Posted on 03-23-2020 05:18 PM
Hi All,
Pretty much at the moment I've enable a deny access to the security and privacy tab in system preferences. We have mainly done this to stop the users changing their password. But this however is really annoying if a user needs to grant permission to an app to allow microphone access, camera access and the rest.
Is there any work around where I can allow users to this but grey out the change password option under security & privacy > general > change password
Posted on 03-23-2020 05:19 PM
Posted on 03-23-2020 08:29 PM
I'm curious why you want to prevent users from changing their own passwords. Administrators have access to everything users can access without knowing their passwords or forcing the same password for every user.
If you're binding to Active Directory, you can specify there that a user's password cannot be changed. Or you may be interested in looking at the pwpolicy
command line tool. It appears to have a canModifyPasswordforSelf
policy, although it's considered "legacy".
Posted on 01-08-2021 10:28 AM
@Steven.jamf did you ever find a way to do this?
@talkingmoose our Identity and Access Management team is rolling out a new IAM system that requires all users to change their passwords through their web interface. I am not sure of the details of why they require that but we have to disable the Ctrl-Alt-Del option on Windows, too.
Posted on 03-10-2021 10:11 AM
Man I am also curious on a way of doing the same. On my end we use NoMad that will eventually be subsided by JAMF Connect but for now I have employees who still on occasion not all who change their passwords using System Preferences messing up the FV Encryption and Login of their machines. I then have to fix it with a script deployed to SelfService that does some DiskUtil actions. But I feel if I can just grey our the option not the whole section altogether it would stop that from happening.
Posted on 04-14-2022 09:43 AM
Any solution found?
Posted on 04-15-2022 05:49 PM
Having the option to "change password" greyed out/blocked within System Preferences under both User & Groups as well as Security & Privacy is useful for any admin that is utilizing JAMF connect and does not want their laptop users to accidentally mess up the password change workflow.
To block both options, first create plists for the following two payloads (preference domains).
com.apple.preference.security
<?xml version=”1.0” encoding=”UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0”>
<dict>
<key>dontAllowPasswordResetUI</key>
<true/>
</dict>
</plist>
com.apple.loginwindow
<?xml version=”1.0” encoding=”UTF-8”?>
<!DOCTYPE plist PUBLIC “-//Apple//DTD PLIST 1.0//EN” “http://www.apple.com/DTDs/PropertyList-1.0.dtd”>
<plist version=”1.0”>
<dict>
<key>ChangePasswordDisabled</key>
<true/>
</dict>
</plist>
In JAMF go to configuration profiles > New > Application & Custom Settings > Upload > add both plists above > scope to devices.
Here is a screen shot of what mine looks like:
And the final result:
Posted on 04-27-2022 02:04 PM
This is great! Adding the Plist was a success and worked beautifully. Thank you!
Posted on 07-12-2023 03:12 PM
Still works great on Ventura. @knuckle-sndwich , where did you find this com.apple.loginwindow key value?
<key>ChangePasswordDisabled</key>
Even Apple's documentation for LoginWindow doesn't list this key even though it definitely works. Is there a way to find out other "undocumented" keys?
https://developer.apple.com/documentation/devicemanagement/loginwindow
Posted on 08-08-2024 01:22 PM
Works great for our new iMac lab on Sonoma 14.6! Thank you!
Posted on 02-12-2023 07:21 AM
Hi Friends, Hey is this still the best way to make this happen with current OS and such? Thanks so much!
Posted on 11-17-2023 01:08 AM
Hi JBartkowiak, this works still with macOS Sonoma. You can skip one PLIST though and lock "User & Groups" through the GUI of the Restrictions-Payload (Preferences, Restricts items in System Preferences, disable selected items, User & Groups). I'm still using the PLIST for com.apple.preference.security because I don't want to lock down the whole menu but only the change password option.