Solved

Allowing Simple Numeric Passcode on macOS


  • New Contributor
  • 7 replies

Bear with me on this, but I am considering allowing a 6-digit number passcode for macOS login. My threat assessment is similar to that of an iPhone that has a 4-digit passcode protecting the device, which essentially has access to all the same company information the Mac is going to have. In both cases, the attack vector requires physical access to the device and then a considerable amount of number guessing, but not before locking the device out after 10 wrong guesses.

Our devices will also have Password Sync installed, so users who wish to configure that certainly can, and then use their company password for login.

Our Macs are all ABM -> MDM enrolled, purchased through official channels, and we don't have Active Directory. We do use Okta for but as I mentioned and I have configured Password Sync with Okta, and as mentioned users can configure Password Sync if they wish.

Am I missing anything here that should require Mac login passwords to be long and complex?

PS.  This is a Jamf Now message, please don't reply from a Jamf Pro context.

2 replies

AJPinto
  • Legendary Contributor
  • 2716 replies
  • Answer
  • August 28, 2023

You probably want to look into a tool like Jamf Connect for on-demand account creation with IDP credentials. I respect the idea of trying to set simple first-time passwords like with your iOS devices. However, macOS is not iOS, and a compromised macOS account can be weaponized to a much greater degree than a compromised iOS device.

The attack vector on macOS does not need physical access to the device, depending on how things are set up. macOS does have SSH and VNC built in, as well as many other exploitable options like code execution that can open a number of doors. If you would not set up Windows devices with simple passwords, you should not set up macOS devices with simple passwords.
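
Whether the physical-access assumption holds can be checked per machine by looking at the two built-in services the answer names. The script below is an added example, not part of the original thread or any Jamf tooling; it assumes the output format of `launchctl print-disabled system` and the launchd labels `com.openssh.sshd` (Remote Login) and `com.apple.screensharing` (Screen Sharing), and falls back to a constructed sample when run off a Mac.

```shell
#!/bin/sh
# Added example: list built-in remote-access services that are switched on.
# Input format assumed: the text printed by `launchctl print-disabled system`.

# launchd labels assumed for Remote Login (SSH) and Screen Sharing (VNC).
REMOTE_LABELS="com.openssh.sshd com.apple.screensharing"

# Reads launchctl-style text on stdin; prints one label per enabled service.
remote_services_enabled() {
    input=$(cat)
    for label in $REMOTE_LABELS; do
        # Newer releases print "=> enabled"; older ones print "=> false",
        # meaning "disabled = false". The last entry for a label wins.
        state=$(printf '%s\n' "$input" |
            sed -n "s/^[[:space:]]*\"$label\" => \([a-z]*\).*/\1/p" | tail -n 1)
        case "$state" in
            enabled|false) printf '%s\n' "$label" ;;
        esac
    done
}

# Constructed sample output, not captured from a real machine.
sample_output() {
    cat <<'EOF'
disabled services = {
    "com.apple.screensharing" => disabled
    "com.openssh.sshd" => enabled
    "com.apple.ftpd" => disabled
}
EOF
}

# On a Mac, audit the live system; elsewhere, use the constructed sample.
audit() {
    if command -v launchctl >/dev/null 2>&1; then
        launchctl print-disabled system 2>/dev/null | remote_services_enabled
    else
        sample_output | remote_services_enabled
    fi
}

exposed=$(audit)
if [ -n "$exposed" ]; then
    echo "Remote access enabled, passcode is reachable over the network: $exposed"
else
    echo "No built-in remote-access service enabled"
fi
```

A service that does not appear in the listing has no override recorded, so an empty result means neither service has been explicitly switched on.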


  • Author
  • New Contributor
  • 7 replies
  • August 28, 2023
AJPinto wrote:

You probably want to look into a tool like Jamf Connect for on-demand account creation with IDP credentials. I respect the idea of trying to set simple first-time passwords like with your iOS devices. However, macOS is not iOS, and a compromised macOS account can be weaponized to a much greater degree than a compromised iOS device.

The attack vector on macOS does not need physical access to the device, depending on how things are set up. macOS does have SSH and VNC built in, as well as many other exploitable options like code execution that can open a number of doors. If you would not set up Windows devices with simple passwords, you should not set up macOS devices with simple passwords.


Yep, good feedback, I like it.

