@lpadmin @dfriedman
I am seeing the same issue with some AD accounts and FV2. In the GUI, the accounts added after the first user look like they are FV2 enabled and show up at the FV2 login screen, but they can't authenticate at the FV2 login. However, they can log in at the OS level...
C
@gachowski @lpadmin
That's too bad. Unfortunately, this problem isn't easily resolved, as this is an issue with stock Apple tools (pwpolicy, FileVault 2) and how they interact. Removing and re-adding that user as a FileVault 2 user will fix this, but it's ugly (you will also need another existing account to be encrypted with FileVault 2 in order to use the method below).
You can remove the user with
fdesetup remove <username>
Then, re-enable for the user with
fdesetup add <username>
This can be scripted and you can prompt the user for input using the -inputlist
functionality. @rtrouton has documented fdesetup very well on his blog.
This script seems perfect for what our org is trying to do, but every time I run it I get
"error: Credential operation failed because an invalid parameter was provided."
I cannot figure out where I'm going wrong. I did change LOGGEDINUSER to $( ls -l /dev/console | awk '{print $3}' ), but I received the same results before and after the change. Can anyone guide me as to what I might be missing here?
@evobe What version of OS X are you running this on? This was written for Yosemite/El Cap (10.10/10.11) which deprecated the old pwpolicy commands for the XML formatted plist.
@jholland I'm using El Capitan (10.11.3); only a few of our machines are on Yosemite, and we're in the process of upgrading them to El Cap.
@evobe Are you running the script as root locally (or using sudo), or are you running from a Casper policy? It should work either way, but if you are running locally you need to run it with privileges.
@jholland, I've done it as both, I've run it using a policy with a trigger through JSS and I've run it locally, each time I've received the same error. I put in my password and it just doesn't work. Driving us crazy since it seems to work perfectly for you guys.
@evobe Hmm, strange, it should work. Must be something simple:
- View your current pwpolicy, if any, with this command (edit the user):
(sudo pwpolicy -u <user> -getaccountpolicies)
- Then clear the pwpolicy with this command (edit the user):
(sudo pwpolicy -u <user> -clearaccountpolicies)
- Might be a copy-paste error? Try copying the script again from this thread, chmod/chown it accordingly, and run "file" on the script to make sure it's a "POSIX shell script text executable" file.
@jholland I just ran this script, pushed out to two devices; even though the JSS says they completed it, only one actually asked for a password change.
I did have to comment out some of the rules, but it seemed to work.
Flushed out the logs and reran the script; it says it runs, but still nothing runs:
The following log is noted:
Executing Policy Password reset script
Running script Password reset script...
Script exit code: 0
Script result: LOGGEDINUSER is: teacher
Clearing account policies for user <teacher>
Error: The data is not in the correct format.
Password policy successfully applied. Run "sudo pwpolicy -u <user> -getaccountpolicies" to see it.
The OS is 10.12.5
We may need to run this script a few times a year or on an as needed basis. Is this going to cause problems?
Any help is greatly appreciated.
FYI,
Parts of this are broken in High Sierra when using FV2... please test and open feedback with Apple if you have access...
C
@lpadmin
Thanks for the input jholland & dfriedman.
This issue is definitely being caused by FileVault. As soon as my computer checked in without FileVault enabled and the JSS forced me to re-enable it, the password stopped working. I have turned it back off and removed my computer from the policy. Hopefully that fixes it for now, I will be looking for the scripts that you post on Github. Until then I will just leave FileVault turned off.
Is there any news about this issue? I have the same problem on the Macs of my enterprise.
This script is great for enforcing password complexity on the next password change. Is there a way for this to also expire the user's existing password?
I am using this as part of an imaging process via DeployStudio.
There is another policy in pwpolicy called "newPasswordRequired":
newPasswordRequired    If 1, the user will be prompted for a new password at the next authentication. Applications that do not support change password will not authenticate.
Not sure how you would apply it in your environment, but that is the command.
@jason.bracy
100% correct. Within a few moments of posting I found the command and entered it below the "set new policies" section.
Adding -setpolicy "newPasswordRequired=1" resolved this issue.
Does anyone have something like this that works for 10.12 and 10.13 machines?
I haven't tested with 10.13, but the pwpolicy script works with 10.12
I was using parts of the code for parts of my password rules in 10.12...
C
@jholland's posted script helped me.
But this is applicable for one user, who logs in as the first user on the machine; this will not impact a user who is not exemptAccount1.
Going forward, when exemptAccount1 creates a new account, this script is not working and the password policy is not applied.
Do you have any new script to get this issue rectified?
Thank you for this script. I am trying to set it up to use in my setup and it works really well; however, does anyone know what the syntax would be if I wanted to exempt more than one user?
For context, our users are standard users, but they have access to an admin account to approve updates; this way I avoid them using admin accounts for day-to-day usage, without fully taking away their ability to manage their own devices. I also have an admin account, so each machine will have:
User - Standard - I want the password to reset
StaffAdmin - Admin - No one ever actually logs in with this account, but the credentials will be used to approve updates/install apps - I do NOT want this password to reset
ITAdmin - Admin - me - I don't want this to reset either.
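Added example, not from the thread or any poster's script: the reset flow from this discussion (find the console user, clear old policies, load the plist, add newPasswordRequired=1, verify) as one function that skips every account named in a space-separated exemption list, which answers the multi-user exemption question above in the general case. EXEMPT_ACCOUNTS, DRY_RUN, POLICY_PLIST and the function names are assumed; DRY_RUN=1 prints the pwpolicy commands instead of running them so the exemption logic can be checked off a Mac.

```shell
#!/bin/bash
# Added example, not from the thread or any poster: one function that applies
# the password policy to the console user, skips every account named in
# EXEMPT_ACCOUNTS, and with DRY_RUN=1 prints the pwpolicy commands instead of
# running them. POLICY_PLIST is an assumed path, not one from the thread.

EXEMPT_ACCOUNTS="${EXEMPT_ACCOUNTS:-StaffAdmin ITAdmin}"   # space-separated list
DRY_RUN="${DRY_RUN:-0}"
POLICY_PLIST="${POLICY_PLIST:-/Library/Management/pwpolicy.plist}"

# Console user, found the same way the thread does; an argument overrides it
# so the logic can be exercised off a Mac.
console_user() {
    if [ -n "${1:-}" ]; then printf '%s\n' "$1"; return; fi
    ls -l /dev/console | awk '{print $3}'
}

# Exit status 0 when the user is in EXEMPT_ACCOUNTS.
is_exempt() {
    local u
    for u in $EXEMPT_ACCOUNTS; do
        [ "$u" = "$1" ] && return 0
    done
    return 1
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Clear old policies, load the plist, force a change at next login
# (newPasswordRequired=1, as in the thread), then show what was applied.
apply_policy() {
    local user="$1"
    if is_exempt "$user"; then
        printf 'skip %s (exempt)\n' "$user"
        return 0
    fi
    run pwpolicy -u "$user" -clearaccountpolicies
    run pwpolicy -u "$user" -setaccountpolicies "$POLICY_PLIST"
    run pwpolicy -u "$user" -setpolicy "newPasswordRequired=1"
    run pwpolicy -u "$user" -getaccountpolicies
}

# Only act when invoked as: sudo ./reset.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_policy "$(console_user)"
fi
```

Run it as root with --apply from the policy; set DRY_RUN=1 first to see exactly which accounts would be touched.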