Allowing Simple Numeric Passcode on macOS

adrw
New Contributor II

Bear with me on this, but I am considering allowing a 6-digit number passcode for macOS login. My threat assessment is similar to that of an iPhone that has a 4-digit passcode protecting the device, which essentially has access to all the same company information the Mac is going to have. In both cases, the attack vector requires physical access to the device and then a considerable amount of number guessing, but not before locking the device out after 10 wrong guesses.

Our devices will also have Password Sync installed, so users who wish to configure that certainly can, and then use their company password for login.

Our Macs are all ABM -> MDM enrolled, purchased through official channels; we don't have Active Directory. We do use Okta for but as I mentioned and I have configured Password Sync with Okta, and as mentioned, users can configure Password Sync if they wish.

Am I missing anything here that should require Mac login passwords to be long and complex?

PS.  This is a Jamf Now message, please don't reply from a Jamf Pro context.

1 ACCEPTED SOLUTION

AJPinto
Honored Contributor II

You probably want to look into a tool like Jamf Connect for on-demand account creation with IDP credentials. I respect the idea of trying to set simple first-time passwords like with your iOS devices. However, macOS is not iOS, and a compromised macOS account can be weaponized to a much greater degree than a compromised iOS device.

The attack vector on macOS does not need physical access to the device, depending on how things are set up. macOS does have SSH and VNC built in, as well as many other exploitable options like code execution that can open a number of doors. If you would not set up Windows devices with simple passwords, you should not set up macOS devices with simple passwords.

adrw
New Contributor II

Yep, good feedback, I like it.