix the issue, then we as the community might be able to.
Well, this is now the spot I will be looking at every moment of the day. This is an issue I'm seeing on a lot of our Macs. Disabling or killing the Kerberos tickets seems to work sometimes. But no real fix so far.
The post by mattpogue is almost exactly spot on from what I am seeing in my environment. I'm going to look at implementing similar changes here for some users and will report back on the results.
Hello gang, and Happy Friday! I wanted to provide an update to my previous post.
Although it didn't show up in the forums until Friday morning due to moderation delay, my original post was posted on late Thursday afternoon (11/10). At that point, I had gone approximately 27 hours without a lockout after making the change described in my post.
As I sit writing this post at 6:20 PM CST on Friday (11/11), I can now officially say that I've gone for 50+ hours without an account lockout! I'm still configured with no password on the screen saver, and as I mentioned, I can't keep this fix in place forever, but I'm going to keep it enabled for at least the first few days of next week so that I can provide a final report. Also, I'm going to find out if my employer has any kind of Apple Support available and if so, I will open a case.
I'm definitely curious to hear from others who are in a position to implement the change. I'll update you all again early next week (Monday or Tuesday) with results, but I'm almost 100% certain the setting that I have now will prevent the lockouts for me. I'm going to change the "1 hour" setting value to something a bit more conservative, like "1 minute" or "5 minutes" to see whether I can confirm my hypothesis, which as of now is that the lockouts occur when the Mac enters "password protected screensaver mode".
Thanks all and have a great weekend!
Matt
That's really not an option for me in our environment, so I'll hold out and see what happens. At the moment I'm simply restricting upgrades to Sierra, but this won't be an option soon with new devices being ordered.
Thanks for looking into it!
@mattpogue Your bad password count will raise when locking and unlocking (logging in/out) of your Mac. We are certain of that. In my company and I believe in many others, the option of leaving an unlocked computer is out of the question for security reasons. It seems your password policy is set up to lock you out for as little as 2-3 bad password counts. You might want to suggest to your IT Dept to raise the count to 5-10 and that will stop your constant lockouts while locking/unlocking your Mac.
Cheers.
Still showing the same behavior in Beta 3 build 16C48b
I've unbound my Mac from our domain, and I have not had a lockout since. Just FYI. I'm going the bind-less route either way for our Macs. Maybe this would be an option for other people who are experiencing this issue in the meantime, unless you absolutely NEED to be bound to your AD.
Yeah not being bound would fix it. But we can't have that in our environment.
In our environment all Macs MUST be bound to AD, so the "lose the bind" refrain that we have been hearing isn't going to fly. Unless Apple is officially deprecating support for AD binding, they need to get on fixing this. I am going to be so pissed off if 10.12.2 comes out without a fix.
I just want to reiterate that this issue also affects Macs that are not bound to Active Directory but that have a password policy set by Configuration Profile and/or pwpolicy. The common thread is being logged into iCloud. We have discovered that users that do not log into iCloud don't get locked out.
Those of you binding to Active Directory might want to see about restricting iCloud logins.
We've opened a case with Apple Enterprise Support as well and they had me run this command from a local account once the AD account was locked out:
dscl . -readpl /Users/username accountPolicyData failedLoginCount
For me, it was actually returning a value of 0, even though the AD account was definitely locked out in the AD console and unable to login on the Mac.
Just wanted to pass this along. And this is on Beta 3 Build 16C48b, most recent beta build as of this post.
We are also getting locked out. Generally after a wake from the password protected screensaver. We don't have an AD, nor are we bound to any directory. Local accounts only.
A password config is pushed to the devices with limits on number of failed logins, remembered passwords, min character count etc.
An AppleCare enterprise case is open as well as a Jamf ticket at present, as devices we were trying to upgrade to Sierra from El Capitan were being locked out after first boot. Device goes past the FV2 password prompt and users normally go straight to the desktop. Users are now seeing a user/password box and any attempt to login advises their account is locked out. What's strange is the built-in admin account is also locked out randomly, so we are having to have users go into recovery, unlock their disk with the FV2 password and run resetpassword in Terminal before we can get them back working.
So two issues we see... one during day to day usage of the device after screensaver lock, the other after the Sierra upgrade!
@jcwoll
How many Macs do you manage? Collecting data so we can move to local passwords too..
C
We get 2 bad password counts just from locking the screen.
Bound to AD
iCloud is not signed in
all machines on 10.12.1
Good morning all. Wanted to post a final follow-up to my posts from last week. I can confirm, as tested on my machine and 2 others in my organization, removing the "password protected screensaver" (as described in my first post) fixes the lockout issue in our environment. We have ~80 Macs total, and we have restricted Sierra upgrades for the time being and are rolling back others who had already updated (with the exception of myself and a few others who are beta testers).
I also wanted to reply to the post from @Njofrekk as well. I can confirm that my user account is in an AD OU with a group policy that defines lockout at 7 bad attempts (organization-wide, we're at 5). My team is responsible for AD security and auditing, as well as being the final approval on any security-related group policy changes, so I can 100% confirm that these are our settings. After making the group policy change, the lockouts DID occur less frequently, but I was still being locked out between 3 and 5 times daily. Simply locking the screen and walking away starts generating failed login attempts. And I can also confirm that the issue is NOT resolved in 10.12.2 beta 3 (16C48b).
As I mentioned before, this is NOT a workable fix for any organization (including my own!) that cares even modestly about security, nor was it intended as a recommendation. My goal was to try and isolate the problem definitively to the screensaver and, for the machines I've tested on, I can confirm the screensaver as being the source of our lockouts. Fortunately for us, the majority of our Mac users are developers and sys/net admins, with the other 99.5% of our user base on Windows.
I realize that from a percentage standpoint, the number of Macs bound to Active Directory is probably small. However, we spend a crap-ton of money with Apple on an annual basis and to have an issue of this magnitude go unaddressed is very frustrating. Does anyone have a positive response from Apple Care regarding this issue, in terms of acknowledging that it exists and/or working on a fix? Maybe I missed it, but I've yet to see anyone post an official response from Apple about the issue.
In the meantime, I have no choice but to revert back to the password-protected screensaver and deal with the lockouts. As frustrating as it is, I still prefer my lovely and shiny MBP to my dark matte Lenovo for day-to-day usage, so I'll suffer through. I'll be continuing to monitor the thread and if I come across anything new, you all will be the first to know ;)
@mattpogue Why do you guys use password protected screensavers? I understand it might be practical for locking your Mac, but why not just go to the Login Window and log off? That option raises the bad pwd count by 1, but it does it only once, and when you log back in it clears the badpwdcount attribute. We use the Login Window option and we never get locked out with a password lockout policy setting at 5.
And thank you for your contribution to the investigation of this issue. This has been bugging us since we first encountered this issue and finally there is a community working to pinpoint the problem.
Cheers to all.
@Njofrekk The main reason I use the screensaver is for convenience; I very frequently have 10 - 12 open programs at any given time and a full log off would force me to close out of everything and re-open when I log back on. Just due to the nature of my job I'm up and down quite a bit so I would be logging off and back on probably 5 or 6 times per day, not including bathroom breaks, lunch, etc. and - especially as it relates to software development, which is not my primary duty, but is something I do on a daily basis - this would be a productivity killer for me.
Something else that's a little different for me: my local failedLoginCount value, obtained by running dscl . -readpl /Users/<me> accountPolicyData failedLoginCount, always shows zero, even when I'm locked out on the domain. I'm not sure why this is, but I've spot checked a few times and it's always been zero.
A big thank you to everyone on this thread and others in the forum; I've picked up quite a few answers from the community here and I really appreciate everyone's professionalism and willingness to work together to resolve issues that come up.
My plans this weekend are to go home and not think about work, computers, account lockouts, or anything else technology-related if at all possible, except for maybe my Netflix subscription. I've had my eye on a new weird alien show on TBS (People of Earth) that looks kind of entertaining, so maybe I'll do a little binge watching. Happy Friday and happy weekend all!
@gachowski around 1300 for now.
@jcwoll
Great news : ) thank you : )
C
@mattpogue There is another method of locking your system without losing all your work (which we use), and that is showing the login window without actually logging out. You can do this by enabling fast user switching in the Accounts System Preferences panel. Click the Login Options button (enter your administrator password to unlock it first) and then select the Enable Fast User Switching option. Once you have fast user switching enabled, you'll see either an icon or a name in the top right corner of the menubar, depending on what option you chose on the Login Options screen. Click on your name or icon in the menubar and select Login Window from the drop-down menu. The login window will appear. When you log back in, all your applications will be just as you left them.
Sadly there is no shortcut key for this option so you'll have to click every time but it is the best way in my opinion. Try it out.
On another note, using the terminal command (dscl . -readpl /Users/Username accountPolicyData failedLoginCount) returns a value of 1 every time for my network account, even though there is 0 in my badPwdCount AD attribute. The interesting thing is that locking and unlocking my network account raises the failedLoginCount of my local Admin account by two. It is currently at 578. It doesn't lock because we don't use a local bad password count policy.
Cheers.
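The posts above read the local failedLoginCount one user at a time with dscl. As an added example (not from anyone in this thread), the script below parses the accountPolicyData plist that `dscl . -read /Users/<name> accountPolicyData` prints and flags local accounts whose counter has reached the lockout threshold; the dscl output embedded in it is a constructed sample, and the key names in that sample are assumed.

```python
"""Flag local macOS accounts whose accountPolicyData failedLoginCount has
reached the lockout threshold. Uses dscl when present; otherwise the
constructed sample below stands in for real output."""
import plistlib
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `dscl . -read /Users/admin accountPolicyData` output:
# the attribute name on one line, the plist on the lines that follow.
# Key names (failedLoginCount, failedLoginTimestamp) are assumed.
SAMPLE_DSCL_OUTPUT = """accountPolicyData:
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
\t<key>failedLoginCount</key>
\t<integer>578</integer>
\t<key>failedLoginTimestamp</key>
\t<real>1478975123.5</real>
</dict>
</plist>
"""


def parse_account_policy(dscl_output: str) -> Dict[str, object]:
    """Return the plist dict that follows 'accountPolicyData:' in dscl output."""
    marker = "accountPolicyData:"
    idx = dscl_output.find(marker)
    if idx < 0:
        return {}  # attribute absent: account has no policy data yet
    body = dscl_output[idx + len(marker):].strip()
    return plistlib.loads(body.encode("utf-8"))


def failed_login_count(dscl_output: str) -> int:
    """The failed-login counter, 0 when the attribute or key is missing."""
    return int(parse_account_policy(dscl_output).get("failedLoginCount", 0))


def read_user_policy(user: str) -> Optional[str]:
    """Run dscl for one local user; None off macOS or when the read fails."""
    if shutil.which("dscl") is None:
        return None
    cmd = ["dscl", ".", "-read", f"/Users/{user}", "accountPolicyData"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else None


def at_risk_users(outputs: Dict[str, str], max_failures: int) -> List[str]:
    """Users whose counter is at or above the policy's lockout limit."""
    return sorted(u for u, out in outputs.items()
                  if failed_login_count(out) >= max_failures)
```

On a Mac, feed `read_user_policy` the names from `dscl . -list /Users` and pass the results to `at_risk_users` with your policy's limit (5 in several posts above).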
I am a business user, but after numerous lockout issues since installing the Sierra GM (3-5+ a day some days) I have found the following to be the most effective (without modifying the 'screen saver' password timing). If the user is running wifi only, then every time they have an event that would potentially lock their computer (shutting the lid, screensaver, etc), just tell them to remember to turn off the wifi before doing so. Then logon as normal once they are back, and just switch the wifi back on. They won't remember to do this every time (which I can say from personal experience), but it dramatically drives down the amount of lockouts (to zero if perfectly executed, I believe) such that this small hassle is worth not calling the helpdesk repetitively, and stops those particularly pesky 'I just walked into a conference room with my laptop shut and now it's locked out when I need to present' moments...
@Njofrekk Ah, thank you! I was not even aware that a fast user switching option existed on the Mac! I've been a Linux and Windows guy for a long time, but I'm only about 7 months old as a Mac user and I learn something new just about every day.
I re-enabled my password-protected screensaver, which I will avoid using, and instead will now try that option when I'm leaving my desk. I'll give this a shot for a few days and post my results later this week.